Hello! You've arrived at part 2 of a series of 3 blog posts about the Mentored Core Sprint, which traditionally takes place every Friday at Drupalcon.
If you haven't already, please go back and read part 1.
You may think sprinting is not for you ...
So, you may be the kind of person who usually stays away from the Sprint Room at Drupal events. We understand. You would like to find something to work on, but when you step in the room, you get the feeling you're interrupting something really important that you don't understand.
It's okay. We've all been there.
That's why the Drupal Community invented the Mentored Core Sprint. If you stay for this sprint day, you will be among friends. You can ask any question you like. The venue is packed with people who want to make it a useful experience for you.
Come as you are
All you need in order to take part in the first-time mentored sprint are two things:
- Your self, a human who is interested in Drupal
- Your laptop
To get productive, your laptop needs a local installation of Drupal. Don't have one yet? Well, it's your lucky day, because you can get your Windows or Mac laptop set up at the first-time setup workshop!
Need a local Drupal installation? Come to the first-time setup workshop
After about half an hour, your laptop is ready, and you can go to the sprint room to work on Drupal Core issues ...
You do not need to be a coder ...
You do not need to be a coder to work on Drupal Core. Let's say, you're a project manager. You have skills in clarifying issues, deciding what needs to be done next, managing developers, and herding cats. You're great at taking large problems and breaking them down into smaller problems that designers or developers can solve. This is what you do all day when you're at work.
Well, that's also what happens here at the Major Issue Triage table!
But you could just as easily join any other table, because your skills will be needed there as well!
Never Drupal alone
At this sprint, no one works on their own. You work collaboratively in a small group (maybe 3-4 people). So, if you don't have coding or design skills, you will have someone alongside you who does, just like at work.
Collaborating together, you will learn how the Drupal issue queue works. You will, most likely, not fix any large issues during the sprint.
Learn the process of contributing
Instead, you will learn the process of contributing to Drupal. You will learn how to use the issue queue so you can stay in touch with the friends you made today, so that you fix the issue over the coming weeks after Drupalcon.
It's never too late
Even if you've been in the Drupal community for over a decade, just come along. Jump in. You'll enjoy it.
A very welcoming place to start contributing is to work on Drupal documentation. This is how I made my first contribution, at Drupalcon London in 2011. In Vienna, this table was mentored by Amber Matz from Drupalize.Me.
This is one of the most experienced mentors, Valery Lourie (valthebald). We'll meet him again in part 3, when we come to the Drupalcon Vienna live commit.
Here's Dries. He comes along and walks around, no one takes any notice because they are too engaged and too busy. And so he gets to talk to people without being interrupted.
This is what Drupal is about. It's not about the code. It's about the people.
Next time. Just come. As a sprinter or a mentor. EVERYONE is welcome, we mean that.
This is a three-part blog post series:
Part one is here
You've just finished reading part two
Part three is coming soon
Acro Media recently launched a demo ecommerce site called Urban Hipster that exhibits the incredible range of out-of-the-box functionality you get with Drupal Commerce 2 (check it out here). To make the demo even more amazing, we've also created a "Plus" version that shows you what's possible with a bit of extra work.
Some background
If you have an ecommerce business or have a product that you're trying to sell online, a product catalog could be just what you need. But if you produce your own product or you only have a few different products, a product showcase is actually a better way to demonstrate and sell your wares. It's like buying something on Amazon vs buying something on Apple: Amazon has an enormous list of products and all the pages look the same, whereas Apple has fully customized, unique pages for each item it sells.
UH Axe builder product page
When you go to buy the UH Axe on the demo, you'll bring up a unique UH Axe builder product page in the Apple style. The page talks about what the UH Axe is and what its purpose is, and then you're able to choose the type of handle you want, the handle length, how heavy the axe head should be, whether you want a sheath, etc. By the time you add it to your cart, it has become a completely unique product with all the variations that you've chosen. But it exists and is configured the same way that any other product would.
It's actually a very similar configuration as the White and Wood Chair example on the demo; it just looks completely different.
The functionality behind a lot of the extra content is a module called Paragraphs. It's similar to Panels (which a lot of people use), but a bit simpler and more streamlined. It doesn't have the same breadth of functionality, but it's easier to work with, and it lets you do all those customizations like deciding where you want to put it on the page and so on. It looks very custom, but it is surprisingly configurable through the back end.
(A note of caution: while it's mostly out-of-the-box functionality, some of the more complex design elements did require a bit of custom code. That’s why it’s on the “Plus” demo.)
Keep in mind that it's not uncommon to have both ways of viewing the product: a fancy customized page as well as a more standard catalog. People can get to the product through either route.
The bottom line
You can make awesome product pages through Drupal Commerce without a lot of effort.
More from Acro Media
- High Five video: Introducing the Urban Hipster (UH) Demo for Drupal Commerce 2
- High Five video: Digital Products and Recurring Subscriptions in Drupal Commerce 2
- Learn more about Drupal Commerce
- Learn more about Acro Media
If you'd like a personalized tour to discuss how Drupal Commerce fits into your ecommerce solution, give us a shout. We're happy to show and tell.
In just a few hours, the first serious critical security update for Drupal since "Drupalgeddon" will be released.
To make this update easier for DevShop users, we've pushed out a new release with 2 features that allow you to update your sites without ever leaving your web browser: "Update, Commit & Push" and "Tag a Release".
"Commit & Push"
The "Update Drupal" button has been available in DevShop for some time, but now you can automatically commit the results by checking a box.
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The security team has written an FAQ about this issue.
Solution:
Upgrade to the most recent version of Drupal 7 or 8 core.
- If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
- If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.
Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.
- If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch.
- If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this patch.
This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.
This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.
Reported By:
- Jasper Mattsson
- Samuel Mortenson, Provisional Drupal Security Team member
- David Rothstein of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Pere Orga of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Cash Williams of the Drupal Security Team
- Daniel Wehner
- Tim Plunkett
The Drupal security team can be reached by email at security at drupal.org or via the contact form.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Today, there is a Highly Critical security release for Drupal core to fix a Remote Code Execution (RCE) vulnerability. You can learn more in the security advisory:
As we noted last week, this issue also affects Drupal 6! So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core.
Drupal 6 core security update
As you may know, Drupal 6 has reached End-of-Life (EOL), which means the Drupal Security Team is no longer issuing Security Advisories or working on security patches for Drupal 6 core or contrib modules. But the Drupal 6 LTS vendors are, and we're one of them!
If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
An hour ago the SA-CORE-2018-002 critical Drupal vulnerability was disclosed. It was pre-announced a week ago in PSA-2018-001, which allowed us to gather our technical team and make sure we could develop and deploy a mitigation to all our clients as soon as the issue was made known.
If you're not running on Platform.sh, please stop reading this post and go update your Drupal site to version 8.5.1 / 8.4.9 / 8.3.8 / 7.58 right now. We're serious; upgrade first and ask questions later.
If you are running on Platform.sh: You're safe and can continue reading... then upgrade.
The vulnerability (also referred to as CVE-2018-7600) affects the vast majority of Drupal 6.x, 7.x and 8.x sites and allows arbitrary remote code execution, letting anonymous remote users take full control of any affected Drupal site prior to 8.5.1 / 8.4.9 / 8.3.8 / 7.58.
The same issue is present in Backdrop CMS installations prior to 1.9.3.
If your Drupal site is not hosted on Platform.sh, we encourage you to immediately update all your Drupal sites to 8.5.1 / 7.58 or to take your site offline. This is serious and trivially exploitable. You can expect automated attacks to appear within hours at most. If you are not on Platform.sh or another provider that has implemented a mitigation, your site will be hacked. This is as critical as the notorious "Drupalgeddon" episode from three and a half years ago.
If you are hosting on Platform.sh...
Platform.sh is pleased to announce all Drupal sites hosted on all our regions and all our plans are automatically safe from this attack.
Platform.sh has many security layers that make attacks such as this much harder than on comparable services: our read-only hosts and read-only containers, our auditable and reproducible build chain, and our static-analysis based protective block.
In response to this latest vulnerability, we've taken two important steps:
- We've added a new rule to our Web Application Firewall (WAF) on all regions and on all Enterprise clusters that detects and blocks requests trying to exploit this latest attack vector, even if your site hasn't been updated. (But still, please update.)
- We are adding a check to our protective block to prevent deployment of affected Drupal versions. If you try to push an insecure Drupal version, our system will flag it for you and warn you that you are pushing known-insecure code. Please update your code base as soon as possible.
As a client, if you need any further assistance or want more information about the vulnerability, how it may affect you, and our mitigation strategy, don't hesitate to contact support. We have set our WAF to an especially aggressive stance for now, and this may result in some users seeing a "400 Bad Request" message in some edge cases for legitimate traffic. If you experience this, please contact our support immediately; they will be able to help.
Ori Pekelman, 28 Mar, 2018
Platform.sh customers should visit Safe from DrupalGeddon II aka SA-CORE-2018-02 for the specific steps we took to protect all our Drupal instances.
Earlier today, a critical remote code execution vulnerability in Drupal 6, 7, and 8 was disclosed. This highly-critical issue affects all Drupal 7.x and 8.x sites and most Drupal 6.x sites. It is trivially exploitable remotely by anonymous users on any site that exposes forms. It is very possible that your site exposes this vulnerability even if you are not aware of publicly accessible forms. You should update immediately any Drupal site you have to versions 8.5.1, 8.4.6, or 7.58, as appropriate.
How to know if I am affected?
We are currently not aware of exploits of this vulnerability in the wild but this will undoubtedly change in the next few hours. Writing an exploit for this is trivial and you should expect automated internet-wide attacks before the day is out.
You should take immediate steps to protect yourself. This is as bad or worse than the previous highly-critical vulnerability SA-CORE-2014-05 that wreaked havoc three and a half years ago affecting more than 12 Million websites.
(Like, seriously, if you are reading this and you are not on Platform.sh or another provider that has put a platform-level mitigation in place, go update your sites and then come back and finish reading. Please. Platform.sh customers, see below for how to quickly update your site.)
Where does the vulnerability come from?
The issue is in Drupal's handling of HTTP request parameters that contain certain special characters. These characters have special meaning in various places in Drupal, which if misinterpreted could lead to unexpected code paths being executed. The solution in the latest patch is to filter out such values before passing them off to application code.
Fortunately, that same strategy can be implemented at the network layer. We have therefore applied the same logic to our Web Application Firewall to reject requests containing such values and deployed it across all projects in all regions, both Platform.sh Professional and Platform.sh Enterprise. That should protect all Drupal and Backdrop installations running anywhere on Platform.sh until they are upgraded.
What to do?
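To make the two-layer strategy above concrete, here is an added example (written for this page, not Drupal's or Platform.sh's own code) that models the request sanitisation the core fix introduced, namely dropping every request key that begins with "#", the prefix Drupal reserves for render array properties, and the reject-rather-than-clean variant a WAF rule applies. The query-string decoder, the dotted-path logging and the sample queries are my own constructions.

```python
# Added example, not Drupal's own code: a Python model of the request
# sanitisation that the SA-CORE-2018-002 fix added to core. Patched Drupal
# strips every request key starting with '#' (the render array property
# prefix) before application code sees it; a WAF rejects the request instead.
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qsl

DANGEROUS_PREFIX = "#"
# Constructed sample queries: '#' arrives percent-encoded as %23 on the wire.
BENIGN_QUERY = "q=node/1&name=alice"
FLAGGED_QUERY = "name[%23demo][x]=1"

def parse_php_query(query: str) -> Dict[str, Any]:
    """Decode a query string into nested dicts the way PHP's parse_str does:
    a[b][c]=1 -> {'a': {'b': {'c': '1'}}} and e[]=x -> {'e': {'0': 'x'}}."""
    result: Dict[str, Any] = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        base, _, rest = raw_key.partition("[")
        parts = [base] + ([p.rstrip("]") for p in rest.split("[")] if rest else [])
        node = result
        for i, part in enumerate(parts):
            if part == "":                     # a[] appends under the next index
                part = str(len(node))
            if i == len(parts) - 1:
                node[part] = value
                break
            child = node.get(part)
            if not isinstance(child, dict):    # a scalar here is replaced by a dict
                child = node[part] = {}
            node = child
    return result

def strip_dangerous_keys(params: Dict[str, Any], path: str = "") -> Tuple[Dict[str, Any], List[str]]:
    """Return a copy of params with every '#'-prefixed key removed at any
    depth, plus the dotted paths of the dropped keys so they can be logged."""
    clean: Dict[str, Any] = {}
    removed: List[str] = []
    for key, value in params.items():
        here = f"{path}.{key}" if path else key
        if key.startswith(DANGEROUS_PREFIX):
            removed.append(here)
            continue
        if isinstance(value, dict):
            value, nested = strip_dangerous_keys(value, here)
            removed.extend(nested)
        clean[key] = value
    return clean, removed

def waf_verdict(query: str) -> str:
    """A WAF does not clean the request, it rejects it: any '#'-prefixed key
    anywhere in the decoded parameters yields a 400."""
    _, removed = strip_dangerous_keys(parse_php_query(query))
    return "400 Bad Request" if removed else "200 OK"
```

The same check must be applied to every parameter source Drupal reads (query string, POST body, cookies), and at every nesting depth, which is why the walk is recursive.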
You must update any and all Drupal instances with 6.x, 7.x and 8.x or Backdrop CMS, or verify that your hosting provider has put in place an automated mitigation strategy for this vulnerability. (All Platform.sh clients are safe; our new WAF now detects and blocks all variants of this attack). Even if your hosting provider has a mitigation strategy in place you should update immediately anyway.
Drupal 6.x is no longer maintained and unlike Drupal 7.x and 8.x it does not support automated updates. Third-party support providers may provide a patch but you should make plans to upgrade from Drupal 6 to Drupal 8 as soon as possible.
Hopefully you are using Composer for your Drupal 7.x and 8.x, or Drush make for Drupal 7.x, as is the default with Platform.sh installations.
To upgrade Drupal via Composer
To update your Drupal instances and test that nothing breaks, you can follow this simple procedure:
Verify that your composer.json file does not lock down Drupal core to a minor version; it should be something like "drupal/core": "~8.0". Then run:
git checkout -b security_update
composer update
Make sure that Drupal Core was updated to 8.5.1 or higher. (Check composer.lock using git diff). Commit and push your changes:
git commit -am 'fix for SA-CORE-2018-02' && git push
On Platform.sh you can test that everything is fine on your automatically-generated staging environment, then merge to master putting this to production.
If you do not use Platform.sh, you should test this either locally or on your testing server, and then follow your normal procedure to update your live sites.
To upgrade Drupal using Drush Make
If you are using "Drush Make" style of dependency management, again, make sure you are not locked down to a vulnerable version such as:
projects[drupal][version] = 7.57
If it is, bump it up to 7.58. Then make a branch and update it:
git checkout -b security_update
drush pm-update
Commit the changes and push the result to Platform.sh for testing. Once you're satisfied nothing is broken, merge back to master and deploy.
To upgrade Drupal if you're checking Drupal core into your repository
If you're running a "vanilla" Drupal setup, with all of Drupal checked into Git, the easiest way to upgrade is using drush.
In your local environment, go to your Drupal document root and run:
git checkout -b security_update
drush pm-update drupal
Commit the changes and push the result to Platform.sh for testing. Once you're satisfied nothing is broken, merge back to master and deploy. Afterward, look into how to migrate your site to a dependency-managed configuration, preferably Composer. It will make maintenance far easier and more robust in the future.
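Whichever of the three upgrade routes above you take, the step that matters is confirming the pinned core version before the branch is merged. As an added example (not Platform.sh's protective block and not Drupal tooling), the following gate reads the pin from composer.lock or from a Drush make file and refuses it when it is below the fixed release for its branch, using the per-branch minimums from the advisory; it assumes, as a generalisation, that 8.6 and later branches carry the fix, and the two sample inputs are constructed.

```python
# Added example, not Platform.sh's protective block nor Drupal tooling: a
# pre-deploy gate that refuses a build whose pinned Drupal core is below the
# fixed release for its branch, as listed in SA-CORE-2018-002. It reads the
# pin from composer.lock (Composer builds) or from a Drush make file.
import json
import re
from typing import Optional, Tuple

# Minimum fixed release per branch, from the advisory.
FIXED = {"7": (7, 58), "8.3": (8, 3, 9), "8.4": (8, 4, 6), "8.5": (8, 5, 1)}

# Constructed sample inputs: a lock one release short of the fix, a D7 make
# file pinned to the vulnerable 7.57.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "drupal/core", "version": "8.5.0"}]})
SAMPLE_MAKE = "core = 7.x\nprojects[drupal][version] = 7.57\n"

def parse_version(text: str) -> Tuple[int, ...]:
    """'8.5.1', '7.58' or '7.x-7.58' -> tuple of ints (an 'N.x-' prefix is dropped)."""
    text = re.sub(r"^\d+\.x-", "", text.strip())
    return tuple(int(p) for p in re.findall(r"\d+", text))

def core_from_composer_lock(lock_json: str) -> Optional[str]:
    """Locked drupal/core version from composer.lock, or None if not present."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None

def core_from_make_file(make_text: str) -> Optional[str]:
    """projects[drupal][version] from a Drush make file, or None."""
    m = re.search(r'^projects\[drupal\]\[version\]\s*=\s*"?([\w.\-]+)"?', make_text, re.M)
    return m.group(1) if m else None

def is_fixed(version: str) -> Optional[bool]:
    """True if at/above the fixed release for its branch, False if below it,
    None for branches with no fixed release (6.x, 8.2.x and earlier)."""
    v = parse_version(version)
    if len(v) < 2:
        return None
    if v[0] == 8 and v[1] > 5:           # assumption: 8.6+ was cut after the fix
        return True
    minimum = FIXED.get(f"{v[0]}.{v[1]}" if v[0] == 8 else str(v[0]))
    return None if minimum is None else v >= minimum

def gate(version: Optional[str]) -> str:
    """Decide whether the build may be deployed; the string is the log message."""
    if version is None:
        return "REJECT: no pinned drupal/core found"
    fixed = is_fixed(version)
    if fixed is None:
        return f"REJECT: {version} is on a branch without a fixed release, upgrade first"
    return "ALLOW" if fixed else f"REJECT: {version} is below the fixed release"
```

Run it against the real composer.lock or .make file in your CI job before the merge to master; a REJECT means the composer update or drush pm-update step did not actually move core.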
As a reminder, your Platform.sh instances are not vulnerable as they are protected by our WAF. You should still apply the fixes ASAP.
Damien Tournoud, 28 Mar, 2018