Thurston County Drupal Users Group
Who?
All are welcome :) site admins, dev, content contributors. State, local, education,
private sector and those kicking the tires of Drupal to see if the platform is a
good fit.
When?
Next meeting will be Thursday 4/26 from 2:00-4:00.
Where?
WA Dept. of Veterans Affairs
You will need to check in at the front desk to obtain a badge.
1102 Quince St SE –
2nd Floor Conference Room (Go through the door between elevator and stairs)
Olympia, WA 98501
What?
A chance to meet, share, and troubleshoot.
Please come prepared with something to share. What challenges or
excitement have happened with your site recently.
Do you have something to add to the agenda, something you are willing to present or trouble-shoot?? Please email it to Jenniferm@dva.wa.gov
Agenda
o Introductions
o Drupalcon News – How did that happen? So excited!
Drupalcon Seattle 2019!
o PNW Drupal summit Seattle 2019 – Dates TBD
o New sites
• Other updates
https://www.drupal.org/psa-2018-002
Description
This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal core - RCE. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below.
The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25
Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.
Simply updating Drupal will not remove backdoors or fix compromised sites.
If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.
https://www.drupal.org/sa-core-2018-002
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The security team has written an FAQ about this issue.
Solution:
Upgrade to the most recent version of Drupal 7 or 8 core.
• If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
• If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.
https://www.drupal.org/blog/drupal-8-5-0
What's new in Drupal 8.5.0?
This new version makes Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces a new experimental entity layout user interface. The release includes several very important fixes for workflows of content translations and supports running on PHP 7.2.
https://www.drupal.org/blog/big-steps-for-migrations-in-drupal-850
Big steps for migrations in Drupal 8.5.0
After over four years of work with over 570 contributors and 1300+ closed issues, Drupal 8.5.0 releases the Migrate system's architecture as fully stable. This means that developers can write migration paths without worrying for stability of the underlying system.
On top of that the Migrate Drupal and Migrate Drupal UI modules (providing Drupal 6 and 7 to Drupal 8 migrations) are considered stable for upgrading monolingual sites. All of the remaining critical issues for the Migrate Drupal module's upgrade paths and stability are related to multilingual migration support (so multilingual site upgrades are still not fully supported).
Support for incremental migrations is now also available, which means that site owners can work gradually on their new Drupal 8 site while content is still being added to the old site. When migrations (including incremental migrations) are run through the user interface, site owners will now see a warning if some data on the Drupal 8 site might be overwritten. (A similar fix for Drush is not yet available, so be careful not to overwrite data if you run a migration on the command line.)
Upgrade instructions for Drupal 6 and Drupal 7 sites can be found in the Upgrading to Drupal 8 handbook. Your old site can still remain up and running while you test migrating your data into your new Drupal 8 site. If you happen to find a bug, that is not a known migrate issue, your detailed bug report with steps to reproduce is a big help!
Unlike previous versions, Drupal 8 stores translated content as single entities. Multilingual sites with reference fields (node_reference, entity_reference) or multilingual menus can upgrade to Drupal 8 using Drush, executing the desired migrations one by one. In this process you need to create and run a series of additional custom migrations to reflect the new entity identifiers assigned during earlier migrations. There is no automation implemented for this process yet.
Data can be migrated to Drupal 8 also from non-Drupal sources such as CSV, XML, JSON, or directly from 3rd party systems' databases. For instructions and examples, refer to Migrate API handbook.
Huge thanks again to all the contributors who made this possible.
Thank you,
Jennifer Montgomery
Web Manager
Washington Department of Veterans Affairs
360-725-2169 | jenniferm@dva.wa.gov