Security updates for Drupal Contrib Modules - Update

There will be an important security release of contrib modules at 11 AM Central time today. Yes, in a few minutes. We're ready to start rolling these out to our clients who are on security contracts. Some of these are very high-importance updates, so we strongly recommend that EVERYONE with a Drupal site install these updates as quickly as possible, since past experience has shown that these high-visibility updates are often exploited within hours.

Drupal Camp Wisconsin - Coming soon!

Drupal Camp Wisconsin is on! It will be held on July 29-30 in beautiful Madison, Wisconsin. This year we will be meeting at the Chemistry building on the UW Campus. There are still open slots for presentations, so please stop by http://drupalcampwi.org to make a session proposal or to sign up for the camp. This is always a fun camp, and it did not happen last year, so this is the year to stop by and make Drupal Camp Wisconsin a success! See you there.

Back in the saddle again

Gene Autry - Back in the Saddle Again (from Back in the Saddle 1941)

Everyone in the world is back from Drupalcon, full of seafood and other New Orleans specialties, and tired after all the great ideas and networking. So things are slowly getting back to normal here at the farm, as this video will attest. Unpacking and getting back to work. And yes, I DO look a lot like Gene Autry - it never occurred to me before I watched the video.

ImageTragick - Update

Update: all of our servers are now fully patched with the recently released updates for ImageMagick.

The talk of the Internet for the last few days has been a new exploit termed ImageTragick (CVE-2016-3714). It's a potential exploit on any server that has the ImageMagick package installed and runs web apps that do not properly check file type before displaying a file manipulated through the convert command. It doesn't look like Drupal is VERY exploitable by this (it would only be exploitable if the site used ImageMagick, and not a lot of them do). WordPress will also only be vulnerable if it uses an extension that calls ImageMagick.

However, since our clients run all sorts of code on our servers, we have just taken steps to mitigate this vulnerability on all of our servers. We don't think this will have any bad effects on any production sites - but if you're suddenly having issues with image processing, this may be why.  We've patched the policy.xml file on all of the servers as suggested by Red Hat and CentOS. This should stop any potential exploits until such time that actual patches for ImageMagick are available that are known to actually fix the exploit - probably next week.
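To confirm that a policy.xml change like this actually took effect, the file can be audited. The following is an added example, not our production tooling: the post does not list the entries we added, so the `REQUIRED` list assumes the five coders named in the public ImageTragick advisory, and both sample files are constructed.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the public ImageTragick advisory (assumption: the post does
# not say which entries were added to policy.xml).
REQUIRED = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

def coder_rules(policy_xml):
    """Return (pattern, rights) for each active <policy domain="coder"> entry.
    Parsing the XML instead of grepping skips commented-out sample lines."""
    root = ET.fromstring(policy_xml)
    return [(p.get("pattern", "").upper(), p.get("rights", "").lower())
            for p in root.iter("policy")
            if p.get("domain", "").lower() == "coder"]

def unmitigated(policy_xml, required=REQUIRED):
    """List required coders that are not reliably denied.
    Conservative: a coder counts as denied only if at least one entry matches
    it and every matching entry has rights="none"."""
    rules = coder_rules(policy_xml)
    missing = []
    for coder in required:
        rights = [r for pat, r in rules if fnmatch.fnmatchcase(coder, pat)]
        if not rights or any(r != "none" for r in rights):
            missing.append(coder)
    return missing

# Constructed sample: only URL is denied; the MVG line sits inside a comment.
PARTIAL = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""

# Constructed sample: all five coders denied.
PATCHED = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    print("partial file, still exposed:", unmitigated(PARTIAL))
    print("patched file, still exposed:", unmitigated(PATCHED))
```

Pass it the contents of the server's policy.xml; an empty list means every coder in `REQUIRED` is denied. Brace-style patterns are not expanded, so a coder covered only by such a pattern is reported as missing and should be checked by hand.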

Hosting packages now at CMS-FARM.COM

We're separating our web presence into two different places. This has been in the works for some time now, and we're finally moving forward on it. You can now purchase web hosting, domains, certificates, etc. through our new front-end web site at http://www.cms-farm.com. The site is still being developed, but it should make it easier to find your web hosting and service choices. Web development and consulting will still be run from this site.

Upcoming Changes

We're in the process of making multiple changes in our hosting. This is an update. Things that are coming soon:

  • We're going to be re-branding our hosting services as cms-farm to make them separate from consulting and design. Some time in the next couple months there'll be a new web site for that which will make the hosting services clearer and easier to buy.  Still part of the same company though - just a new face.
  • We're really interested in expanding some of our services for developers. This will eventually include a Git repository based on GitLab (which will come with any of the non-shared accounts), a Dropbox-like storage system, and some cleverer new uses of the CrashPlan backup system.

Drupal 6 support

As most of you are probably aware, Drupal 6 support formally ends on Feb. 24 - so all official support for D6 ends on that date. This has a few ramifications:

  • As of that date the Drupal Security Team will no longer release new patches and will no longer send out security notices.
  • Most module developers will stop supporting their Drupal 6 versions of modules altogether.
  • At some point the security notices on D6 sites should start reporting "unsupported" status for everything.
  • We will no longer be able to provide the same sort of support on D6 that we have in the past - in particular we cannot really guarantee any updates will occur.

We're still working on a formal stance on support for D6, since there's quite a lot of activity around the possibility of a D6 LTS support model to be provided by a few commercial vendors. Being a small company with limited resources, we will not be one of those vendors.

Most likely what we will recommend for everyone using Drupal 6 at this point will be the following:

  • If you keep a Drupal maintenance contract on your site we will make a best effort to apply any Drupal patches that become available through the D6 LTS support system - but we cannot make any promise that any Drupal security issues will be patched on a timely basis. We will only be applying patches for security issues, and only if they become publicly available. We are currently mulling over a price structure for this.
  • If you prefer you can cancel your D6 support contract and your site will be on its own for any security updates. Frankly we do not expect a LOT of security patches will be ported to D6 in the future, but it's always possible something truly serious will pop up.
  • If support for your D6 site is important to you and you do not believe you will be upgrading to D7 or D8 in the near future then we will be happy to recommend a support company that is doing D6 support on a commercial basis.  This is likely to become expensive, and may in a lot of cases require that you host your site with the support company involved. However, if support long-term on D6 is important to you, subscribing to one of those services will help to fund back-porting of security fixes to D6 and will support the Drupal community.

In any case, if you are on Drupal 6 we recommend that you make an attempt to upgrade to D7 or D8 as soon as possible. We will not be taking on any new support contracts for D6 sites as of today. We'll be glad to discuss the possible options with you whether or not you are currently a customer.

Drupal 8 Shared Hosting Test

Drupal 8

Drupal continues to move forward, adding in more features, more power, higher performance, and lots of other new goodies. Drupal 8 in particular is bringing a lot to the table, and a whole new world of web development.

Unfortunately it's also big, and has a lot of new requirements for web hosting which may make it difficult to host your D8 site on a lot of hosting services, particularly if you want to host in a shared hosting environment.

We're working on a solution for that, and are offering a shared hosting environment guaranteed to work with Drupal 8. The D8 package is much like our previous half-acre hosting setup, but includes more:

  • Choice of PHP 5.4, 5.5, 5.6, or 7.0 - your choice on every site, or even by directory. We recommend 5.6 currently as many Drupal contrib modules may have trouble with 7.0 (and we REALLY recommend not going with 7.0 if you're on Drupal 7).
  • MariaDB 5.5
  • One-click Drupal 8 installer
  • CentOS 7.2 operating system
  • 20 Gbytes of storage
  • Unlimited bandwidth
  • 6 MySQL databases
  • Up to 4 real domains and up to 20 aliases
  • Up to 100 email accounts
  • php.ini per site under your control - with up to 256 meg php instances
  • Drush, Composer, and Git all available on the server
  • ssh login to server and scp file access
  • Virtualmin Pro control panel
  • Free optimized Cloudflare (optional)

This is a work in progress - we are working to make this the best shared hosting environment for Drupal developers, and we'd like to enlist your help. For a limited time we are offering one free month of this service, and you can sign up by going to https://billing.cruiskeenconsulting.com/cart.php?a=add&pid=36 and entering the discount code D8testing at checkout (you need to sign up for monthly billing). No contract, cancel any time.

Help us polish our D8 hosting service and get a free month of hosting to boot.

Let's Encrypt

A lot of you may be aware of the Let's Encrypt project, which aims to provide free SSL certificates. We are currently working on bringing support for Let's Encrypt into our web control panels, to make it easy for you to get a free cert for your domain automatically. Let's Encrypt went into public beta yesterday.

As always with being an early adopter, there are still a few flies in the mayonnaise on that - but we hope to have this available to all of our hosting customers by Jan. 1.
