Regression in Drupal 7.29 can lead to data loss - 7.30 out and fixes it

Update --- Drupal 7.30 was released yesterday and fixes the regression in 7.29. So, if you've not yet updated to 7.29, go straight to 7.30.

Thanks to Acquia for the heads-up. There's a serious reported regression in Drupal 7.29 that can lead to data loss.

A simple rule to block some Drupal spammers

We've all been there - your Drupal site is being overwhelmed by people and robots trying to post to your site, or trying to create accounts. These attempts can really hammer your web server, and it's the sort of traffic that isn't going to be helped by the thirty-five different kinds of caching you have set up on your site, because a POST to a registration or comment form goes straight past every cache layer to PHP and the database.
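The teaser above does not show the rule itself. As an added example that is not from the original post, the following Python script finds the offending clients the way a practitioner would before writing a firewall or fail2ban rule: it reads Apache combined-format access-log lines, counts POSTs to Drupal's registration, login, comment and node-add paths per source IP within a sliding time window, and renders an iptables DROP rule for each IP over the threshold. The log format, the watched paths (Drupal 7 defaults), the threshold of five POSTs in ten minutes, the iptables rule shape, and every IP address and log line are assumptions constructed for the example.

```python
"""Flag clients that hammer Drupal form endpoints, from access-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the site logs in Apache "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: default Drupal 7 paths that spam bots POST to.
WATCHED_PREFIXES = ("/user/register", "/user/login", "/comment/reply", "/node/add", "/contact")

# Constructed sample log: one fast bot, one slow bot, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [02/May/2014:10:00:01 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2014:10:00:03 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2014:10:00:05 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2014:10:00:07 +0000] "POST /comment/reply/12 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2014:10:00:09 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2014:10:01:00 +0000] "GET /node/7 HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2014:10:01:30 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [02/May/2014:09:00:00 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "curl/7.30"
192.0.2.77 - - [02/May/2014:09:20:00 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "curl/7.30"
192.0.2.77 - - [02/May/2014:09:40:00 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "curl/7.30"
192.0.2.77 - - [02/May/2014:10:00:00 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "curl/7.30"
192.0.2.77 - - [02/May/2014:10:20:00 +0000] "POST /user/register HTTP/1.1" 200 5120 "-" "curl/7.30"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def offending_ips(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_hits} for IPs that POSTed to a watched path at least
    `threshold` times inside any `window`-long interval (sliding window)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        events[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until all kept timestamps fall within `window` of t.
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


def iptables_rules(flagged):
    """Render one DROP rule per flagged IP (assumption: Linux host using iptables on port 80)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    for rule in iptables_rules(offending_ips(SAMPLE_LOG.splitlines())):
        print(rule)
```

Note what the window does: the slow bot at 192.0.2.77 posts the same number of times as the fast one but twenty minutes apart, so it never reaches five hits in any ten-minute window and is not flagged. That is the trade-off of a rate rule; catching low-and-slow registration spam needs a longer window or a different signal (failed CAPTCHA, honeypot field, status code), not a lower threshold that would also catch legitimate users.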

Drupal 6 Extended Support Announcement

There has been a fair amount of questioning about Drupal 6 and when support for it will end (there is a huge backlog of Drupal 6 sites that for one reason or another have not transitioned to 7). Partly in recognition of this, the Drupal Association has announced that Drupal 6 support will be extended for 3 months after Drupal 8 is released. It also seems likely that a couple of commercial companies will provide Drupal 6 support after that, at least for security updates.

Yet Another OpenSSL issue

So -- it's time for another OpenSSL upgrade on our servers. There's another fairly serious security flaw in recent OpenSSL releases, found as a result of the increased scrutiny the OpenSSL code has been getting. Again, this only affects the recent 1.0 versions of OpenSSL, so in our case it's again the servers running CentOS 6. We have not yet started this upgrade since we are waiting for the update to reach our CentOS update servers --- but it should start to roll out later this afternoon.

Drupal 7.28 out

Drupal 7.28 was just released. It's a bug-fix release, so it does not correct any security issues. There are multiple bug fixes, the biggest and scariest of which is that they have finally fixed the oddity in both Drupal 6 and 7 where the update module often cannot query for updates on its own. This is mostly a Drupal 7 issue, and it is what causes your site to not reliably report available updates unless you go in and check for them manually. The BAD news here is that if you've got your site set up to just use the built-in "Poorman's Cron" implementation in Drupal 7, you

CERT -- Stop Using Internet Explorer till it's fixed!

This is really unusual. Today CERT suggested that everyone just plain stop using Internet Explorer until Microsoft fixes the current zero-day exploit against it. This rarely happens, but it's a particularly egregious bug, and it's on the world's most common OS platform. I think the thing that's particularly interesting here is that it's never going to get fixed for Windows XP users, since XP is now completely out of support. So I think the lesson here is:

Drupal 6.31 and 7.27

New security releases of Drupal came out yesterday. We are in the process of upgrading the sites that we have under maintenance contracts. This will take a few days to get through all of the different sites. This is only a moderately concerning update and will only affect some sites, depending on how they are configured. In particular, it is likely to only affect sites that expose multi-step or Ajax forms to anonymous users. We will work our way through sites in the order of how vulnerable we believe they will be to this bug.

Heartbleed Security Flaw

Many of you have undoubtedly been reading about the Heartbleed security issue with OpenSSL. Some of our servers were vulnerable to Heartbleed - notably our CentOS 6 servers. The ones running CentOS 5 were not vulnerable because they are based on an older version of OpenSSL. We upgraded the OpenSSL library on all of our vulnerable servers as soon as a patched version was available, and none of our servers are now vulnerable to this exploit. We have re-keyed the secure certificates (new private keys, reissued certificates) for our clients who are under maintenance contracts. We would recommend that everyone go out and update your passwords on any web-based systems that may have been vulnerable to this exploit, including logins for email accounts. If you are having any trouble with this on our systems, please let us know.

Please note that the administrative panel logins on our servers were not vulnerable to this exploit - but your logins through SSL on your own web sites possibly were. In any case, rotating passwords occasionally is always a good policy, and we would also recommend (as the Internet gets more and more lawless) that you think seriously about using a password manager (we happen to like LastPass) to keep track of your passwords, allowing you to generate a different random password for each site and still keep track of them. Last of all, we'd like to recommend that you think about implementing two-factor authentication on your important logins. We are using Authy on some of our administration software to require not only a password, but also a random one-time code, to log in to our servers.

Drupal Open House in Minneapolis

Time for the first-ever Drupal Open House in Minneapolis - an un-conference revolving around Drupal.  Come meet the Twin Cities Drupal folk, talk about all things Drupalicious, code, sprint, have lunch, and then start again!

We'll have a couple folks from Cruiskeen Consulting there, and it's a great chance to meet people, schmooze, and learn. 


Intermedia Arts

Saturday, March 1

2822 Lyndale Ave. S.

Minneapolis, MN 55408

Free, but $5 requested to pay for lunch


See you all there!
