Web Design and Development

Secure your account: Two Factor authentication on Drupal.org

Drupal - Sun, 07/19/2015 - 13:22

Drupal.org users* can now use two factor authentication to increase the security of their accounts. It can be enabled via the Security tab of your user profile page. Read the detailed instructions at Enabling TFA on Drupal.org.

This was made available to Drupal.org admins in May. It is now required for users who have advanced access on Drupal.org. However, every user can benefit from the security that two factor authentication offers.

If you want to make two factor authentication available on your own Drupal site, you can install the TFA module.

* Two factor authentication is available for all users with the 'confirmed user' role. If you don't see the 'Security' tab on your profile page, you might be missing the role. Just keep posting content on Drupal.org and it will be granted soon. You can also apply to get the role.

Front page news: Planet Drupal

Outage: Drupal.org Git server Migration

Drupal - Wed, 07/08/2015 - 10:22

On July 9th at 8pm UTC, Drupal.org will be migrating our git server to a redundant cluster of 2 servers. This will provide failover in the event one server fails.

While we are working on the migration, users will not be able to commit files to git or check files out of git. We expect the migration to take up to 2 hours.

After the migration, the host keys will change and your client might give an error message when pushing to git. Consult your OS’s documentation on how to fix this error.

If you have any questions please raise an issue in the infrastructure issue queue. https://www.drupal.org/project/issues/infrastructure?categories=All

You can follow the progress of the migration at http://twitter.com/drupal_infra

Drupal 7.38 and 6.36 released

Drupal - Wed, 06/17/2015 - 10:06

Drupal 7.38 and Drupal 6.36, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.38 and Drupal 6.36 release notes for further information.

Download Drupal 7.38
Download Drupal 6.36

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.


Drupal 7.38 is a security release only. For more details, see the 7.38 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.36 is a security release only. For more details, see the 6.36 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.38 and 6.36 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.38 or Drupal 6.36.

Known issues


Front page news: Planet Drupal
Drupal version: Drupal 6.x, Drupal 7.x

Community Spotlight: Solomon Kitumba and Benjamin Lutaaya Kiyita

Drupal - Tue, 06/02/2015 - 14:01

For our June community spotlight, we’d like to highlight the efforts of two men in Uganda who are working hard to grow their local community and bring more university students into the Drupal fold. In 2014, the two were awarded a Community Cultivation Grant for their Uganda University Drupal Tour program, which will be discussed in today’s spotlight.

For close to three years, Solomon Kitumba (solomonkitumba) and Benjamin Lutaaya Kiyita (benjaminkyta) of Kampala, Uganda, have been working with Drupal. Solomon, a Drupal front end developer, owns Kyta Labs, a mobile and web app development company. Benjamin, a Drupal Dev Ops and UI/UX Developer, is active both in the local Drupal community and in the local Linux community as well. Both men share a fascination with open source, and encountered the same obstacles when learning Drupal — which led them to team up and forge a better path for other Ugandans.

Initially, both Solomon and Benjamin learned Drupal software through online tutorials found on Lynda.com and YouTube, and through free eBooks as well. One struggle that the two bumped up against — and still struggle with — is the lack of a physical space where their local community can come together to teach new Drupalers, learn from each other, and give each other support.

“One of the biggest challenges we have faced is a lack of collaborative space where drupalers can meet daily,” said Solomon. “In our city, there’s nowhere where we can work on solutions together and learn from each other. There are a couple of these places for mobile developers, but we lack one for web people in Kampala.

“We’ve used our Drupal careers to create a presence in the local tech industry,” said Solomon by email. “People know who to talk to if they want to discuss Drupal and getting paid to develop using Drupal. Initially, our local community was pretty inactive. There were a few people who knew how to use Drupal, but lacked the force and momentum to get good attendance at events and meetups. We’ve been working to attract more people, like site builders and module developers, and we’ve seen a lot of growth in our local community because of it."

And how have the two grown the Drupal community in Uganda?

“We started doing some outreach to use local universities as meeting spaces, but they’re so far from the main city that it became very costly. Getting together outside of the city means dealing with expenses like hotel fees, transportation costs, and a few other things, and those costs would put our projects at a standstill in times when we can’t afford it."

However, the outreach to nearby universities — though expensive — has its benefits. “We’re doing a lot of work to get university students interested in Drupal while they are still at school. Students have a lot of time available to learn new things, so we put together a Drupal University tour that we are still conducting, and so far it has been very well received."

For Solomon and Benjamin, the university tour seemed like a natural extension of the work they’d been doing at local meetups.

"We got the idea from the tech meetups we attended in Kampala that were also attended by university students in the same field. They were all curious about the platforms we use to build our online technologies, and we told them about Drupal. After the meetups they knew it was a CMS and a few of them could even install it — but that was it. We asked ourselves how we could help these students learn Drupal more easily, which led us to the idea of holding training through the major universities in Uganda. And for us, it just made sense to call the campaign the Drupal University Tour."

Planning the University Tour was no easy task: the duo encountered no small amount of hesitation from universities, and came up against financial obstacles as well. “We started off by writing down the things we would need, and figured out from there how we would hold the trainings — what we would teach specifically, and so on. Then, we started communicating with the department heads of the universities we wanted to train at. Some of them were hesitant at first, but eventually they accepted our proposal.

"When we were preparing the tour, we realized that we needed funding for the whole campaign. The universities weren't ready to financially facilitate our sessions, so we applied for the Drupal Community Cultivation Grant. Through it, we were awarded $1,488 USD, and we were able to kick off the tour."

The two knew that, for maximum efficacy, they’d have to go to a number of different schools to speak to as many students as possible. So they decided to go to the best schools in the country. “We went to all the major universities in Uganda. Makerere University, Kampala International University, Kyambogo University, and Mbarara University of Science and Technology were all on our list. Because of scheduling conflicts, we weren’t able to run the tour in the timeframe we had planned, but we eventually made it. And, we managed to have a little money left over — about $50 USD, which was enough for us to go to another institution called Datamine Technical Institute. So they were able to benefit from the campaign as well,” Solomon concluded.

The Drupal University tour has been a big success, the two felt.

“We spent a day teaching the students about Drupal itself as a software. We taught them about making contributions to the development, such as by submitting code to the project. We also emphasized the power of both the local and global Drupal communities, and discussed what a big benefit it is,” Solomon said. “We talked about how to share resources with people in the Drupal community, and how we can mobilize both locally and internationally to help people learn Drupal and organize training."

We couldn’t be more thrilled and grateful for the work that Solomon and Benjamin have done. We often hear conversations about the difficulties of bringing new talent into the Drupal community, and the work that Solomon and Benjamin have done is invaluable, both for their local community and for the wider Drupal world. Thank you for your work!

Drupal 8 Security bug bounty program: Get paid to find security issues in D8

Drupal - Tue, 06/02/2015 - 06:38

Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That's where you come in!

The security team is using monies from the D8 Accelerate fund to pay for valid security issues found in Drupal 8, from now until August 31, 2015 (open to extension). This program is open for participation by anyone.

How does this work?

Install a local copy of Drupal 8 from Git (https://www.drupal.org/project/drupal/git-instructions). Find security issues such as XSS, SQL Injection, CSRF, Access Bypass etc. If you find any, go to www.bugcrowd.com/drupal and submit them. You will have to sign up for an account on bugcrowd.com for this. Bugcrowd is a crowdsourced security bug finding platform suggested by security team members, and it is used by many, including LastPass, Pinterest, Heroku, Pantheon, and CARD.com.

I can get paid to do this?

We will be paying anywhere from $50-$1000 per issue. The more serious the issue, the more the security team will be paying. Issues must first be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it. We will also take into account the severity of the security issue.

Can I get paid for finding issues in contrib or Drupal 7?

No, however if you do find security issues in Drupal core other than version 8 or in contrib projects please submit them via our issue reporting process.

Who is running this program?

The Drupal Security Team with funds from the D8 Accelerate program.

If I find something will I get credit?

Yes, just like our regular reporting policy you will get credit as long as you don’t disclose it until a fix is released. If an issue is suitable for public discussion, we will disclose it and give you credit.

Do all security issues count?

If a task requires the attacker to have one of the following roles it would not count:
Access site reports (a.k.a. "View site reports"), Administer filters, Administer users, Administer permissions, Administer content types, Administer site configuration, Administer views, Translate interface.
Issues excluded from the bounty program include, but are not limited to:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Username enumeration
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- SSL Issues, e.g.
  - SSL Attacks such as BEAST, BREACH, Renegotiation attack
  - SSL Forward secrecy not enabled
  - SSL weak / insecure cipher suites

However, we would still like to know about it, and you will still get credit for it, but we will not be issuing payments for it.

I have a question not listed here

Email security@drupal.org

Drupal version: Drupal 8.x

Drupal 7.37 released

Drupal - Wed, 05/06/2015 - 21:24

Drupal 7.37, a maintenance release with numerous bug fixes (no security fixes), is now available for download. See the Drupal 7.37 release notes for a full listing.

Download Drupal 7.37

Upgrading your existing Drupal 7 sites is recommended. There are no major, non-backwards-compatible features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

There are no security fixes in this release of Drupal core.

Bug reports

Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.


Drupal 7.37 contains bug fixes and small API/feature improvements only. The full list of changes between the 7.36 and 7.37 releases can be found by reading the 7.37 release notes. A complete list of all changes in the stable 7.x branch can be found in the git commit log.

Update notes

See the 7.37 release notes for details on important changes in this release.

Known issues


Front page news: Planet Drupal
Drupal version: Drupal 7.x

Limited email privacy breach on Drupal.org on April 15th

Drupal - Fri, 04/17/2015 - 17:05

On April 15th, a change to a Drupal.org website permission inadvertently allowed a small segment of users to view a report listing the email addresses of recently logged in users. No passwords were involved. The problem was mitigated within 13 hours of being introduced and within 3 hours of being reported. The problem was completely resolved within 24 hours of introduction. The number of affected email addresses is relatively small – fewer than 500. Those users are being contacted directly if their email was affected. Users with maintainer access or the community role and above were not affected by this incident.

The users with permission to see this report were limited to community members that have shown frequent contribution to Drupal.org. The possible exposure time was also limited to the period between April 15, 2015 20:53 UTC and April 16, 2015 9:00 UTC. There were approximately 44 IP addresses that accessed the information during that time. These users are mostly administrators of Drupal.org and the community members who first reported the incident.

Even though the exposure of email addresses was limited as described above, we recommend that all users be cautious of any email that asks for personal information.

We want to thank the community members who moved quickly to alert the Drupal Security and Drupal.org infrastructure teams about the problem.

Front page news: Drupal News
Drupal version: Drupal 7.x

A new way to welcome newcomers on Drupal.org

Drupal - Wed, 04/15/2015 - 13:04

The first initiative on the Drupal.org 2015 roadmap is ‘Better account creation and login’. One of the listed goals for that initiative is “Build a user engagement path which will guide users from fresh empty accounts to active contributors, identifying and preventing spammers from moving further.” This is something the Drupal Association team has been focusing on in the last few weeks.

The first change we rolled out a few days ago was a ‘new’ indicator on comments from users whose Drupal.org accounts are fewer than 90 days old. The indicator is displayed on their profile page as well. We hope this will help make conversations in the issue queues and forum comments more welcoming, as people will be able to easily see that someone is new and probably doesn’t yet know a lot about the way the community works.

Today we are taking another step towards making Drupal.org a more welcoming environment for new users. But first, a bit of background.

New users and spam

It is not a surprise to anyone that a large number of the user accounts registering on the site are spam accounts. To fight that and prevent spam content from appearing on Drupal.org, we have a number of different tools in place. Of course, we don’t want these tools to affect all active, honest users of the site, and make their daily experience more difficult. To separate users we are sure about from those we aren’t sure about yet, we have a special ‘confirmed’ user role.

All new users start without such a role. Their content submissions are checked by Honeypot and Mollom, their profiles are not visible to anonymous visitors of the site, and the types of content they may create are limited. Once a user receives a ‘confirmed’ role, his or her submissions will not be checked by spam fighting tools anymore; their profile page will be visible to everyone, and they will be able to create more different types of content on the site.

This system works pretty well, and our main goal is to ensure that valid new users get the ‘confirmed’ role as quickly as possible, to improve their experience and enable them to fully participate on the site.

The best way to identify someone as not a spammer is to have another human look at the content they post and confirm they are not a spammer. Previously, we had a very limited number of people who could do that: about 50. Because of that, it usually took quite some time for a new user to get the role. This was especially noticeable during sprints.

Today we’d like to open a process of granting a ‘confirmed’ role to the thousands of active users on the site.

‘Community’ user role

Today, we are introducing a new ‘Community’ role on the site. It will be granted automatically to users who have been around for some time and reached a certain level of participation on Drupal.org. Users who have this role will be able to ‘confirm’ new users on the site. They will see a small button on the comments and user profile of any user who has not yet been confirmed. If you are one of the users with the ‘Community’ role, look out for this new Confirm button, and when you see one next to a user, take another look at what the person posted. If their content looks valid, just click ‘confirm’. By doing so, you will empower new users to fully participate on Drupal.org and improve their daily experience on the site.

We expect to have at least 10,000 active users with the ‘Community’ role. With so many people to grant the ‘confirmed’ role, new users should be confirmed faster than ever before.

If you aren’t sure if you have the ‘community’ role or not, don’t worry. We will send an email notification to every user whose account receives the new role. The email will have all the information about the role and how to use it.

Thanks for helping us make Drupal.org a better place!

New Try Drupal Program

Drupal - Fri, 04/10/2015 - 09:38

One of the Drupal Association's primary missions is to grow the adoption of Drupal. We are about to launch a new program on April 15th called Try Drupal. The program will make it easy and fast for evaluators to try Drupal and have a simple, great experience while on Drupal.org.

We’ve created Try Drupal with our Premium Hosting Supporters to make it easier for CMS evaluators and Drupal.org newcomers to test and work with a Drupal demo site. The Program will showcase a selection of Hosting Companies where a new user can quickly (in less than 20 minutes) sign up and have a Drupal demo site up and running for them to use for free.

This is part of the Drupal Association’s initiative to develop a new revenue stream through advertising programs on Drupal.org. This revenue will help fund various site initiatives by the Association to improve Drupal.org performance, and make it easier to use and more secure. After interviewing many members of the community, we determined that new advertising products should be useful to Drupal.org visitors, support our mission to grow the adoption of Drupal, and should not interfere with visitors contributing to the project.

To ensure a positive Drupal experience, partners need to adhere to the following guidelines:

  • Users are directed to a self-serve sign up platform
  • Users can create a free account for the demo site that accommodates a trial installation of Drupal 7 or 8
  • Users can create a website in 20 minutes or less
  • The demo site should be available to the user for a minimum of one day upon sign up
  • The partner cannot include a paywall or require a credit card upon sign up

The Try Drupal program will be featured on the homepage of Drupal.org. It will launch with a larger iterative change to the homepage, with an emphasis on helping users move from newcomer, to learner, to skilled Drupal community members.

It’s important that we fund Drupal.org improvements, and that we do so in a responsible way that respects the community. We anticipate rolling out more key advertising programs throughout 2015; stay tuned for more updates. Thanks for taking the time to read about our initiatives, and please tell us your thoughts!