Media Technology News
- Advisory ID: DRUPAL-SA-CORE-2017-002
- Project: Drupal core
- Version: 8.x
- Date: 2017-April-19
- CVEID: CVE-2017-6919
- Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
- Vulnerability: Access bypass
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:
- The site has the RESTful Web Services (rest) module enabled.
- The site allows PATCH requests.
- An attacker can get or register a user account on the site.
While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
- Drupal 8 prior to 8.2.8 and 8.3.1.
- Drupal 7.x is not affected.
- If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
- If the site is running Drupal 8.3.0, upgrade to 8.3.1.
Also see the Drupal core project page.
Reported by
- Alex Pott of the Drupal Security Team
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Wim Leers
- Sascha Grossenbacher
- Daniel Wehner
- Tobias Stöckler
- Nathaniel Catchpole of the Drupal Security Team
- The Drupal Security team
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Nita has been creating the most adorable renders for a while now, and just recently she made Moana after watching the movie. This render has been everywhere! Facebook, Artstation, Instagram, Twitter, you name it. After sharing her work here, I asked if you guys were interested in an interview. You guys were, so here comes [...]
The post BlenderNation Exclusive Interview - Nita Ravalji On Moana appeared first on BlenderNation.
Dulana57 writes: A Lightsaber Node Group for Blender (Works in both Cycles and Internal) It has Accurate Lightsaber Motion Blur, an Accurate Recreation of the Most Recent Star Wars Film, and it is Very Customisable.
I love the short 'studies' in the reel by Brent Patterson. Hello, I'd like to share this montage of various experimental animations I've made in Blender over the past couple of years. I hope you enjoy!
Here are the notes from today's 14 UTC meeting in irc.freenode.net #blendercoders. Ton Roosendaal writes: (We kept it short, Easter Sunday). 1) Blender 2.79 targets See the targets list. Still need to get reviews done... everyone's very busy with other tasks too. So, next week another attempt to freeze the targets for 2.79! 2) Blender [...]
The post Weekly Blender Developers meeting notes - April 16, 2017 appeared first on BlenderNation.
Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there, and we'll be presenting a panel giving an update on our work since Dublin and our plans for the coming months.
Drupal.org updates
Project application revamp
As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases! Contributors no longer have to wait in the project application queue for a manual review before they are able to contribute projects.
This is a very significant change in the Drupal contribution landscape, and it's something we approached carefully and will continue to monitor over the coming months. Drupal has always had a reputation for high-quality code, and we want to make sure that reputation is preserved with good security signals, project quality signals, and continued incentives for peer code review.
That said, we're very excited to see how this change opens up Drupal to a wider audience of contributors.
Please note that the removal of project applications to create full projects and releases means a change in the security advisory policy (see below for details).
Security Advisory Opt-in and new Security Signals for Projects
Are you responsible for the security of your clients' Drupal sites?
Please note that Drupal's security advisory coverage policy has changed. Security advisory coverage for contributed projects is now only available for projects that have both opted in to receive coverage and made a stable release. You can see which projects have opted in by checking their project pages. If you have questions, please contact email@example.com.
Because users may now create full projects and releases without opting in to security advisory coverage, it's critically important that we provide good security signals to users evaluating projects on Drupal.org. This is why we've added a security coverage warning to projects that aren't opted in to coverage.
- Opened up the opt-in process, allowing any maintainer of a project (not just the node author) to opt in to receive security advisory coverage
- Added a confirmation step when a user goes to make a stable release - this encourages users to be sure the project is ready for a release, and to opt-in to coverage if they haven't already
- Blocked security advisory opt-in if a project has an open, public security issue
- Started displaying info about public security issues on project pages that haven't opted into advisory coverage
- Added a filter to project browsing pages to make it easier to find projects with supported stable releases
The 2017 elections for the community-at-large seat on the board were held successfully in March. Drupal Association community board elections are conducted with the Instant Runoff Voting system. This voting methodology requires that voters rank their preferred candidates on their ballot, and we've heard that this system has been somewhat unwieldy in the past.
Each year we try to improve the voter experience and so this year we deployed a new drag-and-drop ballot.
Finally, we want to congratulate our newest board member Ryan Szrama!
Better international datetime support throughout Drupal.org
Drupal.org has grown organically over the course of more than a decade, and as features have been built out they were not always consistent in their display of datetime information. While it sometimes makes sense to have a few different formats for displaying date and time, many of the formats in use were simply arbitrary historical decisions.
As a quality of life improvement, especially for users outside of the USA, we've standardized the datetime format used on Drupal.org. That format is: DD MMM YYYY - hh:mm (UTC±h). For example: 11 Aug 2016 - 16:42 (UTC+8)
DrupalCI
CSS Lint check style results
When we implemented coding standards testing in DrupalCI in February we were not able to add CSS Lint testing until the CSSLint configuration file in core was fixed. That issue was fixed in late February and so we added CSSLint to support coding standards testing for CSS at the beginning of March.
Cleaning up coding standards results
The addition of coding standards results to DrupalCI means that Drupal.org is now storing even more test data about the code we test on Drupal.org. Our initial implementation of coding standards testing did not include clean up of older results, and so to preserve database space and testing resources, we implemented some clean-up routines in March. In particular we are now:
- Cleaning up all results for closed issues
- For custom one-off tests, keeping results for 30 days to match what is shown on the project's automated testing tab
- For tests triggered on a schedule or commit, keeping the most recent per-environment per-branch, and keeping anything less than 24h old
We experienced some minor Git outages in March, due to malicious authentication attempts. To mitigate these issues in the future, we've implemented fail2ban rules to protect Git authentication. This should improve the stability and uptime of Git services for all developers on Drupal.org.
We want to thank Drupal.org infrastructure volunteer mlhess for his assistance with this.
Community Initiatives
Contrib Documentation Migration
New tools for Documentation have been available on Drupal.org for more than half a year. While most of the core documentation has been migrated to the new system, we are still encouraging Contrib maintainers to migrate their docs.
To make it easier for contrib project maintainers to migrate their documentation to the new documentation tools, we've made two improvements:
- Maintainers may now attach Documentation guides directly to their project pages.
- The Documentation Guides that a user maintains are now listed on their user profile.
As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:
- CivicActions - *NEW* Supporting Partner
- HS2 Solutions - *NEW* Supporting Partner
- Cheeky Monkey Media - Renewing Supporting Partner
- Cybage Software - Renewing Supporting Partner
- Digital Circus - Renewing Supporting Partner
- Message Agency - Renewing Supporting Partner
- QED42 - Renewing Supporting Partner
- Srijan Technologies - Renewing Supporting Partner
- Evolving Web - Renewing Supporting Partner
- Brightcove - *NEW* Technology Supporter Partner
- SiteGround - Renewing Hosting Supporter Partner
- Smartling - *NEW* Technology Supporter Partner
- Sevaa Group - *NEW* Technology Supporter Partner
If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.
Second place winner Lukas Fischer made this awesome animation for the Weekly CG Challenge #97. What do you guys think of it?
ONiRiXEL just completed a project for the European Space Agency in Blender! The European Space Agency (ESA) entrusted to the french 3D animation studio ONiRiXEL the creation of the new Space Debris Movie 2017, in collaboration with the french consulting startup ID&SENSE and the Information Systems Department of the C-S Group. This short film premiered [...]
The post ESA's Space Debris Movie 2017 (made with Blender/Cycles) appeared first on BlenderNation.
cgvirus writes: Hey Folks! I am developing an optical flare engine addon for Blender VSE for my studio. Our team feels Optical Flare should be a post process so here it is. It's now in beta stage. I will experiment with it in real time productions and refine it further. You are welcome to [...]
Denzyl writes: Blender and Cycles are extremely powerful and the use of nodes can be extremely flexible when creating animated material FX. This is a fun and easy effect to get in Cycles. This effect is not just good for light boxes but also things like flickering street lights and twinkling Christmas lights. Got any [...]
Dani Canovas creates this beautiful vibrant render. The colors, the amazing character design, this is top notch artwork! By the way, am I the only one finding this rhino snail looking cool as hell "inserts sunglasses dude emoticon"!?
Jayanam gives a quick walkthrough of how to use the new Shadow Catcher option for image composition. This is a tutorial about the Blender shadow catcher, a feature for compositing that is currently available in the latest build of Blender 2.78c.
- Advisory ID: DRUPAL-PSA-2017-001
- Project: Drupal core
- Version: 8.x
- Date: 2017-Apr-17
There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between 17:00 - 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, the 8.2.x release includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.
This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain configurations. It requires authenticated user access to exploit. The security release announcement made on April 19th 2017 will make it clear which configurations are affected. If this vulnerability affects your site, you will need to update. Please set aside time on Wednesday to look into this update.
Neither the Security Team, nor Security Team members, nor any Drupal-related company are able to release any more information about this vulnerability until the announcement is made in accordance with our security policies and responsible disclosure best practices.
We provide pre-release warnings when we believe the security risk is high and the steps to exploit are scriptable.
Drupal 7 core is not affected by this issue.
Contact and More Information
The Drupal security team can be reached at security at Drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity.
Sergio has created many amazing stylized and cartoony renders using mostly Blender. His unique style and fun artworks were crying out for an interview here in BlenderNation, so here goes! Give us an introduction, who are you, how old are you, what do you do, where do you do it? I am Sergio Raposo Fernández. [...]
The post BlenderNation Exclusive Interview - Sergio Raposo Fernández appeared first on BlenderNation.
Yanal Sosak writes: This is one of these short but really helpful tips. In this YDT I will show you how to speed up your sculpting workflow by creating a hotkey for the sculpt mode :).
The post Yan's Daily Tips #105 - Sculpt Mode Hotkey - Blender Tutorial appeared first on BlenderNation.
Here's my latest overview of the best Blender work on Sketchfab this week. And remember: add the #Blender tag if you want me to find your work! Yooka-Laylee - Enjoying the View by essimoon on Sketchfab ''Chrono Trigger'' - Robo by JunSkywa1ker on Sketchfab low poly island by Victor Estivador on Sketchfab Clock Mob by [...]
The post My favourite Blender Art on Sketchfab: 2017, week 16 appeared first on BlenderNation.
Fernan shares a speed modeling session of Bilbo's sword.
Easter is upon us, and the renders are coming! Here is a really cool one I stumbled upon by MACHIN3, creative! What do you guys think are inside the eggs?
Zacharias Reinhardt shares a cool view of his Sci Fi Vehicle. Hi everyone! Here you can see an animation of a sci fi vehicle I created for my Blender artwork "The Journey". The renderings I created nearly a year ago. Now I finally found the time to put them online. Enjoy! ~Zacharias