Ticket #693 (closed maintenance: fixed)
Module security updates: February 2014
Reported by: | sam | Owned by: | paul |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Drupal modules & settings | Keywords: | |
Cc: | ed | Estimated Number of Hours: | 0.0 |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 1.0 |
Description (last modified by sam)
Hi Paul
You'll see from this ticket; /trac/ticket/582
That the 6.29 > 6.30 core update patches bugs that don't affect us.
However some recent security updates for modules have been released recently; https://www.transitionnetwork.org/admin/reports/updates
Affected modules are;
ctools;
https://drupal.org/node/2194547
filefield
https://drupal.org/node/2194103
image resizer
https://drupal.org/node/2194063
mimemail
https://drupal.org/node/2205939
webform
https://drupal.org/node/2194181
The ctools & webform ones look like ones we should get on top of soonish, the mimemail one looks like it could be a pain.
Are you up for testing the updates on your local box? We can then figure out how to roll them out to the live site.
Thanks
Sam
Change History
comment:2 Changed 3 years ago by paul
Hi, Sam,
I'll test these updates over the weekend and update the ticket on Monday
comment:3 Changed 3 years ago by paul
Update.
I'll test these Monday afternoon and update the ticket. Hopefully we can update the server before the end of Monday.
comment:4 in reply to: ↑ description Changed 3 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 0.0 to 0.75
I have put all the code under git version control on my localhost so that I can always go back in time :)
Replies given inline ..
Replying to sam:
Hi Paul
You'll see from this ticket; /trac/ticket/582
That the 6.29 > 6.30 core update patches bugs that don't affect us.
I haven't looked at that ticket, as I noticed that we are already on 6.30
However some recent security updates for modules have been released recently; https://www.transitionnetwork.org/admin/reports/updates
Affected modules are;
ctools;
https://drupal.org/node/2194547
The new release also provides a patch for cleanstring.inc, that overrides the patch that was applied to the previous version.
After switching to the new version of ctools, and clicking around, I couldn't see the problems:
Constant CTOOLS_PREG_CLASS_ALNUM in includes/cleanstring.inc contains \x{d800}- which is ill-formed code point. PHP issues this warning:
Warning: preg_match(): Compilation failed: disallowed Unicode code point (>= 0xd800 && <= 0xdfff) at offset 1811 in ctools_cleanstring() (line 157 of /srv/http/XXXX/www/sites/all/modules/contrib/ctools/includes/cleanstring.inc)
reported in watchdog. I have updated the makefile on my localhost.
Here are the changes for includes/cleanstring.inc that come with the latest version of ctools:
diff --git a/sites/all/modules/contrib/ctools/includes/cleanstring.inc b/sites/all/modules/contrib/ctools/includes/cleanstring.inc
index 324d070..027def1 100644
--- a/sites/all/modules/contrib/ctools/includes/cleanstring.inc
+++ b/sites/all/modules/contrib/ctools/includes/cleanstring.inc
@@ -56,11 +56,12 @@ define('CTOOLS_PREG_CLASS_ALNUM',
'\x{2108}\x{2109}\x{2114}\x{2116}-\x{2118}\x{211e}-\x{2123}\x{2125}\x{2127}'.
'\x{2129}\x{212e}\x{2132}\x{213a}\x{213b}\x{2140}-\x{2144}\x{214a}-\x{2b13}'.
'\x{2ce5}-\x{2cff}\x{2d6f}\x{2e00}-\x{3005}\x{3007}-\x{303b}\x{303d}-\x{303f}'.
-'\x{3099}-\x{309e}\x{30a0}\x{30fb}\x{30fd}\x{30fe}\x{3190}-\x{319f}\x{31c0}-'.
-'\x{31cf}\x{3200}-\x{33ff}\x{4dc0}-\x{4dff}\x{a015}\x{a490}-\x{a716}\x{a802}'.
-'\x{a806}\x{a80b}\x{a823}-\x{a82b}\x{e000}-\x{f8ff}\x{fb1e}\x{fb29}\x{fd3e}'.
-'\x{fd3f}\x{fdfc}-\x{fe6b}\x{feff}-\x{ff0f}\x{ff1a}-\x{ff20}\x{ff3b}-\x{ff40}'.
-'\x{ff5b}-\x{ff65}\x{ff70}\x{ff9e}\x{ff9f}\x{ffe0}-\x{fffd}');
+'\x{3099}-\x{309e}\x{30a0}\x{30fb}-\x{30fe}\x{3190}-\x{319f}\x{31c0}-\x{31cf}'.
+'\x{3200}-\x{33ff}\x{4dc0}-\x{4dff}\x{a015}\x{a490}-\x{a716}\x{a802}\x{a806}'.
+'\x{a80b}\x{a823}-\x{a82b}\x{e000}-\x{f8ff}\x{fb1e}\x{fb29}\x{fd3e}\x{fd3f}'.
+'\x{fdfc}-\x{fe6b}\x{feff}-\x{ff0f}\x{ff1a}-\x{ff20}\x{ff3b}-\x{ff40}\x{ff5b}-'.
+'\x{ff65}\x{ff70}\x{ff9e}\x{ff9f}\x{ffe0}-\x{fffd}');
+
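Review bot: In the first added line, `\x{30fb}\x{30fd}\x{30fe}` becomes the range `\x{30fb}-\x{30fe}`, which also puts U+30FC into CTOOLS_PREG_CLASS_ALNUM; that is the only character-level change in this hunk, the rest being re-wrapped lines plus a trailing blank line. None of the changed lines contains a `\x{d800}` escape, so this hunk alone does not show the surrogate range from the watchdog warning being removed; check the remainder of the constant in the new release before treating the warning as fixed.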
filefield
https://drupal.org/node/2194103
Already patched.
image resizer
https://drupal.org/node/2194063
Already patched.
mimemail
https://drupal.org/node/2205939
Come back to this one later, as it sounds tricky.
webform
https://drupal.org/node/2194181
Already patched.
The ctools & webform ones look like ones we should get on top of soonish, the mimemail one looks like it could be a pain.
Are you up for testing the updates on your local box? We can then figure out how to roll them out to the live site.
Thanks
Sam
I think I need to look again at the wiki pages to see how to get the latest version of the makefile on the server, and the process of staging and pushing changes through to production.
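As an added example (not part of the ticket and not ctools code), the following check scans a PCRE character class written as concatenated PHP string literals, as in the diff above, and reports any `\x{...}` escape in the surrogate block U+D800 to U+DFFF that the quoted warning complains about. The function names and both sample strings are constructed for illustration; the offsets it reports are positions in the joined class string.

```python
import re

# One PCRE \x{hhhh} escape as written inside the PHP string literals.
ESCAPE = re.compile(r"\\x\{([0-9a-fA-F]+)\}")
SURROGATES = range(0xD800, 0xE000)  # U+D800..U+DFFF


def join_php_literals(value_src):
    """Join single-quoted PHP literals chained with '.' into one string,
    so a range whose two ends sit on different source lines stays intact."""
    return "".join(re.findall(r"'([^']*)'", value_src))


def surrogate_escapes(value_src):
    """Return (offset, escape, next_char) for every surrogate escape.

    next_char is '-' when the escape opens a range. Only the escapes
    themselves are checked, which is what the warning reports.
    """
    cls = join_php_literals(value_src)
    hits = []
    for m in ESCAPE.finditer(cls):
        if int(m.group(1), 16) in SURROGATES:
            hits.append((m.start(), m.group(0), cls[m.end():m.end() + 1]))
    return hits


# Constructed samples, NOT the real ctools constant.
BROKEN = r"""
'\x{a823}-\x{a82b}\x{d800}-'.
'\x{f8ff}\x{fb1e}'
"""
FIXED = r"""
'\x{a823}-\x{a82b}\x{e000}-'.
'\x{f8ff}\x{fb1e}'
"""

if __name__ == "__main__":
    for name, src in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        hits = surrogate_escapes(src)
        print(name, "ok" if not hits else hits)
```

Run against the value part of the `define()` in `includes/cleanstring.inc` before and after the module update, an empty result on the new version confirms the class no longer names a surrogate code point.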
comment:5 Changed 3 years ago by sam
Hi Paul
Thanks for this.
I was going to have a go at building a stg.tn.org on Aegir using your new Makefile to do a bit of testing.
Could you stick it on your github and I'll have a go?
https://github.com/paulbooker/transitionnetwork.org-d6.profile
Thanks
Sam
comment:6 Changed 3 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.75 to 1.0
Hi Sam,
Pushed the changes to Github.
Would you document what you do or advise what part of the wiki you followed?
comment:7 Changed 3 years ago by paul
If you have any problems building a stage environment, let me know, and I'll see if I can help.
Best, Paul
comment:10 Changed 3 years ago by sam
Resolved via /trac/ticket/712