Transition Technology: Ticket #785: SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

hours, totalhours changed

paul — Thu, 11 Sep 2014 15:54:35 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.0 to 0.25

owner, status, type changed; milestone set

ed — Thu, 11 Sep 2014 16:06:13 GMT

owner changed from ed to paul
status changed from new to assigned
type changed from defect to maintenance
milestone set to Maintenance

Thanks for asking Paul - component is correct - i've set 'milestone' to maintenance, owner to paul, 'type' to maintenance.

hours, totalhours changed

paul — Thu, 11 Sep 2014 16:29:52 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.25 to 0.5

Thanks Ed.

@Sam @Ed Would you have a quick look over the stage site to confirm that nothing has changed with the breadcrumb trails.

I'll not rebuild the stage / production platforms to accommodate this security update (as before) to a contributed module. Instead I will manually switch the module on the production - as per the stage site - and update the profile on github. This should save us time as building platforms is slow on Aegir.

So, in future I'll only build new platforms, migrate, .. for core releases *but* for updates to contributed module - I'll simply switch in the new module & update the profile on github.

https://booker-stage-20140717.transitionnetwork.org

paul — Thu, 11 Sep 2014 17:19:39 GMT

Sorry,

No update is required.

Custom Breadcrumbs 6.x-2.x versions are NOT affected

paul — Thu, 11 Sep 2014 17:22:24 GMT

If the breadcrumbs are working fine on stage; I'll leave the profile changes so that we later move to supported release for this module.

ed — Fri, 12 Sep 2014 14:58:47 GMT

Looks OK to me.

hours, totalhours changed

paul — Fri, 12 Sep 2014 16:50:03 GMT

hours changed from 0.0 to 0.125
totalhours changed from 0.5 to 0.625

Thanks Ed.

If we have any available cycles this month we could have a look at updating other contributed module to later releases, as newer releases have been known to include security fixes by stealth :(

hours, totalhours changed

paul — Fri, 10 Oct 2014 13:39:25 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.625 to 0.875

@Ed I think we can close this ticket.

Actually there are only a couple of modules that we could explore updating:

Context 6.x-2.1+3-dev to 6.x-3.2 (security update) Views Datasource 6.x-1.0-beta2+5-dev to 6.x-1.0-beta2

For the first module there are some notes from JK: Need to manage change from 2.x branch to 3.x.

The reason there are not many version updates is because every time we build a new platform (for a new release of drupal) we automatically pull in the latest versions of contributed modules - unless a module is pinned to a specific version.

https://booker-stage-20140717.transitionnetwork.org/admin/reports/updates

ed — Fri, 10 Oct 2014 13:45:34 GMT

close away paul - DIY - no need to wait for me :)

status changed; resolution set

paul — Fri, 10 Oct 2014 13:53:36 GMT

status changed from assigned to closed
resolution set to fixed

I got the power ..