Project:
Date: 2018-April-18
Vulnerability: Cross Site Scripting
Description:
image2 plugin (which Drupal 8 core also uses).
We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.
Solution:
- If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
- The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
More and more developers are choosing content-as-a-service solutions known as decoupled CMSes, and due to this trend, people are asking whether decoupled CMSes are challenging the market for traditional CMSes.
By nature, decoupled CMSes lack end-user front ends, provide few to no editorial tools for display and layout, and as such leave presentational concerns almost entirely up to the front-end developer. Luckily, Drupal has one crucial advantage that propels it beyond these concerns of emerging decoupled competitors.
Join Dries Buytaert, founder of Drupal and CTO at Acquia, as he shares his knowledge on how Drupal has an advantage over competitors, and discusses his point-of-view on why, when, and how you should implement decoupled Drupal.
Dries will touch on:
- His thoughts on decoupled CMSes - where is the CMS market headed and when?
- His opinion on whether decoupled CMSes will replace traditional CMSes
- The advantages of decoupled Drupal vs. emerging decoupled competitors
- Considerations when determining if decoupled Drupal is right for your project
CHAIRMAN, CHIEF TECHNOLOGY OFFICER, ACQUIA, INC.
Dries Buytaert is an open source developer and technology executive. He is the original creator and project lead for Drupal, an open source platform for building websites and digital experiences. Buytaert is also co-founder and chief technology officer of Acquia, a venture-backed technology company. Acquia provides an open cloud platform to many large organizations, which helps them build, deliver and optimize digital experiences. A Young Global Leader at the World Economic Forum, he holds a PhD in computer science and engineering from Ghent University and a Licentiate in Computer Science (MSc) from the University of Antwerp. He was named CTO of the Year by the Massachusetts Technology Leadership Council, New England Entrepreneur of the Year by Ernst & Young, and a Young Innovator by MIT Technology Review. He blogs frequently on Drupal, open source, startups, business, and the future at dri.es.
The rapid evolution of diverse end-user clients and applications has given rise to a dizzying array of digital channels to support.
Websites in the past were built from monolithic architectures utilizing web content management solutions that deliver content through a templating solution tightly “coupled” with the content management system on the back-end.
Agile organizations crave flexibility, and strive to manage structured content across different presentation layers consistently in a way that’s scalable.
Accomplishing this efficiently requires that teams have flexibility in the front-end frameworks that dominate the modern digital landscape. That’s why decoupled and headless CMS is taking off. That’s why you’re here. But now you need the right technology to support the next phase of the web and beyond.
Project:
Date: 2018-March-28
Vulnerability: Remote Code Execution
Description:
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The security team has written an FAQ about this issue.
Solution:
Upgrade to the most recent version of Drupal 7 or 8 core.
- If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
- If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.
Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.
- If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch.
- If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this patch.
This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.
This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.
Reported By:
- Jasper Mattsson
Fixed By:
- Samuel Mortenson, Provisional Drupal Security Team member
- David Rothstein of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Pere Orga of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Cash Williams of the Drupal Security Team
- Daniel Wehner
- Tim Plunkett
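The two advisories above give their fixes as minimum releases per branch (7.58; 8.3.9, 8.4.6, 8.5.1 for the March remote code execution issue; 8.5.2 and 8.4.7 for the April CKEditor cross-site scripting issue), with older Drupal 8 minors told to move forward and Drupal 6 referred to a D6LTS vendor. The following is an added triage script, not part of either advisory, that encodes exactly those Solution sections so a fleet of reported Drupal core version strings can be sorted into fixed, affected, unsupported and out-of-scope. The advisory labels, function names and the sample inventory are this example's own; the release numbers are the ones stated above.

```python
"""Added example: triage Drupal core version strings against the two
advisories on this page.  Minimum fixed releases are taken from the
Solution sections; labels, function names and sample data are assumed."""
import re
from typing import Dict, Tuple

ADVISORY_RCE = "2018-03-28 remote code execution"
ADVISORY_XSS = "2018-04-18 cross site scripting (CKEditor image2)"

# Minimum fixed release per supported branch, as stated in each advisory.
FIXED_RELEASES: Dict[str, Dict[str, str]] = {
    ADVISORY_RCE: {"7.x": "7.58", "8.3.x": "8.3.9", "8.4.x": "8.4.6", "8.5.x": "8.5.1"},
    ADVISORY_XSS: {"8.4.x": "8.4.7", "8.5.x": "8.5.2"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'8.4.5' -> (8, 4, 5, 0); '7.57' -> (7, 57, 0, 0).  A pre-release such as
    '8.5.0-rc1' gets a trailing -1 so it sorts below the final 8.5.0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if pre else 0)


def branch_of(v: Tuple[int, int, int, int]) -> str:
    """Drupal 7 is versioned 7.NN (a single branch); 8+ uses MAJOR.MINOR branches."""
    return "7.x" if v[0] == 7 else f"{v[0]}.{v[1]}.x"


def triage(version: str, advisory: str) -> str:
    v = parse_version(version)
    fixes = FIXED_RELEASES[advisory]
    major = v[0]
    if major < 8 and "7.x" not in fixes:
        # The XSS advisory covers the CKEditor library shipped in Drupal 8 core;
        # Drupal 7 sites get CKEditor from the contrib module instead.
        return "not covered: advisory concerns the CKEditor library shipped in Drupal 8 core"
    if major < 7:
        return "end of life: no core fix; Drupal 6 sites need a D6LTS vendor"
    branch = branch_of(v)
    if branch in fixes:
        if v >= parse_version(fixes[branch]):
            return "fixed"
        return f"affected: upgrade to {fixes[branch]}"
    # No release for this branch.  Older than every patched branch of the same
    # major means an unsupported minor that must move forward; newer means the
    # branch was cut after the fix landed.
    same_major = sorted(parse_version(f) for f in fixes.values() if parse_version(f)[0] == major)
    if same_major and v < same_major[0]:
        newest = ".".join(str(p) for p in same_major[-1][:3])
        return f"affected, unsupported branch: update to {newest} or later"
    return "fixed (branch released after the advisory)"


def triage_all(version: str) -> Dict[str, str]:
    """Status of one version string under every advisory in the table."""
    return {name: triage(version, name) for name in FIXED_RELEASES}


if __name__ == "__main__":
    # Constructed inventory, not real sites.
    inventory = [("intranet", "8.4.5"), ("shop", "7.57"), ("legacy", "8.2.7"), ("blog", "8.5.2")]
    for site, ver in inventory:
        for name, status in triage_all(ver).items():
            print(f"{site:10} {ver:8} {name:50} {status}")
```

Note that a site on 8.4.6 comes back fixed for the March issue but still affected for the April one, which is the point of checking each advisory separately rather than keeping a single "latest safe version" number.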
Contact and more information
The Drupal security team can be reached by email at security at drupal.org or via the contact form.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Thunder is proud sponsor of the Media and Publishing Summit ahead of the DrupalCon in Nashville. Meet us on 9th April and during the DrupalCon to learn more about Thunder and how it is used in professional publishing.
Thunder is the Drupal 8 distribution for professional publishing. Thunder was designed by Hubert Burda Media and released as open-source software under the GNU General Public License in 2016. As members of the Thunder community, publishers, partners, and developers build custom extensions and share them with the community to further enhance Thunder.
Thunder consists of the current Drupal 8 functionality, lots of handpicked publisher-centric modules with custom enhancements (our own Thunder Admin Theme, the Paragraphs module, the Media Entity module, the Entity Browser module, and lots more), and an environment which makes it easy to install, deploy and add new functionality (e.g. the Thunder Updater).
To learn more about Thunder projects, read these case studies: German magazine Mein Schöner Garten (Gardening Magazine for Hubert Burda Media), US magazine American Heritage (American Heritage Magazine Migration – Drupal 8), and Serbian television and radio station PannonRTV (News portal for media house – PannonRTV).
About the idea:
We at the Thunder Core Team believe that publishers do not compete with each other through technology, but rather through content and brands. That is why the German publisher Hubert Burda Media established the Thunder community which aims to join forces among media companies by sharing code and innovation power. The goal is to innovate faster and spend less money overall by working together.
The Thunder community’s core product is the open-source content management system Thunder. Community members develop useful modules, use them for their own purposes and share them with the community by publishing them under the GNU General Public License. Neither Hubert Burda Media nor the other publishers in the community charge anyone for their contributions.
Any company publishing content professionally is welcome as a member of the Thunder community - both as user and as contributor. Anyone can join by contributing to the distribution. The usefulness and richness of Thunder’s functionality directly benefit from the number of contributors.
Why Drupal was chosen:
For Burda, Drupal is the content management platform of choice. It is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License.
The standard Drupal core already provides the essential features, e.g. user management, menu management, RSS feeds, taxonomy, page layout customization, and system administration. It is easily adaptable and extensible with thousands of modules provided by a global community of users and developers. In addition, developers at Hubert Burda Media have had previous good experiences with Drupal. Drupal is therefore a tried and tested basis and has become even better with Drupal 8.
Describe the project (goals, requirements and outcome):
Thunder started as a way to share innovation and synergies among the many different brands and products within the Burda Corporation to save costs and speed up the time to market. It did not take long until we realized that the model that worked within the very diverse Burda universe would be useful for almost all digital publishers. That was when we decided to open source the distribution.
Due to its open source basis on Drupal 8, all features and functionality within Thunder are available to anyone wishing to benefit from Burda’s industry experience. Individual brands can add modules to tailor the system to their specific needs. Many of those “specific” customizations will prove to be valuable to more than just the organizations they originated from. We therefore designed Thunder in a way that we can easily incorporate those add-ons into the main distribution and share the features among all brands.
We aim at becoming the best open-source content management system for professional publishing. In this, we focus on the creation of content. We want to help editors to create articles, to add media, to build landing pages, in short, to share their stories with the world.
We want Thunder to be a CMS jointly developed by its users and are therefore working towards building a community of publishers, IT agencies, and anyone else who shares our ideas and contributes to Thunder.
Our aim in doing so is to stay very close to the Drupal community and the Drupal core instead of creating a Thunder fork. Whenever we want to implement a new functionality or solve a problem, we try to do this in Drupal core or in the modules Thunder uses instead of fixing things in the distribution.
It’s difficult to measure the time spent on the development of Thunder, as this is an ongoing process. Currently, there are four developers employed by Hubert Burda Media working on the distribution full-time, plus several external developers. They focus on the advancement of Thunder as well as Drupal core and the contrib modules used in the distribution. A community manager is working on coordinating and growing the Thunder community of publishers, developers, and other partners.
Timeline and Milestones:
- 30th August 2015: Repository and first commits for Thunder
- September 2015: playboy.de – the first website running on Thunder
- November 2015: instyle.de – the second website running on Thunder as well as proof of concept of the sharing model
- 17th March 2016: Official press release about Thunder
- October 2016: produceretailer.com is the first professional non-Burda website running on Thunder
- 30th January 2017: Release of Thunder 1.0
- March 2017: One year after the official launch of the Thunder initiative, 15 websites (we know of) are running on Thunder.
- 1st June 2017: Release of Thunder 2.0
- 20th July 2017: Release of Thunder Admin Theme
- 20th November 2017: First community event, the Thunder Day in Hamburg
We released Thunder 1.0 in January 2017. One year later, at least 60 professional websites that we know of now run on Thunder. In the meantime, we have also released Thunder 2.0 and the Thunder Admin Theme.
Publishing houses grabbed the idea of working together. The Austrian publisher kurier.at, for example, contributed to the liveblog module used in Thunder and developed a new functionality to split text paragraphs.
In community matters, we talked to more than 300 companies worldwide. We established the “Certified Thunder Integrator” program to help publishers to find IT agencies as well as IT agencies to find customers. As of now, there are more than 20 companies certified or in the certification process.
We aim at bringing people together to share experiences. For this purpose, we introduced a Slack team for the Thunder community as well as several social media accounts. Furthermore, we organized the first community event – the Thunder Day – with around 120 participants in November 2017.
Challenges and how we resolved them:
Distributions such as Thunder face the problem of losing control after the installation. How should a distribution actually deliver features and updates? We thought a lot about this problem and introduced the Thunder Updater, the “Thunder way to keep your site up to date”. Thunder checks if installed configurations have been changed – if not, they can be updated. Otherwise, you will get a message telling you there’s an update pending and what to do if you wish to have it. This functionality is currently an integral part of the distribution but we plan to detach it and publish it as a module on drupal.org soon so that everybody can use it.
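The rule described above (apply a shipped configuration update only when the site's copy is still the untouched default, otherwise leave it pending and say so) is what keeps a distribution update from silently overwriting a site's own changes, including any hardening the site operator made. Below is an added model of that decision in Python; it is not the Thunder Updater's own code (which is PHP) and the config names and values are constructed. The comparison is three-way: the default that was shipped when the site was installed, the site's active config, and the new default being shipped now.

```python
"""Added example, not Thunder's own code: a model of the Thunder Updater
decision.  A new default is applied only when the site's active config still
matches the default it was installed with; otherwise the update is left
pending with a note of which keys differ.  Config names and values are
constructed for illustration."""
import hashlib
import json
from typing import Any, Dict, List, Tuple

Config = Dict[str, Any]


def fingerprint(config: Config) -> str:
    """Stable hash of a config object, independent of key order."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def changed_keys(a: Config, b: Config) -> List[str]:
    """Top-level keys whose values differ between two config objects."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def plan_update(shipped_old: Config, active: Config, shipped_new: Config) -> Tuple[str, Config, List[str]]:
    """Return (status, config_to_store, keys_that_differ).

    'up-to-date'  active already equals the new default; nothing to do
    'applied'     active was untouched since install, so the new default is stored
    'pending'     the site edited this config; keep it and report the differing keys
    """
    if fingerprint(active) == fingerprint(shipped_new):
        return "up-to-date", active, []
    if fingerprint(active) == fingerprint(shipped_old):
        return "applied", shipped_new, changed_keys(shipped_old, shipped_new)
    return "pending", active, changed_keys(active, shipped_new)


def run_updates(updates: Dict[str, Tuple[Config, Config, Config]]) -> Dict[str, str]:
    """Run plan_update for every config name; returns name -> status."""
    results: Dict[str, str] = {}
    for name, (old, active, new) in updates.items():
        status, _stored, keys = plan_update(old, active, new)
        results[name] = status
        if status == "pending":
            print(f"{name}: update pending; site changed {keys}, review before applying")
    return results


# Constructed sample: (default at install time, site's active config, new default).
SAMPLE_UPDATES: Dict[str, Tuple[Config, Config, Config]] = {
    "example.image_styles": (
        {"teaser": {"width": 300}, "hero": {"width": 1200}},
        {"teaser": {"width": 300}, "hero": {"width": 1200}},   # untouched since install
        {"teaser": {"width": 320}, "hero": {"width": 1200}},
    ),
    "example.editor_toolbar": (
        {"buttons": ["Bold", "Italic"]},
        {"buttons": ["Bold", "Italic", "Source"]},              # site added a button
        {"buttons": ["Bold", "Italic", "Link"]},
    ),
    "example.security_headers": (
        {"frame_options": "SAMEORIGIN"},
        {"frame_options": "DENY"},                              # site hardened this itself
        {"frame_options": "DENY"},                              # new default now matches
    ),
}

if __name__ == "__main__":
    print(run_updates(SAMPLE_UPDATES))
```

The third sample is the case worth noticing: the site had already tightened the setting beyond the old default, and because the new default happens to match, nothing is reported. Had the new default been weaker, the same logic would have left the site's hardened value in place and flagged the update as pending instead of downgrading it.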
Writing an Admin Theme is very difficult because Drupal offers so many possibilities to adapt things: If you change something it can have unexpected effects in unexpected places. To avoid surprises, we developed Sharpeye, a visual regression tool. It takes screenshots and compares them in automated tests. This gives us a good overview. We open sourced the tool and you can download it here: github.com/BurdaMagazinOrg/sharpeye
Technical details, tips, and tricks:
We invested a lot of time into automated testing but it was well worth the effort, not only for Thunder but also for Drupal core and the contrib modules we use since we discovered a lot of bugs there too.
We don’t use a closed issue tracker but publish our tickets on drupal.org, thereby creating transparency. We use Github rather than drupal.org for the development because the developer experience is much better.
Key modules/theme/distribution used:
Why these modules/theme/distribution were chosen:
Requirements / Key modules
In professional publishing, it’s all about the story. It has to be easy to create a story, to extend it, to change its narrative strand, and to enrich it with multimedia content. We use the Paragraphs module for this. Instead of putting all their content in one WYSIWYG body field including images and videos, end-users can now choose on the fly between pre-defined Paragraph Types independent from one another. Paragraph Types can be anything you want from a simple text block or image to a complex and configurable slideshow. This allows editors to structure an article into sub-elements which can easily be created, edited, and reorganized.
Editors want to enrich their articles with pictures, videos, content from social media, and whatever else you might think of. Paragraphs are one part of this, the other is the combination of the Media Entity module and the Entity Browser module. With those modules, editors can easily upload new content but also find and reuse existing entities.
Search engine optimization plays a major role in every editor's life. Thunder therefore offers a wide range of adjustable settings, from meta tags for Facebook, Twitter, and Open Graph to a simple XML sitemap.
The editor’s daily life is a lot about planning. With Thunder, you can schedule articles, ensuring they will be published at a given date and time. Even more importantly, you can also schedule the time at which an article or a picture should not be shown on the website anymore, e.g. if the contract period for a photograph has ended or an event announcement isn’t useful anymore.
Improved Authoring Experience
Our primary focus is making the editors’ work with Thunder as easy as possible. In order to achieve this, we created the Thunder Admin Theme based on findings of user tests and a survey conducted with editors working with Thunder.
Detailed Module List
Find a detailed list of the modules we use in Thunder here: burdamagazinorg.github.io/thunder-documentation/modules
Since we get a lot from the Drupal community, we do our best to contribute back, e.g. by fixing the bugs we find through automated tests and by supporting Drupal events and code sprints with developer time, talks, and sponsoring. Christian Fritsch, a member of the Thunder Core Team, contributed a lot of his time to the media initiative. Ingo Rübe, the initiator of Thunder, is a member of the Drupal Association's Board of Directors.
- Daniel Bosen - Lead Developer
- Christian Fritsch - Senior Developer
- Mladen Todorovic - Senior Developer
- Volker Killesreiter - Senior Developer
- Julia Pradel - Community Manager
- Ingo Rübe - Initiator of Thunder
- Collin Müller - Head of Strategic Development