News reader
Important Security Update: Reset Your Drupal.org Password
The Drupal.org Security Team and Infrastructure Team have discovered unauthorized access to account information on Drupal.org and groups.drupal.org.
This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.
Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps.
- Go to https://drupal.org/user/password
- Enter your username or email address.
- Check your email and follow the link to enter a new password.
- It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.
All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted.
See the recommendations below on additional measures that you can take to protect your personal information.
What happened?
Unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed. We are still investigating and will share more detail when it is appropriate. Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.
The suspicious files may have exposed profile information like username, email address, hashed password, and country. In addition to resetting your password on Drupal.org, we are also recommending a number of measures (below) for further protection of your information, including, among others, changing or resetting passwords on other sites where you may use similar passwords.
What are we doing about it?
We take security very seriously on Drupal.org. As attacks on high-profile sites (regardless of the software they are running) are common, we strive to continuously improve the security of all Drupal.org sites.
To that end, we have taken the following steps to secure the Drupal.org infrastructure:
- Staff at the OSU Open Source Lab (where Drupal.org is hosted) and the Drupal.org infrastructure teams rebuilt the production, staging, and development webheads, and grsecurity-hardened (GRSEC) kernels were added to most servers
- We are scanning and have not found any additional malicious or dangerous files and we are making scanning a routine job in our process
- There are many subsites on Drupal.org including older sites for specific events. We created static archives of those sites.
We would also like to acknowledge that we are conducting an investigation into the incident, and we may not be able to immediately answer all of the questions you may have. However, we are committed to transparency and will report to the community once we have an investigation report.
If you have any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to password@association.drupal.org. We regret this occurred and want to assure you we are working hard to improve security.
Thank you,
Holly Ross
Drupal Association Executive Director
The Drupal.org Security Team and Infrastructure Team have identified unauthorized access to user information on Drupal.org and groups.drupal.org, which occurred via third-party software installed on the Drupal.org server infrastructure.
What information of mine was exposed?
The information includes username, email address, hashed passwords, and country for some users. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.
Was my credit card information exposed?
We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.
Were projects or hosted drupal.org code altered?
We have no evidence to suggest that an unauthorized user modified Drupal core or any contributed projects or packages on Drupal.org. Software distributed on Drupal.org is open source and bundled from publicly accessible repositories with log histories and access controls.
Does this affect my own Drupal site?
This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. However, we recommend that you follow best practices and follow any security notices from Drupal.org or third party integrations to keep your site safe. Resources include the following sites:
- https://drupal.org/security
- https://drupal.org/writing-secure-code
- https://drupal.org/security/secure-configuration
Unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed. We are still investigating and will share more detail when it is appropriate.
What has been done to prevent this type of unauthorized access in the future?
There have been several infrastructure and application changes including:
- The OSU Open Source Lab (the group that hosts the Drupal.org servers) and the infrastructure teams rebuilt the production, staging, and development webheads
- grsecurity-hardened (GRSEC) kernels were added to most servers
- An anti-virus scanner was run over the file servers, and is now run routinely to detect malicious files being uploaded to the Drupal.org servers
- We hardened our Apache web server configurations
- We made static archives of any site that has been end-of-lifed and will not be updated in the future
- Sites that were no longer going to receive feature or content updates were converted to static copies to minimize maintenance
- We removed old passwords on sub-sites and non-production installations
At this point there is no information to share.
What is the security team doing to investigate the unauthorized access?
We have a forensics team made up of both Drupal Association staff and trusted community volunteers who are security experts investigating.
How is my Drupal.org password protected?
Passwords on Drupal.org are stored in a hashed format. Currently, passwords are both hashed and salted using multiple rounds of hashing (based on PHPass). Passwords on some subsites were not salted.
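The following Python is an added illustration of the scheme described above, not code from Drupal.org or from the Drupal project. It reimplements the publicly documented Drupal 7 "$S$" password format (a PHPass-derived design: a random 8-character salt, 2^count iterations of SHA-512, and a custom base64 alphabet, truncated to 55 characters) alongside the unsalted MD5 form that older Drupal sites stored, which is the most likely meaning of "not salted" in the notice (an inference, not a statement from the page). The function and constant names, the sample password, and the 6-byte salt source are this example's own choices; the default iteration exponent 15 and the 55-character hash length match Drupal 7's defaults.

```python
"""Drupal 7 style salted, iterated password hashing versus legacy unsalted MD5.

Added example: reimplemented from the publicly known Drupal 7 algorithm,
not copied from Drupal.org. Names and sample data below are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55            # stored hashes are truncated to 55 characters
DEFAULT_COUNT_LOG2 = 15     # 2**15 = 32768 SHA-512 rounds (Drupal 7 default)
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def phpass_b64(data: bytes) -> str:
    """PHPass custom base64: packs 3 input bytes into 4 chars, little-endian."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)


def make_setting(count_log2: int = DEFAULT_COUNT_LOG2,
                 salt_bytes: Optional[bytes] = None) -> str:
    """12-char setting string: '$S$' + one char encoding log2(rounds) + 8-char salt."""
    count_log2 = max(MIN_COUNT_LOG2, min(MAX_COUNT_LOG2, count_log2))
    if salt_bytes is None:
        salt_bytes = os.urandom(6)   # 6 random bytes encode to exactly 8 salt chars
    return '$S$' + ITOA64[count_log2] + phpass_b64(salt_bytes)


def crypt_sha512(password: str, setting: str) -> Optional[str]:
    """Salted, iterated SHA-512. Returns None for a malformed setting string."""
    if len(password) > 512:          # refuse huge passwords (hashing-cost DoS guard)
        return None
    setting = setting[:12]           # first 12 chars of a stored hash are its setting
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):     # the "multiple rounds" that slow down cracking
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + phpass_b64(digest))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """Fresh random salt each call, so equal passwords give different hashes."""
    return crypt_sha512(password, make_setting(count_log2))


def check_password(password: str, stored: str) -> bool:
    """Verify against a '$S$' hash; salt and cost are read back from the stored value."""
    if not stored.startswith('$S$'):
        return False                 # '$P$'/'$H$'/md5 legacy forms are not handled here
    computed = crypt_sha512(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def legacy_md5(password: str) -> str:
    """What an unsalted subsite stored: md5(password), identical for equal passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def classify(stored: str) -> str:
    """Sort stored hashes by strength so a defender can prioritise forced resets."""
    if stored.startswith('$S$') and len(stored) == HASH_LENGTH:
        return 'sha512-salted-iterated'
    if stored[:3] in ('$P$', '$H$'):
        return 'md5-phpass-salted'
    if len(stored) == 32 and all(c in '0123456789abcdef' for c in stored):
        return 'unsalted-md5'
    return 'unknown'


if __name__ == '__main__':
    # Constructed sample: two accounts that chose the same password.
    pw = 'correct horse battery staple'
    print(hash_password(pw))             # differs on every call because the salt differs
    print(hash_password(pw))
    print(legacy_md5(pw) == legacy_md5(pw))   # True: one precomputed table cracks both
    print(classify(hash_password(pw)), classify(legacy_md5(pw)))
```

The practical point for a defender triaging a dump like this one is in classify(): a "$S$" hash forces an attacker to spend 2^15 SHA-512 rounds per guess per user, while an unsalted MD5 lets one lookup table crack every user who shares a password, which is why the unsalted subsite hashes deserve the earliest forced reset.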
Who maintains the Drupal.org site?
The Drupal Association is responsible for maintaining the site, with the assistance of many trusted Drupal community volunteers.
How can I delete my profile rather than create a new password?
Please email password@association.drupal.org with the request.
What else can I do to protect myself?
First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are salted and hashed. Some older passwords on some subsites were not salted. To make your password more secure:
- Do not use passwords that are simple words or phrases
- Never use the same password on multiple sites or services
- Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).
Second, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by e-mail. Also, beware of emails that threaten to close your account if you do not take the "immediate action" of providing personal information.
Although we do not store credit card information, as a precaution we recommend you closely monitor your financial accounts if you made a transaction on association.drupal.org or if you use a password with your financial institution that is similar to your Drupal.org password. If you see unauthorized activity (in the U.S.), we also suggest that you submit a complaint with the Federal Trade Commission ("FTC") by calling 1-877-ID-THEFT (1-877-438-4338).
Based on the results of the investigation into this incident, we may update the FAQs and may recommend additional measures for protecting your personal information.
Drupal.org Downtime: May 9th 5PM PDT (0:00 UTC)
Drupal.org and its sub-sites (api.drupal.org, groups.drupal.org, etc) will be going down for 30 minutes Thursday, May 9, 17:00 PDT (May 10, 0:00 UTC). This maintenance window will be used to remove a core hack. Please follow the @drupal_infra twitter account for updates during the downtime and thanks for your patience!
Community Spotlight: Scott Reynen
Scott Reynen has done some fun things in the Drupal community. Some notable examples:
- Coordinated many meetups in Denver ensuring they happen, with interesting topics, and tasty pizza options
- Helped to organize several Drupalcamps in Colorado (which will be June 29th/30 in 2013)
- Presents on various topics at Drupalcamps
- Helps as one of the 3 site maintainers for groups.drupal.org
- Is an active Project Application queue reviewer heavily interested in new-contributor-onboarding and project quality
- Takes care of abandoned projects and ownership requests in the Webmasters queue
- And does a pretty darn good job as the maintainer for modules like @font-your-face.
About 4 years ago, I took a job as a developer with Aten Design Group, where we do mostly Drupal projects. At the time, I was pretty skeptical of content management systems, after frustrating experiences with both WordPress and Joomla. But I quickly grew to appreciate Drupal’s modular architecture.
What do you do with Drupal these days?
Most of my Drupal time is spent building websites for clients. I’m fortunate to be able to work on projects I really care about, like the International Center for Transitional Justice, the National Center for Women & Information Technology, and the United Nations Development Programme. Apart from client work, I use Drupal as a platform to explore new ideas. With a wide variety of code and a huge active community, Drupal serves as a great incubator.
You’re involved with the Drupal community locally and internationally - can you describe some of the things you do and why you like them?
I co-maintain Drupal Groups (groups.drupal.org), deal with abandoned projects on Drupal.org, do some work on project review applications, help organize the local Denver Drupal meetup, actively mentor a few people, and contribute some modules. I think I like all of this because I feel like I’m actively building the future, either through directly improving the web, or by enabling other people to improve the web.
What got you started in the project application review process?
I didn’t go through the application review process to get my own Git (previously CVS) access, and didn’t realize the process existed for a long time. So I think some feeling of debt played a part in my getting involved. But I also believe the future of Drupal depends on people who aren’t yet involved, and the application process, if not handled well, can very easily be a point where we turn away this next generation of contributors.
What are some of your favorite moments from that process?
It’s always nice to get thanks from new contributors for my feedback, or to discover a cool new module before it even has a release. But I think my favorite moment was when klausi arrived. Before that, I felt like I had to stay actively involved or the whole process might fall apart. When klausi started doing a superhuman number of reviews, I could comfortably step away from the queue for a short (or even long) period of time and avoid both catastrophe and burnout.
Read a previous Community Spotlight about Klaus Purer (klausi).
Are there any cool projects you’ve learned about through that process?
Commerce Registration is, I think, a great example of why the review process is important to the wider community. After some quick minor bug fixes in the review process, that project was approved and is now part of the Conference Organizing Distribution, used in every DrupalCon site. And the maintainer has gone on to contribute several other modules, a few to Drupal Commons that will be part of the next version of the Drupal Groups site. A more frustrating project review could have easily meant the Drupal community losing all of this.
What changes do you hope will come in the project review process?
Mostly I think we just need more people with the right mindset. Right now, the “needs review” backlog is gradually disappearing, largely thanks to a lot of new reviewers. I think we just need to keep more of these reviewers involved and make sure they know, as jthorson recently wrote, “the role of reviewers in this process is that of a 'mentor', not 'traffic cop'”.
What is your favorite part about the Drupal community?
It’s rare to hear someone say “I don’t care” in the Drupal community. There’s plenty of work that goes off the rails on passionate debate over what color to paint the bike shed, and that can grow tedious. But our bike sheds are the best-painted on the web (12 coats!), because people really care. I like that.
Tell us a little about your background or things that interest you outside Drupal?
When I was young, I hit myself in the forehead with a boomerang. I wasn’t entirely unfamiliar with the concept, but I’d never had one actually come back. This one did, just as I was turning to see where it had landed. Stitches weren't great back then, so I still have a scar. I still have problems with tools doing what I say rather than what I expect.
7th translation sprint in Brno
So here we have another translation sprint.
What next for the Brno meetups - a survey
We think we need to find out where we stand. We would like to ask you to fill in this short survey about the future of the Brno Drupal meetups.
Drupal pub Brno - 25 April 2013
Spring is here and Drupal is still blooming in the sun, so we would like to invite you to another Drupal pub meetup. As always, the date is in the last week of the month. Everyone is welcome: the experienced, the less experienced, those with no experience, and those who just want to chat.
When: Thursday 25 April 2013 (18:00–23:00)
Where: restaurace U Augustina (Palackého třída 84, Brno)
We will talk not only about Drupal but also about websites where we ran into a problem and eventually managed to solve it.
Intended for: anyone interested in Drupal, or who does not know it yet at all. Level of knowledge and experience does not matter.
Number of places: 12 (currently registered: 2)
Drupal 7.22 released
Drupal 7.22, a maintenance release with numerous bug fixes (no security fixes) is now available for download. See the Drupal 7.22 release notes for a full listing.
Download Drupal 7.22
Upgrading your existing Drupal 7 sites is recommended. There are no major new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.
Security information
We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.
Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.
There are no security fixes in this release of Drupal core.
Bug reports
Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.
Changelog
Drupal 7.22 is a bug fix only release. The full list of changes between the 7.21 and 7.22 releases can be found by reading the 7.22 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.
Update notes
See the 7.22 release notes for details on important changes in this release.
Known issues
#1962780: 500 Internal server error on Apache 1.x servers after updating to Drupal 7.22: Sites running on 1.x versions of the Apache web server may experience errors after updating to Drupal 7.22. (Although Apache 1.x was deprecated by the Apache project several years ago and switching to Apache 2.x is highly recommended, Drupal 7 normally does still run on it.) A patch to fix the problem is available in the above issue, and it has been committed to the 7.x development version so it will be included in the next bug fix release.
Why you should use Drupal, for example for your e-shop
In this article I would like to point out the dark corners of proprietary e-shop solutions and highlight the use of an open source platform that is used by hundreds of thousands of professionals on a great many projects, often highly exposed ones. I will argue here for using Drupal, but these arguments apply to other globally successful professional platforms as well.
Drupal pub Brno - 28 March 2013
We said we would organize a meetup in the new year, and it is almost spring, even if it does not look much like it outside. That certainly will not stop us from seeing each other again after a while, so we are organizing a Drupal pub meetup in the last week of March. Everyone is welcome: the experienced, the less experienced, those with no experience, and those who just want to chat.
When: Thursday 28 March 2013 (18:00–23:00)
Where: restaurace U Augustina (Palackého třída 84, Brno)
What it will be about this time: the topic can be Drupal as well as things happening outside Drupal itself (web design, graphics, etc.)
Intended for: anyone interested in Drupal, or who does not know it yet at all. Level of knowledge and experience does not matter.
Number of places: 15 (currently registered: 8)
Finally? Migrating Drupal.cz to D7?
We have talked about it for a long time. The time has come: we are going to migrate Drupal.cz to Drupal 7.
We are currently working on the migration scripts. This means we are not doing the typical Drupal update.php run on the old database with the new codebase. With a scripted migration we will be able to repeatedly re-import the existing database into our Drupal 7 development version.
Drupal 7.21 released
Update: Drupal 7.22 is now available.
Drupal 7.21, a maintenance release which fixes incompatibilities introduced in the Drupal 7.20 security release, is now available for download. See the Drupal 7.21 release notes for further information.
Download Drupal 7.21
Upgrading your existing Drupal 7 sites is strongly recommended, especially if you encountered problems with Drupal 7.20. There are no new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.
Security information
We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.
Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.
There are no security fixes in this release of Drupal core; however, sites which were unable to upgrade to Drupal 7.20 (or upgraded but made modifications to disable the security fixes included within it) should upgrade to Drupal 7.21 to obtain additional security protection. See the Drupal 7.21 release notes for further information.
Bug reports
Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.
Changelog
Drupal 7.21 is a bug fix only release. The full list of changes between the 7.20 and 7.21 releases can be found by reading the 7.21 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.
Update notes
See the 7.21 release notes for details on important changes in this release.
Known issues
None.
Drupal Sprint Prague - Saturday 9 March
ATTENTION: CHANGE
The sprint is moving to virtual space :) Get in touch with me when you want to do something.
Drupal 8 recently passed successfully into the "Feature Freeze" phase.
