Issue 161 - October 23rd, 2014
A major security flaw (SA-CORE-2014-005) was fixed last week in the Drupal 7.32 release. If you haven't upgraded your Drupal 7 sites by now, your unpatched Drupal sites could be compromised. Drupalize.me has written up a guide to assist with upgrading. If you have a Drupal 7 site, I would also recommend looking at this logic tree from @BevanR.
"Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users."
"Upgrading your existing Drupal 7 is strongly recommended. There are no new features or non-security-related bug fixes in this release."
From Our Sponsor
We are so excited about the release of D8 beta! Have you been testing it out? Drupal 8 is completely supported by Dev Desktop and Acquia Cloud Free. Experiment, explore, and test Drupal 8 with the suite of tools that you deserve. Sign up for Acquia Cloud Free to start developing with D8 today!
Why it's time for dev shops to start offering support, and how to get there.
Paul Johnson discusses how we can encourage new contributors to Drupal in the context of Dries' keynote at DrupalCon Amsterdam.
A great article from Gábor Hojtsy. Here's a great quote. "In short, hard power and a volunteer based open source community are not compatible on the long run. You either need to lose the volunteerism or gain soft power which authority does not help you with."
Pantheon's Josh Koenig shares the attacks they have been seeing on Drupal 7 sites in the first 24 hours after Drupal SA 2014-005 was announced.
Blink Reaction shares how they are investing in Drupal 8. Very cool.
Amitai Burstein discusses an Angular-based administrative project called ng-admin.
Matt Korostoff walks through his first Drupal 8 site setup. Great and informative post.
Every Friday at noon Pacific (3pm New York, 9pm Berlin, 6am Saturday in Sydney) chx will be in #drupal-contribute helping people fix critical issues.
This is not a module; it's a Drush command that checks for known indications that your site has been exploited through the vulnerability fixed in SA-CORE-2014-005.
Site Audit is a Drupal static site analysis platform that generates reports with actionable best practice recommendations.
The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.
This module scans the currently installed Drupal, contributed modules and themes, re-downloads them and determines if they have been changed. Changes are marked clearly and if the diff module is installed then Hacked! will allow you to see the exact lines that have changed.
An interesting new module from studio.gd.
Bryan Ollendyke has created a fork of Pressflow. He includes some interesting charts and performance numbers in this post.
Wanna get the word out about your great Drupal job? Get your job in front of hundreds of Drupal job seekers every day at Jobs.Drupal.Org.
Other Media London/GB
Howard Hughes Medical Institute (HHMI) Chevy Chase/MD/US