Scheduled -

Who is affected: GovCMS Drupal D9 community

Advice
GovCMS released the Drupal 9 (D9) distribution on Friday 21 January 2022. Deployment is scheduled to commence from Monday 24 January 2022 and will be conducted throughout the daytime and into the evening.
It addresses a recent security advisory issued by Drupal.org. GovCMS assessed the moderately critical risks as they applied to D9 distribution, subsequently the security risks remained moderately critical.
No outages are expected to websites during the deployment process.

What is included in the update?

* Drupal Core from 9.2.9 to 9.2.10 - https://www.drupal.org/project/drupal/releases/9.2.10
* Simple OAuth module from 5.0.5 to 5.2.0 - https://www.drupal.org/project/simple_oauth/releases/5.2.0, https://www.drupal.org/sa-contrib-2022-002
* Devel module from 4.1.1 to 4.1.3 - https://www.drupal.org/project/devel/releases/4.1.3
* Honeypot module from 2.0.1 to 2.0.2 - https://www.drupal.org/project/honeypot/releases/2.0.2
* Key module from 1.14 to 1.15.0 - https://www.drupal.org/project/key/releases/8.x-1.15
* Layout Builder Restrictions module from 2.9 to 2.11.0 - https://www.drupal.org/project/layout_builder_restrictions/releases/8.x-2.11
* Search API module from 1.20.0 to 1.21. - https://www.drupal.org/project/search_api/releases/8.x-1.21
* Swiftmailer module from 2.0.0 to 2.2.0 - https://www.drupal.org/project/swiftmailer/releases/8.x-2.2
* Swiftmailer library from 6.2.7 to 6.3.0 - https://github.com/swiftmailer/swiftmailer/releases/tag/v6.3.0
* Token module from 1.9.0. to 1.10.0 - https://www.drupal.org/project/token/releases/8.x-1.10

What modules are added/removed in the distribution?
Nothing was added/removed from the distribution


What support will be provided after these update?
The D9 distribution will continue to be supported after this update.

What actions must my organisation do now?

SaaS customers
All customers will need to check their site after the deployment to ensure there aren’t any issues.
!!! Important notice for customers with configuration management enabled
Once the deployment is completed you will need to export the new configurations files and commit them back to master. Deployments to all websites should be completed by 9am Tuesday 25 January 2022, you can confirm this at https://status.govcms.support



PaaS customers
If you use the GovCMS D9 distribution. You should aim to apply this update to your distribution as soon as possible.
Updated files released on Friday 21 January 2022 and are available from https://github.com/govCMS/GovCMS/releases/tag/2.8.0

More information

If you have any concerns, raise a ticket at https://www.govcms.support. Alternatively subscribe above to keep up to date with GovCMS notifications.
Jan 24, 09:57 AEDT

Scheduled - We are conducting regular maintenance on our systems.
Jan 18, 07:00 AEDT

Scheduled - We are conducting regular maintenance on our systems.
Jan 11, 07:00 AEDT

Scheduled -

Who is affected: GovCMS Drupal 7 (D7) community

Advice
The latest GovCMS Drupal 7 (D7) distribution was released on 14 January 2022. Deployment is scheduled on 17 January 2022 and will be conducted throughout the daytime and into the evening. 


It addresses a recent moderately critical security advisory issued by Drupal.org. GovCMS assessed this risk as it applied to D7 distribution. Subsequently the security risk remained moderately critical. 
No outages are expected to websites during the deployment process. 

What is included in the update?
This release contains: WYSIWYG Module from 7.x-2.7 to 7.x-2.9


Description: SA-CONTRIB-2022-003 
 
The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a text area. If the editor used has an XSS vulnerability this would allow for example a commenter to put specially crafted markup which could trigger the vulnerability when viewed in the editor by an administrator. 
 
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content using a text format with an attached and XSS vulnerable rich text editor. 
See: Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003 | Drupal.org


What does the update remove from the GovCMS D7 distribution?
Nothing will be removed from the distribution in this update. 


What support will be provided for the GovCMS D7 distribution?
The GovCMS D7 distribution will continue to be supported after this update. 


 
Actions


SaaS customers
 All customers will need to check their site after the deployment to ensure there aren’t any issues.  
 
PaaS customers
Review the detailed information about this update.  

• If you manage your own distribution: this issue should have been assessed and addressed. 
  
• If you use the GovCMS distribution: we released the GovCMS D7 distribution on 14 January 2022. You should aim to apply this update to your distribution as soon as possible.  
  
• Updated files are available from: 
   Drupal.org: 
https://www.drupal.org/project/govcms/releases/7.x-3.25 
  Github.com 
https://github.com/govCMS/GovCMS7/releases/tag/7.x-3.25 
  

More information
If you have any concerns, raise a ticket at https://www.govcms.support. Alternatively subscribe above to keep up to date with GovCMS notifications.
Jan 17, 11:17 AEDT