GovCMS D7 update 7.x-3.25 (January 2022)
Scheduled Maintenance Report for GovCMS
Completed
The scheduled maintenance has been completed.
Posted Jan 18, 2022 - 11:20 AEDT
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted Jan 17, 2022 - 11:20 AEDT
Scheduled

Who is affected: GovCMS Drupal 7 (D7) community



Advice
The latest GovCMS Drupal 7 (D7) distribution was released on 14 January 2022. Deployment is scheduled for 17 January 2022 and will be conducted throughout the daytime and into the evening.


It addresses a recent moderately critical security advisory issued by Drupal.org. GovCMS assessed this risk as it applied to the D7 distribution, and the security risk remained moderately critical.
No outages are expected to websites during the deployment process. 


What is included in the update?
This release contains: WYSIWYG module updated from 7.x-2.7 to 7.x-2.9


Description: SA-CONTRIB-2022-003 
 
The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a text area. If the editor used has an XSS vulnerability, this would allow, for example, a commenter to insert specially crafted markup which could trigger the vulnerability when viewed in the editor by an administrator.
 
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content using a text format with an attached, XSS-vulnerable rich text editor.
See: Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003 | Drupal.org


What does the update remove from the GovCMS D7 distribution?
Nothing will be removed from the distribution in this update. 


What support will be provided for the GovCMS D7 distribution?
The GovCMS D7 distribution will continue to be supported after this update. 


 
Actions


SaaS customers
All customers will need to check their site after the deployment to ensure there aren’t any issues.
 
PaaS customers
Review the detailed information about this update.  





More information
If you have any concerns, raise a ticket at https://www.govcms.support. Alternatively, subscribe above to keep up to date with GovCMS notifications.
Posted Jan 17, 2022 - 11:17 AEDT
This scheduled maintenance affected: GovCMS Projects (Individual websites).