To subscribe to email notifications, create an account on support.bryght.com and then visit your email subscriptions page and add the "Security Announcements" category to your subscriptions. You can also subscribe to an RSS feed of security announcements.
Since about 2a.m. this morning, all Bryght Light Drupal 5 sites are running Drupal 5.6.
Last night the Drupal project released a security and bug fix release (full release notes), and today we're releasing a new tag which includes the fixes and the backport of the Watchdog hook patch. The new tag is 2008-01-11s. We have notes on updating your current version at our instructions for maintaining tagged releases on your VPS. We have not yet released this to hosted service customers, but we intend to do so very soon, and we will post that here when we do. The release adds no new features or modules, but we did update our backport for the Watchdog hook and released the updated patch to Drupal.org (5.6-specific backport).
The release notes recommend that if the register_globals setting in php.ini is set to On, you set it to Off immediately. Bryght VPS servers come with this setting Off by default, so you probably do not have to change anything. If you think you need to change the setting, however, log in to your VPS via SSH, type sudo nano /etc/php.ini and change the setting in the configuration file.
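The check described above can be scripted rather than done by eye. The following is an added example, not part of the Bryght announcement or the Drupal release notes; the function names and the sample file contents are hypothetical, and it assumes the usual php.ini rules (";" starts a comment, the last uncommented assignment wins).

```shell
#!/bin/sh
# Added example: report the effective register_globals value in a php.ini file.
# Assumed php.ini parsing rules: ";" starts a comment, the last uncommented
# assignment wins, and On/1/True/Yes (any case) all mean enabled.
# An absent directive counts as "off" (the PHP default since 4.2.0).

register_globals_state() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # strip CR and leading blanks
        /^;/ { next }                             # commented-out line
        /^register_globals[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)         # keep the text after "="
            sub(/[ \t]*(;.*)?$/, "", val)         # drop trailing comment/blanks
            gsub(/"/, "", val)                    # tolerate quoted values
            state = tolower(val)                  # later lines override earlier
        }
        END {
            if (state ~ /^(on|1|true|yes)$/) print "on"; else print "off"
        }
    ' "$1"
}

# Constructed sample: a commented-out "Off" followed by a live "On".
sample_ini() {
    printf '%s\n' \
        '[PHP]' \
        '; register_globals = Off' \
        'register_globals = On   ; legacy application needs this' \
        'memory_limit = 64M'
}

# Pass a path such as /etc/php.ini as the first argument; with no argument
# the script falls back to the constructed sample above.
ini="${1:-}"
if [ -z "$ini" ]; then
    ini=$(mktemp) && sample_ini > "$ini"
    trap 'rm -f "$ini"' EXIT
fi
echo "register_globals is $(register_globals_state "$ini") in $ini"
```

The commented-out line in the sample is the case a quick grep gets wrong: the file mentions "Off", but the effective setting is On.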
This release does not have any database updates, but it's still a good idea to back up your site before you run the update.php script. It's all in our instructions for maintaining your version of Drupal 5 on your VPS. The error for Google Analytics in the status log still persists; the fix is still to configure the module in Administer » Settings » Google Analytics.
Since about 3a.m. this morning, all Bryght Light Drupal 5 sites are running Drupal 5.5.
Today we're releasing a new tag for the Bryght Basic profile. The new tag is 2007-12-06s. It includes a fix for a security advisory and bug fixes that came with Drupal 5.4 and the critical bug fix that comes with Drupal 5.5. As we have with previous releases on the Drupal 5 platform, we've included the Syslog/Watchdog hook patch and will update the patch shortly to the issue on Drupal.org. To update your server's installation, follow our instructions on maintaining tagged releases.
Some notes about this new tag:
The error message for Google Analytics noted in the release notes for our previous tag still persists.
As per the Drupal 5.3 announcement, we've released tag 2007-10-24s. The update contains security patches and minor bug fixes to the Drupal core. There are no changes to or additions of modules since the previous tag.
This release does not have any database updates, but it's always a good idea to back up your site and then run the update.php script, just in case you missed some the last time around. It's all in our instructions for maintaining your version of Drupal 5 on your VPS.
Note that if you see a Google Analytics error at Administer (top menu) » logs » Status report, i.e. "Google Analytics module has not been configured yet. Please configure its settings from the Google Analytics settings page.", you can fix this by turning off the Google Analytics module (if you don't use it) or by clicking Administer (top menu) » Site configuration » Google Analytics. See our documentation on the Google Analytics module for help in configuring it for your site.
As per the security announcement regarding a cross-site scripting vulnerability in the Node Reference module, we've released tag 2007-08-15s. Yes, the lowercase 's' breaks with our previous practice of using uppercase: 'S' looks too much like '5', especially since today's date is the 15th.
We've also updated the Calendar module to 1.5. Note that if you see a "user warning" error that relates to the calendar_ical table missing when running update.php, you can safely disregard that error. See the bug report on Drupal.org and the subsequent commentary for more information. Briefly, there are no longer any database tables required for the Calendar ICal module. If the tables never existed in your database, the update.php script still attempts to remove them, resulting in the error message.
This release contains database updates, so make sure to back up your database and then run the update.php script. It's all in our instructions for maintaining your version of Drupal 5 on your VPS.
This afternoon we are releasing new functionality, bug fixes and security patches to our release of the Bryght Basic profile for VPS customers as part of the 2007-07-31 tag. While we haven't made any configuration changes, we've added the OpenID module, for logging into multiple sites (more information about OpenID), Drupal or otherwise; the Persistent Login module, which adds a "Remember me" checkbox at the bottom of the user login box; and the FeedBurner module (more information about FeedBurner and its services), so you can redirect your RSS feeds to FeedBurner to keep track of statistics and add other features the service provides. Documentation on setting up and using those modules is forthcoming.
We have not yet deployed these changes for Bryght Lite hosted service customers.
The tag includes the official Drupal 5.2 release, which incorporates some security patches—see below for some special instructions regarding settings.php—and various bug fixes. Also, VPS customers can send Drupal system messages to Syslog, which lets you route them to a log file or to another monitoring service. (System messages can still be logged in the database using the new "Database logging" module.)
Update: those who retrieved the tag last night will want to run svn update, as we added some very minor fixes to the .info files of some of the modules.
For Bryght Hosting VPS customers, we've made available the latest Drupal security releases. Follow the instructions for updating to a new SVN tag, using the tag 2007-01-29S.
For fully hosted Bryght Light customers, these updates are of course rolled out automatically.
We've updated our servers to incorporate the fixes as per the latest security advisory. Please see James' post on Bryght.com for more information.
While this was an on-the-fly update, some sites that had the blogapi module enabled experienced downtime this morning because of unrelated updates included in the security patch. This has been corrected and all sites are online.
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License. This license applies to all text written by Bryght. All others retain full copyright to their text.