Due to the criticality of the security issue and the few commits already committed in the 7.x-2.x branch, the 7.x-2.4 tag was released containing only the security fix compared to the 7.x-2.3 release. This issue is just to make sure that the same patch is applied in 7.x-2.x and included in further module releases.
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | xmlsitemap-2986809-7.patch | 2.62 KB | th_tushar |
| #2 | no-unpublished-nodes-xmlsitemap-2986809-2.patch | 2.51 KB | th_tushar |
Comments
Comment #2
th_tushar (as a volunteer) commented:
Attached is the patch file to fix the security issue.
Comment #4
th_tushar (as a volunteer) commented
Comment #5
Unnikrishnan.K (as a volunteer) commented:
I tried this moderately critical update of xmlsitemap 7.x-2.4 via drush composer require and it fails to update my existing patch "add_support_for_entity_translation-1481798-76.patch" of 7.x-2.3.
The version updated to the new one, but it is throwing "Could not apply patch! Skipping."
Does anyone know the reason for skipping the patch?
Comment #6
grossmann commented:
I ran the patch against 2.3 and got this output
Against which version should I run the patch to get it working?
Are there any plans to release a stable version 2.4 of the module to check out with git / drush?
Comment #7
th_tushar (as a volunteer) commented:
Here, please use the attached patch against the 7.x-2.3 version to fix the security issue. The patch from #2 works for the 7.x-2.x branch.
Comment #8
grossmann commented:
Thank you for the patch. I didn't realize there is a new commit on 2.x. I will now just use the dev version.
Is there a reason not to tag this state as stable 2.4? This was what confused me at the beginning.
Comment #9
th_tushar (as a volunteer) commented:
There is a stable release with this patch. Did you check the release below or the project page?
https://www.drupal.org/project/xmlsitemap/releases/7.x-2.4
Comment #10
grossmann commented:
There is a release with 2.4, but the 2.4 tag is missing in the 2.x branch; see https://cgit.drupalcode.org/xmlsitemap/log/
This way I could not update with drush to 2.4 (using git). See the related issue I added.
Now I can update to dev version 2.x which includes the required commit. I just wondered why this is not tagged as 2.4.
Comment #11
othermachines commented:
Thanks for updating 7.x-2.x branch. This caused me major headaches yesterday as I couldn't easily re-roll necessary patches.
The tag is still missing.
Comment #12
klausi commented:
Security releases should be as small as possible - so 2.4 not including all the other stuff is a good thing.
Now that 2.4 is released it would be a good idea to release 2.5 soon to avoid confusion about what is and isn't released. We should also get #2986847: TypeError: Argument 1 passed to xmlsitemap_node_create_link() must be an instance of stdClass, boolean given in because the security release breaks cron runs in a critical way.
Comment #13
klausi commented:
The git tag for 2.4 is not missing, you can see it at https://cgit.drupalcode.org/xmlsitemap/tag/?id=7.x-2.4
Comment #14
th_tushar (as a volunteer) commented:
Yes @klausi, we should definitely release 2.5 soon. Here is the issue created to discuss the plan, #2986815: Plan to release 7.x-2.5 including #2986847: TypeError: Argument 1 passed to xmlsitemap_node_create_link() must be an instance of stdClass, boolean given.
Comment #15
grossmann commented:
OK, I know there is a 2.4 release but it is not part of the 2.x HEAD branch and therefore drush and git fail to update to 2.4.
Having small security-only fixes would require separate branches for dev and stable / security, which is currently not working if using drush / git, right?
I think most projects are just committing a security fix on the dev branch and tag it with a "stable" version tag (here 2.4). This way drush / git is still working but you get all the dev commits with the security commit.
A solution might be to release the security fix as a patch against latest stable (here 2.3) so people who don't want all the pending dev commits can avoid them by just patching their version.
I don't know if there are any rules or guidelines by the drupal community how to do this.
The #2986847 issue seems to be a critical bugfix release related to this security fix. So I am looking forward to a new 2.5 release.
Thanks for your work.
Comment #16
klausi commented:
The commit has now been on the 7.x-2.x branch for one hour: https://cgit.drupalcode.org/xmlsitemap/log/
You do not have to have a branch for a git commit. The 7.x-2.4 tag was created without a branch.
Comment #17
grossmann commented:
Yeah sure. That's the problem I meant. Releasing just a tag with 2.4 leaves all people using drush / git to update their modules in the dark (which are quite a lot I assume) as the tag is not picked up if not in the HEAD 2.x branch.
This is the output when doing a `drush up xmlsitemap`.
Just for reference: The last 2.3 release from Dave Reid was also a security fix on top of all the dev commits.
https://www.drupal.org/project/xmlsitemap/releases/7.x-2.3
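The situation discussed in comments #10 to #17, a release tag whose commit is not an ancestor of the branch head even though the branch carries the same fix, can be checked locally with stock git. This is an added example, not part of the original thread or the module's code; it builds a constructed scratch repository, and the file contents, commit messages and function names are assumptions.

```shell
#!/bin/sh
# Constructed scratch repository; nothing is fetched from drupal.org.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Rebuild the history from the thread: 7.x-2.3 tagged on the branch, a dev
# commit after it, and 7.x-2.4 tagged on a fix commit that is on no branch.
build_demo_repo() {
  repo=$(mktemp -d) || return 1
  (
    cd "$repo" && git init -q . && git symbolic-ref HEAD refs/heads/7.x-2.x &&
    echo "base" > xmlsitemap.module && git add . &&
    git commit -q -m "Release 7.x-2.3" && git tag 7.x-2.3 &&
    echo "dev work" > feature.inc && git add . &&
    git commit -q -m "Dev commit after 2.3" &&
    git checkout -q --detach 7.x-2.3 &&
    echo "access check" >> xmlsitemap.module &&
    git commit -q -a -m "Security fix" && git tag 7.x-2.4 &&
    git checkout -q 7.x-2.x
  ) >/dev/null 2>&1 || return 1
  echo "$repo"
}

# 0 when the tagged commit itself is reachable from the branch head.
tag_on_branch() {   # REPO TAG BRANCH
  git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# 0 when the tagged commit's change is in the branch, as the same commit or
# as an equivalent patch (git cherry compares patch IDs, not commit hashes).
fix_in_branch() {   # REPO TAG BRANCH
  tag_on_branch "$1" "$2" "$3" && return 0
  git -C "$1" cherry "$3" "$2" "$2~1" | grep -q '^-'
}

# Port the tagged fix onto the currently checked-out branch.
port_fix() {        # REPO TAG
  git -C "$1" cherry-pick "$2" >/dev/null 2>&1
}

report() {          # REPO
  tag_on_branch "$1" 7.x-2.4 7.x-2.x && t=yes || t=no
  fix_in_branch "$1" 7.x-2.4 7.x-2.x && f=yes || f=no
  echo "tag on branch: $t, fix in branch: $f"
}

repo=$(build_demo_repo) && {
  report "$repo"; port_fix "$repo" 7.x-2.4; report "$repo"; rm -rf "$repo"
}
```

On a real checkout, the same two functions tell you whether a branch-tracking update will ever land on the tagged commit and whether the branch you are on already contains the security change.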