Problem/Motivation
Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009
Security Advisory likely affects wxt 3x and also wxt 4x
Proposed resolution
upgrade ctools to version 3.6
apply the patches in this issue for wxt 3x and 4x, run `composer up drupal/ctools`, commit the updated composer.lock, then tag and release.
Remaining tasks
remove conflicting patch #2874176-2: Incorrect cache metadata for EntityView block
https://www.drupal.org/files/issues/entityview-cache-metadata-2874176-2....
set ctools to version 3.6
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | wxt3x-sa_contrib_2021_009_upgrade_ctools-3213872-5.patch | 1.02 KB | joseph.olstad |
| #4 | wxt-upgrade_ctools_for_sa_CONTRIB-2021-009-3213872-4.patch | 784 bytes | colan |
Comments
Comment #2
joseph.olstad
Comment #3
colan
Added missing links to the SA and issue comment.
Comment #4
colan
I don't see a patch here so no idea why it's already set to NR, and this should go into HEAD first and then backported to older branches later if there's interest.
Please see attached.
Also, I could find no evidence that the other patch is in 4.x so there's nothing to do there, unless I'm missing something. And `composer install` works fine.
If there are no problems, you can just use `git am` to merge it, which preserves metadata, and you don't need to add it yourself (or bother with the `git commit` command below).
Comment #5
joseph.olstad
3x patch, removes patch that is no longer needed in 3.6
Comment #6
joseph.olstad
Comment #7
joseph.olstad
Comment #9
sylus commented
Thanks so much!
Committed and attributed, I will probably do a release this weekend :)
Comment #10
joseph.olstad
Hi @sylus, this was pushed for 4.0.x (Thanks!) however I checked the 8.x-3.x branch and the 3x patch wasn't pushed?
Are there plans for 3x?
Comment #11
colan
According to the project page, that branch is no longer supported. I'd recommend upgrading to 4.
Comment #12
colan
Sorry, didn't mean to switch branches (but this'll probably be a Wontfix).
Comment #13
joseph.olstad
Just wondering, I can do some composer dependency override and patch ignore tricks for 3x otherwise.
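As an added illustration of the "patch ignore" approach mentioned in the comment above (this is example configuration written for this page, not code from this issue, from the WxT project or from the attached patches): a site-level composer.json using cweagans/composer-patches 1.x can drop a patch that a dependency declares for another package, so a site can move to a fixed drupal/ctools before the distribution ships its own release. Assumptions: the package carrying the patch definition is drupal/wxt, the version constraints are placeholders, and the patch description key and URL are placeholders that would have to match, character for character, the description and URL used in WxT's own `extra.patches` entry for the EntityView cache-metadata patch (the truncated URL in the issue summary is not reproduced here).

```json
{
    "require": {
        "cweagans/composer-patches": "^1.7",
        "drupal/wxt": "^3.0"
    },
    "extra": {
        "_note": "Example for this page only. enable-patching is required for patches declared by dependencies to be applied at all; patches-ignore is keyed by the dependency that declares the patch, then the patched package, then the exact description string from that dependency's composer.json.",
        "enable-patching": true,
        "patches-ignore": {
            "drupal/wxt": {
                "drupal/ctools": {
                    "PLACEHOLDER: exact description of the EntityView cache-metadata patch as written in drupal/wxt composer.json": "https://www.drupal.org/files/issues/PLACEHOLDER.patch"
                }
            }
        }
    }
}
```

After adding the entry, `composer update drupal/ctools --with-dependencies` and a check that `composer show drupal/ctools` reports 3.6 or later confirms the override took effect; if the description key does not match the dependency's entry exactly, the patch is still applied and the update fails with a patch conflict.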
Comment #14
joseph.olstad
Actually, I see it in 3x now
it's probably just in github but not on d.o repo
Comment #15
joseph.olstad
nvm, was looking at ctools_block
still needs review for 3x
Comment #17
sylus commented
Pushed to the 8.x-3.x line as well :D
Thanks everyone!
Comment #18
colan
Thanks for that. Can we get an ETA for the 4.x release as this is a security issue? I asked in https://message.gccollab.ca/channel/drupal but never got a response.
If you're too busy, is there anything I can do to help? e.g. Act as a co-maintainer to cut a release, etc.?
(I don't like asking for things on d.o without volunteering.)
Comment #19
joseph.olstad
Yes, I was just going to ask about that
wondering about a 4.0.5 tag?
Comment #20
joseph.olstad
@colan, yes, thanks for offering to assist Sylus as a co-maintainer. Just noticed that.
might be a good idea to share the responsibility
Perhaps @colan could be made responsible for security advisory updates, releasing and tagging?
Comment #21
colan
If the help would be appreciated (if not, that's fine), it would be helpful if someone could point out docs for non-d.o stuff (if that would even be necessary for this kind of thing). While I maintain many projects here, there seems to be a GitHub component on this project. (We normally do all of our CI/CD with GitLab CI so I'm not up-to-speed on whatever GitHub does these days.)
The d.o stuff would be no problem at all, but I don't know about the other stuff yet.
Aside: We've rolled our own patch for this as we need to do a site release today, and I haven't heard back on what's going on here. Applying the patch above doesn't actually work because these get applied after the other ones so it's non-trivial. We needed to get the real diff and apply that.