In #2367319: Implement automatic background updates for highly critical security issues there has been some discussion about ways that something like the update module could give advanced notification that a critical update is coming.

Within the security team we're discussing when/how to pre-announce issues of different levels.

Here's a rough concept of the functionality for discussion:

  • Some new content/data on drupal.org that would get posted in advance of a security advisory with a structured format
  • A Drupal site periodically retrieves and parses that information to see if an upcoming release will affect that site
  • The site can then take appropriate actions like displaying a red warning or emailing the site admin
  • etc.?

The pre-announcements are likely to have very little details other than the date/time an update is coming and the severity. We might also limit our use of this mechanism to extreme cases.

Comments

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles commented
Title: Create system for pre-announcing extreme security issues in core/contrib » Create system for distributing pre-announcements of extreme security issues in core/contrib
Issue summary: View changes
coltrane’s picture

coltrane
he/him
CreditAttribution: coltrane commented
Related issues: +#2369383: Provide basic SA details in 'security update available' message

I propose that the goal should be expanded to be about improving security knowledge as it relates to a particular site.

Consider the issue at #2369383: Provide basic SA details in 'security update available' message which asks for detailed SA data within security update messages. The mechanism for alerting pre-announcements could piggyback on a system that shows expanded SA details, given shared development.

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles commented

I agree that issue has a good goal, though it addresses the point after the issue is published rather than before so it can potentially leverage the existing content we have on d.o: a security advisory. If it turns out that there are synergies in combining them that works for me. Those synergies aren't immediately obvious to me, though.

masipila’s picture

masipila CreditAttribution: masipila commented

Hi,

I think that the pre-announcement functionality doesn't have to be more complex than it has to be:

In the rear case that the sec team thinks that a pre-announcement is needed (pre-auth remote exploit or something critical enough), all that we need IMO is to spread the word that a new highly critical security advisory + new release will be published on yyyy-mm-dd at hh:mm UTC.

  • This announcement would then be published as a special content type on d.o that the sites can poll when cron is run.
  • The pre-announcement doesn't have to tell which contrib module is affected (see below for my 2 cents). All we have to tell at this point is the major version(s) that are affected and the timestamp when the fix will be released.
  • The update module would then show the red hilight + send an email to the site owner if the email alerts are enabled on update module settings
  • Obviously, the pre-announcement should also be sent to the official sec mailing list as well

I would say that this functionality would be all that is needed. I don't like the idea that the pre-announcement would include the affected contrib module name because this would give unnecessary heads up for the attackers to find the sechole before we have the fix available. There are some extremely widely used modules which are still small in terms of the amount of code so publishing the name of the module might already be too much information that we want to publish.

Let's not over engineer this one. I think that the only thing that we are trying to solve with the pre-announcements is to make sure that as many site maintainers would get the alert in time so that they can plan their schedules so that they are prepared when the SA is released.

Cheers,
Markus

corbacho’s picture

corbacho CreditAttribution: corbacho commented

I like a lot this idea.

Could we add to this pre-announcement information about how to protect yourself (if possible)

Taking as example this Security Pre-announcement of Typo3:

Please consider deactivating "register_globals"; this setting is deprecated
nowadays (PHP 5.3+) and is generally not needed for TYPO3.

timodwhit’s picture

timodwhit CreditAttribution: timodwhit commented

I like this idea, I think it would be good to be able to add multiple users to the email string for the SA message.

For example you may have a sites email as: webmaster@example.com, but your devs is/are dev1@example.com/dev2@example.com. Webmaster might not be checked as often, but this would allow for the devs to be aware of it.

Just an idea.

omega8cc’s picture

omega8cc CreditAttribution: omega8cc commented

This feature would have to be forced as always enabled to be really effective, so it can't depend on the 'update' module, because this module can be disabled on production sites. But it is probably obvious already.

gpk’s picture

gpk CreditAttribution: gpk commented

Agree strongly with #5 that the pre-announcement must include information about how to protect yourself. In the case of SA-CORE-2014-005, hackers would have already have identified thousands or millions of potential victim Drupal sites and had all their botnets primed, it would only have taken them a minute or two to engineer their attacks and start deploying them. How many site admins could have patched or upgraded all their sites in a time window of a few minutes?

In this case AFAICS the only protection would have been for all Drupal 7 sites in existence to be taken completely offline manually before the details of the vulnerability were revealed.

[Update] though one has to wonder, if a vulnerability is rated at the most critical level, would hackers have reasoned ... the vulnerability must be in database.inc...... and would they have found it......

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

dww’s picture

dww
we/he/they
CreditAttribution: dww at TEN7 commented
Parent issue: » #3041885: Display relevant Security Advisories data for Drupal

FYI: This is nearing completion at #3041885: Display relevant Security Advisories data for Drupal

phenaproxima’s picture

phenaproxima
he/him
Primary language English
Location Massachusetts
CreditAttribution: phenaproxima at Acquia commented
Status: Active » Closed (duplicate)

This very much seems like a duplicate of #3041885: Display relevant Security Advisories data for Drupal, so closing this out.