Does anyone know why the security fixes for feeds and mimemail weren't included in the latest (2.44) release while they have been available for quite a while?

Feeds (1 security update)
Current OA version: 7.x-2.0-alpha8+33-dev (2014-Feb-11) (Git hash a8468a)
Latest version: 7.x-2.0-beta1 (2015-Jul-11)

Mime Mail (2 security updates)
Current OA version: 7.x-1.0-alpha2+25-dev (2013-Jul-07)
Latest version: 7.x-1.0-beta4 (2015-Aug-02)

Also, these modules are supposed to get updated in the next OA release:

Fieldable Panels Panes (FPP) (1 security update)
Current OA version: 7.x-1.6
Latest version: 7.x-1.7 (2015-Sep-02)

Paragraphs (1 security update)
Current OA version: 7.x-1.0-beta6
Latest version: 7.x-1.0-rc3 (2015-Sep-03)

Comments

lex0r created an issue. See original summary.

mpotter

Thanks for the note:

The Feeds and Mimemail modules don't have full releases, so their security updates aren't going through the normal security team review yet. The 2.44 release was needed for critical core issues and all of these other issues are considered minor updates. Mimemail is more interesting as we seem to have that pinned to an old revision and I'm not sure why, so I'll look into that.

The updates in FPP and Paragraphs will be in the 2.45 release later this week.

Remember that our policy is that we do monthly maintenance and security updates unless it's a critical issue.

JKingsnorth

Hi mpotter - is the release schedule mentioned in the documentation somewhere? I couldn't find it immediately. Writing it out explicitly on the project page or in the docs might reduce the number of 'module x needs a security update' issues that are created, and reassure people that the project is very actively maintained.

Argus

Component: Miscellaneous » Documentation
Assigned: Unassigned » Argus
Category: Bug report » Feature request

@jkingsnorth: I don't think it is mentioned in the documentation yet. The new release schedule was presented in the Winter 2015 release webinar. I will create a doc page for it, but I don't think there is a written-out policy for updating contrib modules in OA.

Argus

Status: Active » Fixed

mpotter

Thanks Argus! ++

dpoletto

Hello @mpotter, I upgraded this morning (CET here!) to latest Open Atrium 2.45 and I noticed that Paragraphs module (paragraphs) is still at 7.x-1.0-beta6 version (So the "There are security updates available for one or more of your modules or themes. To ensure the security of your server, you should update immediately!" message still pops up).

Feeds, Mime Mail and Fieldable Panels Panes (FPP) modules look all updated to their latest versions reported above by @lex0r.

mpotter

The security issue in Paragraphs is super minor and doesn't affect normal Atrium users. It is documented in this issue #2549453: XSS vulnerability on paragraph bundle name (overview page) and is only an issue if you create paragraph bundle names that include markup. Since only site admins can do this, it's very minor (site admins can do all sorts of stuff to mess up a site if they want).

Since Paragraphs is used more extensively in Atrium, we just didn't have time to test everything that might be affected by moving to the latest Paragraphs release. We needed to get 2.45 out before Barcelona. We'll be doing more module updates in October for the 2.50 release.
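
As an added illustration of the bug class mpotter describes above (an admin-supplied bundle name containing markup echoed unescaped on an overview page), here is a constructed PHP snippet. It is not the Paragraphs module's code and does not reproduce the fix in #2549453: the bundle array, the two row-building functions and the stand-in check_plain() are assumptions made for the example, so that it runs outside a Drupal bootstrap.

```php
<?php
// Added example, not Paragraphs or Open Atrium code. Shows the difference
// between concatenating an admin-supplied label straight into HTML and
// escaping it first. All names and data below are made up for the demo.

// Drupal 7's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
// Define a stand-in so the script runs without a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample bundles: one ordinary, one whose label carries markup
// (the situation the thread describes: only a site admin can set these).
$bundles = array(
  'text' => array('label' => 'Text', 'description' => 'Plain text paragraph'),
  'evil' => array(
    'label' => '<img src=x onerror="alert(1)">',
    'description' => 'Label contains markup',
  ),
);

// Vulnerable pattern: the label is placed into the HTML as-is, so the
// browser of anyone viewing the overview page executes the markup.
function overview_rows_unsafe(array $bundles) {
  $rows = array();
  foreach ($bundles as $name => $info) {
    $rows[] = '<tr><td>' . $info['label'] . '</td><td>' . $name . '</td></tr>';
  }
  return $rows;
}

// Hardened pattern: every admin-supplied string goes through check_plain()
// before it enters markup, so the label is displayed literally.
function overview_rows_safe(array $bundles) {
  $rows = array();
  foreach ($bundles as $name => $info) {
    $rows[] = '<tr><td>' . check_plain($info['label']) . '</td><td>'
      . check_plain($name) . '</td></tr>';
  }
  return $rows;
}

echo "Unsafe:\n" . implode("\n", overview_rows_unsafe($bundles)) . "\n\n";
echo "Safe:\n" . implode("\n", overview_rows_safe($bundles)) . "\n";
```

Run it with `php example.php`: the unsafe rows contain a live `<img ... onerror=...>` tag, the safe rows contain `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`. In a real Drupal 7 admin page the escaped strings would be passed to theme('table') or a '#markup' element in the same way. The practical severity is exactly as mpotter states: the markup has to be put there by someone with permission to define bundles, so the risk is an administrator's payload reaching other users of the overview page, not an unprivileged attacker.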

dpoletto

Great!

JKingsnorth

Thanks for the docs update Argus

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.