Does anyone know why the security fixes for feeds and mimemail weren't included in the latest (2.44) release when they have been available for quite a while?
Feeds (1 security update)
Current OA version: 7.x-2.0-alpha8+33-dev (2014-Feb-11) (Git hash a8468a)
Latest version: 7.x-2.0-beta1 (2015-Jul-11)
Mime Mail (2 security updates)
Current OA version: 7.x-1.0-alpha2+25-dev (2013-Jul-07)
Latest version: 7.x-1.0-beta4 (2015-Aug-02)
Also, these modules are supposed to get updated in the next OA release:
Fieldable Panels Panes (FPP) (1 security update)
Current OA version: 7.x-1.6
Latest version: 7.x-1.7 (2015-Sep-02)
Paragraphs (1 security update)
Current OA version: 7.x-1.0-beta6
Latest version: 7.x-1.0-rc3 (2015-Sep-03)
Comments
Comment #2
mpotter commented:
Thanks for the note:
The Feeds and Mimemail modules don't have full releases, so their security updates aren't going through the normal security team review yet. The 2.44 release was needed for critical core issues and all of these other issues are considered minor updates. Mimemail is more interesting as we seem to have that pinned to an old revision and I'm not sure why, so I'll look into that.
The updates in FPP and Paragraphs will be in the 2.45 release later this week.
Remember that our policy is that we do monthly maintenance and security updates unless it's a critical issue.
Comment #3
JKingsnorth commented:
Hi mpotter - is the release schedule mentioned in the documentation somewhere? I couldn't find it immediately. Writing it out explicitly on the project page or in the docs might reduce the number of 'module x needs a security update' issues that are created, and reassure people that the project is very actively maintained.
Comment #4
Argus (as a volunteer) commented:
@jkingsnorth: I don't think it is mentioned in the documentation yet. The new release schedule was presented in the Winter 2015 release webinar. I will create a doc page for it, but I don't think there is a written-out policy for updating contrib modules in OA.
Comment #5
Argus (as a volunteer) commented:
Updated the docs
Comment #6
mpotter commented:
Thanks Argus! ++
Comment #7
dpoletto commented:
Hello @mpotter, I upgraded this morning (CET here!) to the latest Open Atrium 2.45 and I noticed that the Paragraphs module (paragraphs) is still at version 7.x-1.0-beta6 (so the "There are security updates available for one or more of your modules or themes. To ensure the security of your server, you should update immediately!" message still pops up).
The Feeds, Mime Mail and Fieldable Panels Panes (FPP) modules all look updated to their latest versions reported above by @lex0r.
Comment #8
mpotter commented:
The security issue in Paragraphs is super minor and doesn't affect normal Atrium users. It is documented in this issue, "#2549453: XSS vulnerability on paragraph bundle name (overview page)", and is only an issue if you create paragraph bundle names that include markup. Since only site admins can do this, it's very minor (site admins can do all sorts of stuff to mess up a site if they want).
Since Paragraphs is used more extensively in Atrium, we just didn't have time to test everything that might be affected by moving to the latest Paragraphs release. We needed to get 2.45 out before Barcelona. We'll be doing more module updates in October for the 2.50 release.
Comment #9
dpoletto commented:
Great!
Comment #10
JKingsnorth commented:
Thanks for the docs update, Argus