A recent security vulnerability has been issued for the References Module: https://www.drupal.org/node/2869138. The security team at Drupal is recommending that the module be removed. It seems OpenPublic's design is heavily reliant on the References Module, and removing it would entail disabling the majority of OpenPublic's apps. Any feedback on how current implementations of OpenPublic are to handle this new development would be appreciated. Thank you!

Comments

buddym created an issue. See original summary.

paultsao’s picture

We are heavily using OpenPublic and would love some feedback as well.

mpotter’s picture

A Security Advisory was issued for the References module used in OpenPublic (Drupal 7) to mark the module as Unsupported due to lack of response from the module maintainer on a security issue. The advisory was marked as "Critical" because this is the severity of marking any module as Unsupported. The "Critical" severity rating does not apply to the original security issue that was being investigated.

A potential new maintainer has released a new version of References module. An update to OpenPublish for this and other modules that have security updates will be posted later today.

mpotter’s picture

Status: Active » Fixed

This is fixed in 7.x-1.11.

mpotter’s picture

Issue tags: -security vulnerability, -References Module, -DRUPAL-SA-CONTRIB-2017-38

buddym’s picture

I appreciate the continued support of this amazing profile. Thank you!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.