Closed (fixed)
Project:
Colorbox Node
Version:
7.x-3.x-dev
Component:
Miscellaneous
Priority:
Normal
Category:
Task
Assigned:
Reporter:
Created:
14 Mar 2022 at 05:23 UTC
Updated:
26 Apr 2022 at 13:44 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
ericdsd commentedHi sadashiv i hope ILLin still receives notifications from drupal.org, as he doesn't seem to make drupal studd anymore,
i've also sent him a message on linkedin, hoping he can get back to us.
BTW thank you for the patch.
Comment #3
iLLin commentedI approve this message.
Comment #4
ericdsd commentedGreat to hear that ;)
Comment #5
avpadernoThis module is now unsupported due to a security issue the maintainers didn’t fix (since January, 2022).
Every user who wants to maintain/co-maintain this project should contact the Drupal.org Security Team.
Comment #6
sadashiv commentedShould I move the issue to the other queue but as @iLLin replied, I think he can grant access.
Please update what should be my next step?
Thanks,
Sadashiv.
Comment #7
avpaderno@sadashiv iLLin cannot add maintainers/co-maintainers, since he now has only the permission to administer issues.
Contact the Drupal.org Security Team, as described in Becoming owner of a project that is unsupported for security reasons.
Comment #8
sadashiv commentedAs the project is unspported, I would like to takeover the project, as mentioned in the description have provided potential fix for the security issue, please add me as maintainer so that can review the security issues and fix them and make the module supported.
Thanks,
Sadashiv.
Comment #9
gislesadashiv,
nobody here can add you as maintainer because the project is unsupported due to a security issue.
As apaderno has already explained: You need to contact the security team to get your patch reviewed, and to be added as a maintainer.
Comment #10
avpadernoComment #11
avpadernoI am moving this issue back to the project queue.
Comment #12
cmlaraAdding relationship to #3260984: Inconsistent messaging around adopting unsupported for security reasons projects as this might be an issue with the wording with policy of 30 days after security issue is made public.
Adding #3271037: Develop and publish policy regarding missed SA notices relationship as the SA was never fully published for this module.
Comment #13
sadashiv commentedI mailed the security team regarding the patch I submitted, I see that now the SA is published, do I need any additional steps to verify that the patch fixes the security issue or some way the team will disclose the issue to me
Thanks,
Sadashiv
Comment #14
gisleYou need to get the security team to verify that your patch fixes the issue.
Comment #15
ericdsd commentedHi Sadahiv
did you get some answers from security team about becoming maintainer, as it will be necessary to provide a new release ?
Comment #16
sadashiv commentedNo, noreply from the security team on the email I send.
Thanks,
Sadashiv.
Comment #17
dmundra@sadashiv might be easier to communicate with them on Drupal slack https://www.drupal.org/community/contributor-guide/reference-information... in the #security-questions channel.
Comment #18
sadashiv commentedThanks for the suggestion @dmundra, have asked on slack.
Thanks,
Sadashiv.
Comment #19
ericdsd commentedHi @sadashiv, did you have any news from security team about getting maintainer status ?
Comment #20
sadashiv commentedNo, no reply on slack as well, no reply for email.
Comment #21
cmlaraAt this point it is hard to determine the cause for non-response by the Security Team.
This could be that the Security Team is currently overloaded beyond their ability to effectively respond to security concerns, that the Security Team has a fault in their communications systems for receiving contact from the community, or that the Security Team is choosing not to respond to an offer to adopt this module, or other unknown reasons.
Adding #3263727: Update Security metrics for the community as related since that process could give us some additional details to work with in these scenarios to allow the community to make more informed decisions about how to proceed.
Comment #22
mlhess commentedI just checked our email and did not see this in queue, @webmasters feel free to reassign ownership to the new maintainer, if set, remove the full html from the description. I am not at my desk at the moment, but I can do this later on today if no one sees it before then.
Comment #23
gisleI've transferred ownership to sadashiv as instructed by mlhess of the security team.
Test format was "Filtered HTML".