Panic, POODLEs, AngularJS, Ruby, and Giving Back

Another week has flown by, and what a week it was. Those of you in DevOps, bless you for fixing not one but two security issues this week. For the rest of you not directly involved in patching servers and software, go buy the ones that are a drink. Speaking of a drink, grab a cup of coffee, tea, or something stronger if appropriate. Let's sit for a moment, catch our breath, and see what's happening around the ecosystem.

Drupal 7 Security Issue: Don't Panic

Maggie Graham wrote up a quick overview for the customers of Promet Source. It gives all the basic info.

Description of Security Issue: The security issue is a SQL Injection vulnerability in the database abstraction API. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. 

Of course here at Pantheon, we issued emails to all of our customers with full instructions on what to do as well as a blog post by Josh Koenig titled "Pantheon's Response to Drupal 7.32 Core SQL Injection".

The Drupal security team announced an important update today for all Drupal 7 sites to prevent a remote SQL injection attack. This update is now available to all Drupal 7 sites on Pantheon. If you have Drupal 7 sites on Pantheon, please log in and deploy this update immediately.

In recognition of the severity of this issue we have taken steps to monitor and mitigate possible exploits at the platform level. However, the only way to ensure you are protected is to apply the update.

Josh followed that post up with "What We Are Seeing With Drupal SA 2014-005". Here he talks about the attack vectors that we're seeing.

It's been 24 hours since Drupal SA-CORE-2014-005 was announced, and we are already beginning to see attacks in the wild. As a platform with 10s of 1000s of Drupal sites, we have a unique perspective on the problem.

This is not a drill: black-hat scripters from sketchy domains are working through lists of known Drupal websites probing for exploits. If you have not patched all your sites, stop reading and do it right now.

I'm echoing that—if you've not patched all your sites yet, stop reading this now and go patch them! Then come back and finish your coffee. 


If drupalsa05 wasn't enough, Drupalers—and everyone else on the entire web—had to deal with POODLE. (Padding Oracle on Downgraded Legacy Encryption). Like Heartbleed before it, this is a vulnerability in SSL. SSLv3 cannot be patched or fixed; this is a design flaw. Therefore, the only safe move is to disable SSLv3 in every application you have that uses it (hint: it's probably more than just Apache). 

Red Hat put out a good overview on their site about POODLE titled "POODLE: SSLv3 vulnerability (CVE-2014-3566)". If you are using a modern Red Hat system, there are instructions on how to disable SSLv3 as well.

Background Information:

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. More details are available in the upstream OpenSSL advisory.

POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

If you are using another OS for your server, you will need to search for the appropriate instructions.

Of course Pantheon is on top of this for our customers. Gary Dylina wrote a short piece titled "Why We're Dropping Support for SSLv3" detailing what we did to protect our customers from killer POODLEs.

Details about a recently published security vulnerability named POODLE are all over the web. It wasn’t the worst vulnerability we’ve seen in recent history, but it had potential to be bad in very narrow circumstances. I am proud of how we at Pantheon responded to this challenge.

If you need to test to see if your site is vulnerable to POODLE attacks, you can use the Qualys SSL Labs SSL Server Test

Now that the scary stuff is out of the way, let's look at some of the more benign but interesting things people are posting.

Automatically Switch Drush Versions Per Project

Marc van Gend has written up an interesting little post on how he switches versions of Drush based on the project he is working on.

Now that Drush has become standard equipment in every developer's toolbox, and Drupal 8 is around the corner, you may find yourself asking "Which Drush version should I use?" While Drush 6 has a stable release, only Drush 7 can be used with Drupal 8. Usually, I use Drush 7. It works well with both Drupal 7 and Drupal 8, and even though is doesn't have a stable release yet, it feels pretty stable to me.

He can't be the only one that has this problem. Drop by and give it a read. While you are there, leave Marc a comment telling him thank you for sharing.

Binding Drupal Data with AngularJS—A Step-by-Step Tutorial

Have you ever wondered about using AngularJS and Drupal together in the same project? If you are interested, Alban Bailly has written up a step-by-step guide for you. 

AngularJS is getting much more attention these days, and for very good reasons. Many JS frameworks have seen their day in the past couple years, but it seems to me like Angular is ahead, judging by the growing community behind it (and it may help to be backed up by Google…). While this is not the main reason why I dove into it, it helps knowing the technology I spend time learning is not going away anytime soon.

This one is long and detailed, just what you would expect from a well-written technical tutorial. Bookmark this one, pull it up Saturday afternoon and dive in for some learning time.

LoopConf Call for Speakers

There is a new conference for WordPress developers! LoopConf is taking place in May of 2015 in Las Vegas, NV. The best news is that they are looking for speakers. 

We’re excited that you’re interested in speaking at what is sure to be an amazing event. Before you dive right in and fill out the application, we figured you should probably know a few details about our event, like what’s expected of our speakers, and what kind of awesome perks you get for contributing to our conference.

Got an idea for a talk? Submit it! Don't want to talk? Buy a ticket!

Are You Giving Back?

Bruce Clingan of LightSky has posted a call to action for shops that are using Drupal. The line of thought he explores applies equally to any open source project that your company is making money off of.

LightSky has been using Drupal for quite some time, but because of a lot of factors haven’t contributed as much during that time as we probably should. Mike and I implemented a philosophical change about a year ago to make a concerted effort to give back. It has been small steps for us though, we are a small organization and in a growing phase, so our resources to give back have been limited. Starting with attending some Drupal camps, to building modules, contributing to core, and growing from there, we have made a pretty big effort on our end to help support the Drupal community and we think you should too.

Click on through and give this one a read. It is important that all of us contribute to keep the code flowing.

Developer's Corner: Ruby... The What, Why, and When

Val Mitchell has written an interesting post on Ruby. Yes, Ruby. I know this newsletter talks about Drupal and WordPress and PHP, but this post is about Ruby, deal with it.

From my experience, when non-developers hear about this fascinating programming language for the first time, they tend to think it might be something new or rather outdated, something limited and not broadly used in the industry since it's name doesn't include any plus signs, hashtags , dashes, or a weird acronym. While the story of it's naming is not that intriguing, what’s really is interesting is what Ruby has evolved into since it was released to the public in 1995.

Click on through in give it a read, especially if you have never used Ruby. It probably won't convince you to ditch PHP and move to Ruby, but that's not the point. You will never know if Ruby is the right tool for the job if you don't know what Ruby is useful for.

Twenty Fifteen is in /trunk!

Ian Stewart wrote a short—seriously, very short—announcement that Twenty Fifteen is now in trunk.

With r29892 the first pass at our new default theme, Twenty Fifteen, is in core. While a lot of hard work has gone into it already it won’t be complete without your help. Check it out and do your best to twist it, bend it, and break it everywhere you can — especially on your favourite and least favourite mobile devices. Every tester, and every ticket, helps get us closer to an amazing theme for 2015.

That's half the post right there, I told you it was short. The cool thing though, is that there is a screenshot. I'm not going to post that, if you want to see what it looks like, you are going to have to click on through.

Site Setup Journal: Act II

Previously, we talked about Jen Mylo's new project to blog about setting up a WordPress install with no developer help. She posted Act I previously and now she is back with Act II: Setting Up WordPress.

1-click installs are totally the way to go, right? I mean, 1-click sounds faster and easier than the famous 5-minute install that you get if you do it manually over FTP (according to the Codex). I immediately go into the Dreamhost control panel and went for a 1-click.

As we've come to expect from Jen, this is a great series. Whether you're actually looking for answers or just interested in someone deconstructing the WordPress install process, it's a good read.

Contributing to Open Source: a quick getting started guide

Finally, my friend—and fellow developer advocate—Erika Heidi of Digital Ocean has posted a great piece on contributing to open source. Here is a quick taste:

Breaking the Initial Barriers

If you are not sure yet about how contributing to open source can help you become a better developer, have a look at this post from @GeeH on dev-human: Open Source for Personal Gain.

Another relevant post on dev-human related to open source is from@meadsteve, about code reviews: Taking all criticism in a positive light.

If you are not involved in contributing to an open source project, get involved with one today. It's good for you, it's good for the project, it's good for the ecosystem. Remember you are standing on the shoulders of giants. Others gave so that you could get where you are, you owe it to them to give to the next generation.

Until next week!

Topics Security, Drupal