It's not news that Drupal 7 is approaching its end-of-life (EOL), in fact, it has been a long time coming, but the EOL date (November 1, 2023) will be here before you know it, and it seems less and less likely by the day that it will be extended further. There has been a lot of talk about what it takes to upgrade to "modern Drupal," but less ink has been spilled painting a picture of what it will actually be like to still be responsible for a Drupal 7 site and its security after that date. Keep reading this article (or listen to our Drupal 7 End-of-Life Podcast) to learn all about what it means for you.

Trust the Process

Drupal has long had a stellar reputation for security and it would be easy to think that was due to the fact that it is open-source. I would argue the level of security offered by Drupal's codebase is a product of its security process.

The Drupal Security Team is responsible for triaging security issues for Drupal core and contributed modules, mobilizing developers to create fixes, and getting information about the vulnerability, along with the corresponding fix, in front of users as efficiently as possible. When Drupal 7 reaches EOL, its code will still be open-source, but it will not benefit from any of the structure or processes that have been built to get Drupal to where it is now. It will be a bit like living in a frontier town with no infrastructure or help available when something inevitably goes wrong. This is not what anyone responsible for the security of a website wants to hear.

Drupal's Security Process

As a refresher, this is a high-level overview of the steps that would occur if you discover a vulnerability in a supported version of Drupal.

1. You discover a security vulnerability in Drupal core or a contributed module.
2. You report the vulnerability to the Drupal Security Team.
3. The security team will triage the issue and if they confirm it, contact the relevant maintainers in private. This is important so that a fix can be created before the vulnerability is made public.
4. The security team will coordinate with the maintainers to ensure the issue has been resolved.
5. When the issue has been fixed, and new releases created, the security team will publicize the vulnerability and its fix.

Drupal users only need to concern themselves with following the security team's announcements to stay up to date on vulnerabilities and their corresponding fixes.

Zero-Day Exploits

The original EOL announcement from 2019 details what will be different when Drupal 7 reaches end-of-life:

- The Drupal Security Team will no longer provide support or Security Advisories for Drupal 7 core or contributed modules, themes, or other projects.
- Reports about Drupal 7 vulnerabilities might become public creating 0 day exploits.

The security processes detailed above will not exist for Drupal 7. The security team will no longer accept or triage reports for Drupal 7, coordinate/publish fixes, or publicize their release. It will be increasingly likely that vulnerabilities will be disclosed publicly before fixes are identified and published. Providing security requires more than simply posting a patch to. Hundreds of thousands of people rely on the Drupal security team to notify them of known vulnerabilities.