Developer Portal Security Updates

Google Cloud Apigee
1

I see Security update related alerts on the Developer Portal and Pantheon. Thing is I applied all the updates available in Pantheon but I am still getting alerts for some modules.

5282-updates-through-pantheon.png
5282-updates-through-pantheon.png804×566 171 KB

5283-security-updates-on-portal.png
5283-security-updates-on-portal.png1273×583 32 KB

I referred to following existing issues logged by other community user, but have further questions

https://community.apigee.com/questions/30224/developer-portal-updates.html

https://community.apigee.com/questions/22929/should-customers-using-pantheon-hosted-drupal-appl.html

The Developer portal shows updates for two modules in my case: Legal and Media. These modules are already present in both Profiles/ and Sites/ location. The Profiles/ location modules are getting updated (though not the July updates) but are not effective because they are being overridden by the Sites/ modules. I don’t believe we have added these modules to the Sites/ location. So, I have the following questions:

  1. In case of Legal module, the version in Profiles/ matches the recommended version as per Security alert. So can I remove the module from Sites/ ?

  2. In case of Media module, the version in Profiles/ folder is 7.x-2.8 (older) which is newer that Sites/ but older than the recommended version 7.x-2.9 per the Security alert. So, should I get the latest recommended version and place that in Sites/ folder?

In such case, how do we manage our long term approach because security vulnerabilities may us to place the modules in Sites/ folder and then these module may end up not getting updated through Pantheon because the Sites/ folder module is overriding the Profiles/ folder module.

2

All Apigee created modules are placed in the /profiles/apigee/modules/custom directory, and all Drupal.org modules are placed in /profiles/apigee/modules/contrib directory. Any modules placed in /sites/all/modules are there because your team has added them.

Note that is is common Drupal convention to place modules in either /sites/all/modules/contrib, or /sites/all/modules/custom. You can use any directory structure you want however, or place all modules directly in /sites/all/modules.

If you place any modules in /sites/all/modules (or any subdirectory), those module versions will override any of the modules place in /profiles/apigee/modules.

So, for question #1, the legal module, yes you should remove the older version in /sites/all/modules.

For #2, the current version of media module is 7.x-2.8 which you should have if you pulled down latest from our Apigee upstream. As of today (July 17th 2017) the current version of our Drupal distribution is 17.06.29.00, which you can view by logging in as an admin and going to Reports > Status Report in the admin toolbar.

5311-screen-shot-2017-07-17-at-30218-pm.png
5311-screen-shot-2017-07-17-at-30218-pm.png628×183 9.99 KB

Make sure you have pulled in all updates to your Dev environment and followed the Pantheon workflow.

As for security updates, we push out security updates as soon as possible, usually within 48 hours, and faster if it is a critical issue. However, you can put a security update in faster if you want into your /sites/all/modules dir, and remove it after our upstream version is updated as explained by Anil in the post you mentioned above.

3

Thanks @Chris Novak, that helps