A newsletter for people maintaining contributions on drupal.org. Subscription for all git account holders is mandatory and is automatically done by a cronjob in drupalorg.module.

Development Server Compromised

On Tuesday, November 3rd, it was discovered that scratchvm.drupal.org, used for
testing Drupal infrastructure upgrades, was compromised by a brute force attack
on a weak account password. The attacker was NOT able to achieve root access to
the server. However, to ensure the continued security of user accounts, the
Infrastructure Team has revoked passwords for Drupal CVS accounts and for
Infrastructure Team members.

If you do not have CVS access, and are not a member of the Drupal Infrastructure
Team, YOU MAY IGNORE THIS EMAIL. Likewise, if you have a CVS account which is no
longer in use, you can ignore this email and your account will remain securely
locked out.

CVS Account Passwords

A mirror of the Drupal CVS repository was stored on the compromised server. This
included secure hashes of CVS passwords. While it is extremely unlikely that CVS
accounts could be compromised, passwords have been revoked as a precaution.

To reset your CVS account password:

  1. Log in to your user account at http://drupal.org/
  2. Click on "My account" in the navigation block.
  3. Click the "Edit" tab for your account.
  4. Click the "CVS" sub-tab under "Edit".
  5. Enter a new password, and click "Save".
  6. Wait AT LEAST 30 MINUTES before attempting to use your CVS account. This time is needed for the CVS server to synchronize your password.

October 2008 Maintainer News

Security team update

We recently released SA-2008-063 for multiple contributed modules. This was due to an incorrect implementation of hook_menu in Drupal 6.

Incorrect:

'access callback' => user_access('administer nodes'),

This calls user_access() when the menu is built instead of naming it as the callback. It evaluates to TRUE and leaves the page wide open to any user who might come across it.

Correct:

'access callback' => 'user_access',
'access arguments' => array('administer nodes'),

or even more simply:

'access arguments' => array('administer nodes'),

since the access callback defaults to 'user_access'.

For more documentation see: http://drupal.org/node/109157
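
To audit a module for the mistake described above, the following added example (not part of the original newsletter or of Drupal itself) scans PHP source for 'access callback' values that are expressions rather than a quoted function name or a boolean literal. It is a line-based heuristic; the "example" module and its paths are constructed sample input.

```python
import re

# Value of an 'access callback' key, up to the first comma or end of line.
ACCESS_CALLBACK = re.compile(r"""['"]access callback['"]\s*=>\s*(?P<value>[^,\n]+)""")
# Values that are stored as written: a quoted function name or a boolean literal.
LITERAL = re.compile(r"""^(?:'[^']*'|"[^"]*"|TRUE|FALSE)$""", re.IGNORECASE)


def find_evaluated_access_callbacks(php_source):
    """Return (line_number, value) for each 'access callback' that is an
    expression evaluated when hook_menu() runs instead of a function name."""
    findings = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "*", "/*", "#")):
            continue  # ignore commented-out code
        match = ACCESS_CALLBACK.search(line)
        if match:
            value = match.group("value").strip()
            if not LITERAL.match(value):
                findings.append((number, value))
    return findings


# Constructed sample module (hypothetical "example" module), not real code.
SAMPLE_MODULE = """<?php
function example_menu() {
  $items['admin/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'example_settings',
    'access callback' => user_access('administer nodes'),
  );
  $items['admin/example/list'] = array(
    'page callback' => 'example_list',
    'access callback' => 'user_access',
    'access arguments' => array('administer nodes'),
  );
  $items['example/public'] = array(
    'page callback' => 'example_public',
    'access callback' => TRUE,
  );
  return $items;
}
"""

if __name__ == "__main__":
    for number, value in find_evaluated_access_callbacks(SAMPLE_MODULE):
        print(f"line {number}: access callback is an expression: {value}")
```

A literal TRUE is not flagged because it is a deliberate choice to make a page public; only values computed while hook_menu() runs are reported.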

Drupal 7 updates

UNSTABLE developer tags now available

6.2 menu API changes: examples supplement

Apologies for the missing examples in the first edition of the newsletter. We even tested it, but the revision simplenews sent out wasn't the one we intended.

EXAMPLE - BEFORE API CHANGE:

New newsletter, 6.2 minor menu system API changes

New Maintainer Newsletter

This is the first issue of the Maintainer Newsletter. All drupal.org CVS account holders, which means all users who may be maintaining a contributed module, theme, or distribution on drupal.org, are now automatically subscribed to this newsletter. Other users may optionally subscribe. This newsletter will be used for occasional announcements important for those using CVS and maintaining a contributed project. You can also subscribe to this newsletter via RSS at:
http://drupal.org/maintainer-news

CVS wisdom boiled down into a two page handout

In case you missed the talk at the Boston DrupalCon about how to maintain your contributions, be sure to check out the .pdf for the handout that accompanied the presentation:
http://drupal.org/files/maintain-release-handout.pdf
It's got some invaluable yet concise wisdom about The Right Way(tm) to use CVS for your contribution. Please read this handout now (even if you consider yourself a CVS expert) so that you do things right and don't generate additional support requests for the over-committed CVS administrators.

Drupal 6.2 minor menu system API Changes

The forthcoming point release of Drupal 6.x will feature two minor API changes.

* hook_menu access inheritance.
* one of the core-defined load functions, %user_current.
