Friendly Reminder
As a reminder - you can just click the "follow" link on the right side of the page to start receiving updates on an issue, you don't need to post a comment.
Want to replace Colorbox with another module? Please use #3261738: Alternative Colorbox modules for all discussion and feedback.
A new release is incoming
Hi all - @paulmckibben from the Drupal Slack posted:
I haven't had time to read this entire thread, but I am now a maintainer of the colorbox module. We have work in progress on the outstanding security issues and hope to put out a new release very soon.
Problem/Motivation
The intent of this issue is to help the maintainer(s) coordinate community efforts in the creation of a new stable release. Community involvement is only intended as a suggestion; it is up to maintainers to ultimately decide the creation of, and what goes into, a stable release. If you are not interested in using this issue, please mark the issue as Fixed or Closed (works as designed).
Release-blocker issues
- issues tbd
Good-to-fix issues
- issues tbd
Above and beyond tasks
- Create issue fix list for stable release using the grn tool.
Remaining tasks
- Establish a list of release-blockers and 'good-to-fix' issues for a stable release.
- Resolve above issues blocking the release of a stable release.
- Craft changelog for new release.
- Create new release.
Do you have resources you'd like to contribute to this template? Have feedback on the stable release request issue template? We want your feedback: #3239062: 'Stable Release Request' Issue Template
Original issue summary
Identify the changes to be included in the next stable release of Colorbox
Comments
Comment #2
xeM8VfDh CreditAttribution: xeM8VfDh commented
what's the status here? Is this module dead? The notice on the home page is concerning.
Comment #3
DamienMcKenna commented
I suspect there might be a new release soon.
Comment #4
xeM8VfDh CreditAttribution: xeM8VfDh commented
Oh wow, that's surprising and hopeful news @DamienMcKenna. Do you suspect said release would address the security concerns that have flagged this module as unsupported?
Many thanks to everyone working on it!
Comment #5
KlemenDEV CreditAttribution: KlemenDEV as a volunteer and at Pylo commented
This is great to hear, it would be a shame to lose this module with 200k+ users :) Any info on when?
Comment #6
Beezer75 CreditAttribution: Beezer75 commented
Following - I'd like to continue to use this module for sure.
Comment #7
solarDog CreditAttribution: solarDog as a volunteer commented
Following - I am grateful for this module!
Comment #8
caspervoogt CreditAttribution: caspervoogt at Plethora commented
I use this module a lot. Happy to help test
Comment #9
hughworm CreditAttribution: hughworm as a volunteer commented
It's not clear whether the security issue affects the D7 version of the module. Can I find out?
Comment #10
SnowCoder CreditAttribution: SnowCoder commented
As this is a highly used module, I would hope someone would be quick on this and able to update the security concerns that are being flagged for it. I for one use this module in every site I've created. Hoping for a quick turnaround.
Comment #11
droddis CreditAttribution: droddis commented
@hughworm
I'm guessing it is but there's no real information. I'm getting an UNSUPPORTED module warning from a number of my D7 sites, but not seeing anything on the /update page. I'm guessing that means that ColorBox is affected but for some reason isn't populating when running the look for updates script.
Comment #12
glbr CreditAttribution: glbr as a volunteer commented
@hughworm, @droddis I'm getting the unsupported warning across all my D9 sites. I don't think the security team distinguishes between versions when they mark a module unsupported. Instead they do that based on a lack of response from maintainers for a security issue affecting the module. Most sites running colorbox are still on D7 but it's not clear what the vulnerability is or which piece of software needs an update.
And it isn't clear that this problem or those listed as children here have anything to do with the security issue. Probably not, I would guess, from the process described at the page below.
See "what happens if I don't respond?" here: https://www.drupal.org/drupal-security-team/contacted-by-the-security-team-now-what
Comment #13
hughworm CreditAttribution: hughworm as a volunteer commented
There's a team of 5 maintainers. I wonder if we could have a statement from one of them?
Comment #14
hughworm CreditAttribution: hughworm as a volunteer commented
Sent on twitter: "@Sam_152 @NesleePinto27 @josephwheaton I see you're maintainers of the Colorbox module which has been given "unsupported" status by the security team. I'd love to know whether you plan an imminent Drupal 7 release to fix this?"
Comment #15
gillesbailleux commented
Following
Comment #16
DamienMcKenna commented
As a reminder - you can just click the "follow" link on the right side of the page to start receiving updates on an issue, you don't need to post a comment.
Comment #17
xeM8VfDh CreditAttribution: xeM8VfDh commented
glad to see some other dedicated users jump on this issue, hopefully we gain some traction soon. I too am happy to test!
Comment #18
glbr CreditAttribution: glbr as a volunteer commented
Issue #3260722: Offer to co-maintain Colorbox has been opened. The reporter stated they are mainly interested in the D7 version so someone interested in co-maintaining with a focus on D8+ might want to connect there.
Comment #19
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
Unsupported: 1.7.
I am also interested in 8.x-1.8.
Comment #20
Jon Pollard CreditAttribution: Jon Pollard at Turtlereality Web Design commented
I am also interested in the D9 version. If there is a security issue facing both 7 & 9 versions, is it possibly the same issue?
Comment #21
ThirstySix CreditAttribution: ThirstySix as a volunteer and at GTECH commented
+1 For Drupal 9 version
Comment #22
kenrbnsn CreditAttribution: kenrbnsn commented
Does anybody know what the security problem is that caused this to happen? If we knew what the problem is, maybe more of us would jump in to try to fix it.
Comment #23
solideogloria CreditAttribution: solideogloria commented
@droddis See #3097138: Unsupported modules don't show in Update Manager
It happens when a module is unsupported but there is no replacement to update to.
Comment #24
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
This link to #3097138 is for Drupal 7. We are talking about Drupal 9.
Comment #25
solideogloria CreditAttribution: solideogloria commented
Droddis was talking about D7. That's why I pinged him.
Comment #26
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
We all should talk about a new Drupal 9 version.
Comment #27
solideogloria CreditAttribution: solideogloria commented
There are 3 times as many users of Colorbox for Drupal 7 as there are of the 8.x branch. So both versions need maintenance.
Comment #28
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
We have 5 maintainers. Somebody should mail them.
Comment #29
alienzed CreditAttribution: alienzed commented
I nominate drupalfan2 for emailing the 5 maintainers!
Comment #30
xeM8VfDh CreditAttribution: xeM8VfDh commented
it would be great if both the D7 and D8/9 versions were addressed.
That said, while I realize there are more D7 version users, D7 itself is end-of-life in 10 months, while D9 isn't end-of-life for another 22 months.
Comment #31
andreaciravolo CreditAttribution: andreaciravolo commented
I am also interested in the D9 version.
I have tried on both the D9 and the D7 and I get the same warning: "Not supported! Error
Colorbox 8.x-1.7 Project not supported: This project is no longer supported, and is no longer available for download. Disabling everything included by this project is strongly recommended! Includes: Colorbox "
I ask someone more experienced: should I disable Colorbox while waiting for news, or leave it active? What are the risks? Thanks, Andre
Comment #32
afarsal CreditAttribution: afarsal commented
Hello dear team,
It's good to have both versions (7 & 9 &...) and I hope that the end-of-life of drupal 7 will be extended longer.
Thank you very much and thanks drupal team.
Comment #33
Kulturmensch CreditAttribution: Kulturmensch as a volunteer commented
Need a patch for 9.3, too.
Comment #34
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
I contacted Neslee (https://www.drupal.org/u/neslee-canil-pinto)
and sent him 2 messages (drupal profile contact form, and on his website).
So please contact the other maintainers now.
Thank you.
Comment #35
frjo CreditAttribution: frjo commented
One of the original maintainers here, I stopped using Drupal a few years ago and handed over all my modules.
Comment #36
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
Okay, do you know who the new active maintainer is?
Comment #37
glbr CreditAttribution: glbr as a volunteer commented
@drupalfan2, respectfully, there seems to be something about "unsupported module" that you are missing. Former maintainers who have moved on for whatever reasons owe you no explanation. As mentioned in one of my earlier comments, the community process does seem to be working - potential maintainers seem to be working with the security team to become maintainers. That, and getting the security issue fixed, which probably has nothing to do with this issue, may take a bit of time.
@frjo, thanks for your contributions to a module that is clearly still appreciated by many in the Drupal community.
Comment #38
lorisbel CreditAttribution: lorisbel commented
Is it possible to know the issue's details that make the project not yet supported? Thanks
Comment #39
DamienMcKenna commented
Per the security team's processes - no, we wait at least 30 days before allowing the details to be made public in order to give time for new prospective maintainers to take on the responsibility and fix it.
Colorbox is a somewhat high profile module, please be patient while the process is running its course.
Comment #40
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
>> we wait at least 30 days before allowing the details to be made public
Why?
Comment #41
DamienMcKenna commented
>> we wait at least 30 days before allowing the details to be made public
> Why?
We don't want people knowing what the exploit is and learning how to hack sites using it before there's a fix available.
Comment #42
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
But the maintainer or future maintainer should know what the exploit is, otherwise they cannot decide if they are able to help or not.
Comment #43
xeM8VfDh CreditAttribution: xeM8VfDh commented
It sounds like potential new maintainers are in contact with core/security folks to discuss and manage a handoff. I could be wrong, but that's what #37 and the other issue seem to suggest.
Comment #44
Webbeh commented
Adjusting issue summary for release notes, and adding helpful reminder for folks to keep this issue on topic.
To expand on this, this refers to a public disclosure, not a disclosure to module maintainers. Thanks for the feedback, but let's keep this issue on track with issue completion for a new release.
Comment #45
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
Attention - Attention - Attention
217,583 sites are using the Colorbox module.
217,583 sites are at risk of being hacked.
None of the 217 thousand site owners or webmasters know how big the problem is and how vulnerable their data is because they continue to use the colorbox module.
But their sites might be hacked.
Every effort should be made to close the security issue as soon as possible and without waiting.
Comment #46
KlemenDEV CreditAttribution: KlemenDEV as a volunteer and at Pylo commented
I 100% agree with #45. 217,583 is quite a number.
I understand how open source projects work and that no one is really to blame or to be expected to fix this, but on the other hand, this is quite bad for Drupal and its name.
Comment #47
Ollibolli commented
Hmm, no hard feelings on this, but there seem to be numerous people willing to help out to get this sorted out quickly.
When it comes to security concerns there is no time to lose to get these issues fixed. Security has always been a trademark for Drupal and there should be quick ways to fix projects or bury them completely when no fixing is foreseeable.
Comment #48
afarsal CreditAttribution: afarsal commented
100% agree with #45 and #47.
We use drupal because it is reliable. Why wait for a maintainer ?
Thanks.
Comment #49
ab_connor CreditAttribution: ab_connor as a volunteer commented
I decided to get rid of colorbox and switch to baguettebox. I don't trust a project where its maintainers have no time for the security of their users. It's quite easy and baguettebox has the same features. Look here: https://www.drupal.org/node/266126
Comment #50
Rikibu CreditAttribution: Rikibu commented
We only can hope and wait for a fix. But are there any alternative solutions to put node content into lightboxes?
I tried baguette.js and magnific popup - both are working on node content pages as formatter, but when I use them on views generated pages, the lightbox effect is not shown.
Comment #51
ab_connor CreditAttribution: ab_connor as a volunteer commented
@Rikibu :
README says: To make it work with Views you should either set "Use field template" checkbox or manually add "baguettebox" class in View field style settings.
Comment #52
Rikibu CreditAttribution: Rikibu commented
@ab_connor
ah, thanks... i need better glasses :-)
but maybe this one helps another user here to work around the colorbox issue...
Comment #53
xeM8VfDh CreditAttribution: xeM8VfDh commented
baguettebox is a nice alternative to know about, but I came to Colorbox because Juicebox exhibited a similar issue as this one--basically vanishing maintainers and broke when core updated. Colorbox seems like the most popular lightbox module I'm aware of, so it's probably worth keeping this one alive.
Good to know about baguette though, in case no traction is gained here.
Comment #54
TTNT CreditAttribution: TTNT commented
I tried both baguette and magnific, I can't get any of them to work. Following installation instructions for both, magnific does get the library loaded but doesn't do anything when the formatter is selected. Baguette simply doesn't want to find the library at all (and yes I read the release notes about the folder name change, it didn't matter). Colorbox seems to just... work. So yea, I'll also post in the respective issue queues to get pointers on how to install them, but on the other hand it would be nice to get colorbox back.
Comment #55
TTNT CreditAttribution: TTNT commented
So I replaced colorbox with baguette as follows:
Just in case someone else wants to get rid of colorbox until there is a stable D9 branch.
Comment #56
Webbeh commented
Folks - for replacement module discussion, please use #3261738: Alternative Colorbox modules. This issue is intended for the next stable release discussion and planning.
Comment #57
xeM8VfDh CreditAttribution: xeM8VfDh commented
Thanks @Webbeh
Is there any update or predicted time for an update as to whether new maintainers have been assigned and/or if the ball is moving forward? I suspect most people here don't want to jump ship to a new module, and regular updates from people in the know would be helpful to assuage doubts and provide clarity.
Comment #58
candelas CreditAttribution: candelas as a volunteer commented
I just want to say thanks thanks thanks to the past maintainers, the future ones and the security team.
I can understand people being nervous, but, please, respect the generous work they have given to us.
And we all can, if we don't have the knowledge, donate money to make this solved sooner.
Have a good day! :)
Comment #59
Webbeh commented
Hi all - @paulmckibben from the Drupal Slack posted:
Comment #60
paulmckibben commented
Hi all, I am a new maintainer. I, along with a few others, am actively working on a fix for several outstanding security issues in both the 8.x and 7.x versions of colorbox. We are very close to a release, and a return to "supported" status, for both. Please hang tight. Thanks!
Comment #61
KlemenDEV CreditAttribution: KlemenDEV as a volunteer and at Pylo commented
Nice, thank you @paulmckibben and team for your work on the module :)
Comment #62
Rikibu CreditAttribution: Rikibu commented
@paulmckibben
thanks for giving the colorbox module a secure future :-)
great news.
Comment #63
le72 commented
Thank you @paulmckibben.
Comment #64
stuhannaford CreditAttribution: stuhannaford commented
Thanks @paulmckibben
Comment #65
EricVL CreditAttribution: EricVL commented
This is great. Thanks @paulmckibben
Comment #66
jabeler CreditAttribution: jabeler commented
Thanks @paulmckibben :)
Comment #67
dak5859 CreditAttribution: dak5859 commented
Thanks @paulmckibben. Good news.
Comment #68
xeM8VfDh CreditAttribution: xeM8VfDh commented
thanks @paulmckibben and everyone else working on it, great work!
Comment #69
paulmckibben commented
The 8.x-1.8 release is out. All known security issues are fixed. However, security coverage will not be restored until a thorough audit of the codebase for both 7.x and 8.x can be completed. Thanks!
Putting this issue in "Needs Review" state, with the intent to close it in the next few days pending any other feedback.
Comment #70
rafaolf CreditAttribution: rafaolf at Appnovation commented
Thank you @paulmckibben, really appreciated!
Comment #71
xeM8VfDh CreditAttribution: xeM8VfDh commented
thanks @paulmckibben
I have just deployed 1.8 and it works fine for me. I am not sure if there is anything I should specifically be testing other than the default functionality (if there is some security testing that needs to be done).
Let us know if there is specific testing that needs to be done.
EDIT: I'm on core 9.3.4
Comment #72
goldin CreditAttribution: goldin commented
Spectacular news @paulmckibben! Thank you. I have also tested basic functionality on 1.8 (and with core 9.3.4 - just out), and it's working fine.
Comment #73
andreaciravolo CreditAttribution: andreaciravolo commented
Perfect @paulmckibben, I tested it on D 9.3.3 and it is ok. Thank you all
Comment #74
glbr CreditAttribution: glbr as a volunteer commented
Tested with core 9.3.4. Works. The code changes for 8.x-1.8 look fine to me. Thanks!
Comment #75
J-Lee commented
Many thanks to paulmckibben for the takeover.
1.8 with Drupal 9.3.4 looks good. Did not see another issue after a quick look.
Comment #76
drupalfan2 CreditAttribution: drupalfan2 as a volunteer commented
Thank you.
Comment #77
grumpy74 CreditAttribution: grumpy74 commented
🙏 Thank you @paulmckibben !
Comment #78
ThirstySix CreditAttribution: ThirstySix as a volunteer and at GTECH commented
Thank you @paulmckibben,
Yes, I have tested with 9.3.4 with V1.8. Working fine.
Comment #79
Webbeh commented
Per #69 (and incorrect status update in #72).
Comment #80
hughworm CreditAttribution: hughworm as a volunteer commented
Thanks all.
However.... I just deployed the update to a D7 site and unfortunately it broke a video_embed_field field popup, so I have reverted.
It seems to be caused by these new lines in colorbox.js:
Commenting out the "photo: true" enabled wef videos to load.
Should I raise a new issue?
Comment #81
Webbeh commented
Per #80, create a new issue for that bug.
Comment #82
afarsal CreditAttribution: afarsal commented
Fine. Thank you @paulmckibben and thanks Drupal team.
Comment #83
caspervoogt CreditAttribution: caspervoogt at Plethora commented
tested 1.8 and working beautifully. Thanks, maintainers!
Comment #84
xeM8VfDh CreditAttribution: xeM8VfDh commented
looks like my Available Updates Report page is no longer warning me about Colorbox 🎉🎉🎉
I see a full code audit is required before the module is officially given the green light by the security team, but we are all really glad to see this moving (so incredibly quickly) in the right direction.
Thanks again everyone.
Comment #85
paulmckibben commented
@hughworm, re:
I tried this myself, and the bug appears to be in the video_embed_field module. It is creating an incorrect link, adding both the "colorbox-load" and "colorbox" classes. It should only add the "colorbox-load" class.
I filed an issue against the video_embed_field module, and there's a patch there: #3262515: Incorrect colorbox class on thumbnail with colorbox.
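Comment #85 reports that a link ended up carrying both the "colorbox-load" and "colorbox" classes, where only "colorbox-load" was expected. The function below is an added example, not code from the Colorbox or video_embed_field modules: it scans a static HTML string for anchors that carry both classes so a site owner can locate the affected links in rendered output before applying the linked patch. The sample markup is constructed for this example; the scanner assumes ordinary quoted class attributes and is not a full HTML parser.

```javascript
// Added example (not part of the Colorbox module): locate <a> elements whose
// class attribute contains both "colorbox-load" and "colorbox", the
// combination comment #85 reports as the cause of the broken popup.

// Scan every <a ...> opening tag in `html` and return the ones carrying
// both classes. A small string scanner is used here so the check runs on a
// saved page without a DOM; in a browser, document.querySelectorAll would do.
function findConflictingColorboxLinks(html) {
  const anchorRe = /<a\b[^>]*>/gi;
  const classRe = /\bclass\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
  const results = [];
  let match;
  while ((match = anchorRe.exec(html)) !== null) {
    const tag = match[0];
    const classMatch = classRe.exec(tag);
    if (!classMatch) continue;
    // Split the attribute value on whitespace so "colorbox" is matched as a
    // whole token and does not match "colorbox-load" by prefix.
    const classes = (classMatch[1] ?? classMatch[2] ?? '')
      .split(/\s+/)
      .filter(Boolean);
    if (classes.includes('colorbox-load') && classes.includes('colorbox')) {
      results.push({ tag, classes });
    }
  }
  return results;
}

// Constructed sample markup (not captured from a real site). Anchors 1 and 4
// carry both classes; anchors 2 and 3 carry only one of them.
const SAMPLE_HTML = `
<a href="/media/1" class="colorbox-load colorbox" title="Video 1">thumb 1</a>
<a href="/media/2" class="colorbox-load" title="Video 2">thumb 2</a>
<a href="/media/3" class='colorbox' title="Image 3">thumb 3</a>
<a href="/media/4" class="btn colorbox colorbox-load">thumb 4</a>
<abbr class="colorbox colorbox-load">not an anchor</abbr>
`;

// Print each conflicting tag and return how many were found.
function reportConflicts(html) {
  const hits = findConflictingColorboxLinks(html);
  for (const hit of hits) {
    console.log(`conflict: ${hit.tag}`);
  }
  return hits.length;
}

reportConflicts(SAMPLE_HTML); // prints the two conflicting anchors, returns 2
```

Running the scanner over a page saved from the browser lists the exact tags to fix; the `<abbr>` line in the sample shows that only anchors are considered.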
Comment #86
HaemishM CreditAttribution: HaemishM commented
I updated to the version for Drupal 9.3. I'm using it with a view that loads content fields from a custom content type, using replacement tokens on the "Custom Caption" for the popup. It seems as if the content in the popup is now fed as raw text, so any HTML tags in the content get printed out exactly on the popup (strong tags show up around words, can't put line breaks or have different parts of the output as CSS targeted elements). It all just fills the cBoxTitle div without any formatting.
Comment #87
bas123 CreditAttribution: bas123 as a volunteer commented
@paulmckibben,
Thanks for jumping in and saving the day so quickly for the "measly"😉 214,753 sites reported using this module!
I have been frantically looking for alternatives with a keen eye on the Slick Carousel and its suite of Slideshows etc. and have been in communication with the very helpful Gaus Surahman (gausarts) who has provided me with very useful alternatives should they become necessary!
I just updated a Drupal 8.9.20 | Open Social (social 10.3.8) with near future plans to bring it into Drupal ^9 | Open Social ^11.
In the process of that update it appears that Colorbox 8.x-1.8 was in fact installed to replace version 8.x-1.2.
To be clear, are we now safe from all vulnerabilities that caused the recent Security Alerts (and deprecation), so that we may safely continue our configurations?
And is it only a matter of a review and stamp of approval by the Drupal Security Team that would clear any warnings etc.?
Comment #88
xeM8VfDh CreditAttribution: xeM8VfDh commented
working for me on latest 9.3.5 as well.
I am using it in a view.
Comment #89
Nick Hope CreditAttribution: Nick Hope commented
Thank you to those who worked on this.
Unfortunately links in custom captions (including those generated by tokens from link fields) no longer work as html links.
Comment #90
paulmckibben commented
@bas123, the current Colorbox releases are safe from all known vulnerabilities. We are thoroughly reviewing both the 7.x and 8.x branches and are also trying to address backward compatibility issues. You should no longer be getting a warning in the update manager of your site, but please understand that the Colorbox module currently does not have coverage from the security team. We'll have security coverage again once we reach a point that we (the maintainers and the security team) are satisfied that both branches are adequately hardened.
Comment #91
paulmckibben commented
Everyone: if you encounter a backward compatibility issue, please write up a new issue rather than comment here. It will be easier to track that way. Thank you.
Comment #92
Sseto CreditAttribution: Sseto commented
Updated Colorbox on 9.3.5 and it works perfectly. Thanks for the quick update team!
Comment #93
Nick Hope CreditAttribution: Nick Hope commented
Comment #94
bas123 CreditAttribution: bas123 as a volunteer commented
@paulmckibben,
Thanks for that, and again great work!
I will be working on now updating my Open Social Sites to version 11 which runs on Drupal 9.2x (Currently), and trust that the Colorbox's that I use for both images and video in user profiles will not be among the possible stumbling blocks to that end.
In the meantime, I have been in communication with Gaus Surahman (gausarts) as I mentioned above, and believe I may look to transition once the upgrades are complete from colorbox to Slick Lightbox and/or Carousel for these purposes.
Have you (or anyone else here) made such a transition? The primary reason for me would be what appears to be a greater range of display options and captioning styles, plus I believe the general user is now more accustomed to seeing and using this type of slider due to its popularity across the web.
Thoughts welcome!
Comment #95
c.altosax CreditAttribution: c.altosax commented
Colorbox is an important part of a website that I maintain, but we are leaving it disabled until security coverage is reinstated. Are there any estimates of when the audit might be complete? Is there somewhere that we can watch for updates on that?
HUGE thank you to the new maintainers and also to the security team for the great work being done here.
Comment #96
paulmckibben commented
@c.altosax I'm trying to get a better idea from the security team as to what it will take to restore security coverage. I'm sorry to say, I don't have a timeframe, but hopefully soon.
Comment #97
goldin CreditAttribution: goldin commented
@paulmckibben Thank you for the effort you put in to restore security coverage for Colorbox!
Comment #98
Nick Hope CreditAttribution: Nick Hope commented
Also from me, thank you very much @paulmckibben.
Comment #99
kmonty commented
Given 1.9 was released earlier this week and the module has security coverage again, it seems this is fixed and this issue is no longer relevant. Thanks Paul!
Comment #100
xeM8VfDh CreditAttribution: xeM8VfDh commented
amazing, well done to everyone involved :)
Comment #102
bas123 CreditAttribution: bas123 as a volunteer commented
So, now someone has undone a feature that was reinstalled a few months back!
I do not know if anyone here has any feedback on this, but I'm taking a shot!
This involves the use of Colorbox Navigation Buttons when used with Blazy Video Embed Field using Colorbox as Media Switcher
See: https://www.drupal.org/project/colorbox/issues/3277985
Comment #103
DamienMcKenna commented
@bas123: Please open a new issue for that regression.
Comment #104
bas123 CreditAttribution: bas123 as a volunteer commented
DamienMcKenna,
Did I not do that with: https://www.drupal.org/project/colorbox/issues/3277985
Or do I need to do this somewhere else?
Comment #105
DamienMcKenna commented
Ok, that's fine, let's continue the discussion over in that issue.