UT Drupal Kit 2.12.2 Security Release

ITS has posted a patch-level release of the UT Drupal Kit in order to address multiple critical security vulnerabilities in the SimpleSAMLphp library.

This release is only available via Pantheon upstream repository, as SimpleSAMLphp is not bundled with the standalone download version of the UT Drupal Kit.

It is recommended that all users of the UT Drupal Kit on Pantheon update their sites with this latest version as soon as practicable.

How to Update the UT Drupal Kit

Complete instructions for updating a UT Drupal Kit site are available on the documentation wiki.

Please review the release notes thoroughly, and always make backups of your code, files, and database before proceeding with an update!

Understanding the new `pantheon.upstream.yml` file

With the 7.x-2.9 update of the UT Drupal Kit, astute developers will notice a new file in the document root of their git repo called pantheon.upstream.yml, whose contents look like this:

# IMPORTANT NOTE:
# Do not edit this file unless you are doing so in your custom upstream repository.
# Override the defaults specified here in a site-specific `pantheon.yml` file.
# For more information see: https://pantheon.io/docs/pantheon-upstream-yml
api_version: 1
php_version: 5.6

This change was announced as part of Pantheon’s move to making PHP 7 the default version of PHP for all WordPress and Drupal 8 sites. The pantheon.upstream.yml file allows maintainers of custom upstreams such as the UT Drupal Kit to keep the default PHP version for their site pegged at 5.6.

I’m already using PHP 7 in my UT Drupal Kit site. How does this affect me?

If you have already specified PHP 7 as the default version in a pantheon.yml file in your site repository, nothing will change. Configuration options defined in pantheon.yml override any defined in pantheon.upstream.yml.

My Drupal 7 site is on Pantheon, but doesn’t use the UT Drupal Kit upstream. How does this affect me?

Since Drupal 7 is not 100% compatible with PHP 7, this same pantheon.upstream.yml file is also included in Pantheon’s base Drupal 7 upstream repository. So you should have already seen this file show up as a commit waiting to be merged from the Drupal 7 upstream.

Again, no action should be needed on your part in order to maintain the status quo — if you had already put a pantheon.yml file in place to upgrade your site to PHP 7, it will override the pantheon.upstream.yml file. If you do not have a pantheon.yml file in place, your site would have already been using PHP 5.5 or 5.6, and this new file will simply preserve that as the default going forward.
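To make the precedence rule described in the two answers above concrete, here is a small resolver that layers a site-specific pantheon.yml over the upstream-supplied pantheon.upstream.yml and reports the PHP version the site will actually run. This is an added example, not code from the UT Drupal Kit or from Pantheon. It assumes that both files stay flat `key: value` documents (so a simplified parser is enough) and that pantheon.yml overrides pantheon.upstream.yml key by key; the sample file contents are constructed to mirror the file shown above.

```python
# Added example (not UT Drupal Kit or Pantheon code): resolve the effective
# PHP version by layering pantheon.yml over pantheon.upstream.yml.
from typing import Dict, Optional

# Constructed sample: mirrors the pantheon.upstream.yml shown in the post.
UPSTREAM_YML = """\
# IMPORTANT NOTE:
# Do not edit this file unless you are doing so in your custom upstream repository.
# Override the defaults specified here in a site-specific `pantheon.yml` file.
# For more information see: https://pantheon.io/docs/pantheon-upstream-yml
api_version: 1
php_version: 5.6
"""

# Constructed sample: a site-specific pantheon.yml that opts the site into PHP 7.
SITE_YML_PHP7 = """\
api_version: 1
php_version: 7.0
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` subset of YAML used by these two files.

    Comment lines and trailing `#` comments are dropped, blank lines are
    skipped, and values are kept as strings so that `7.0` is not silently
    turned into the float 7. Assumption: nested YAML never appears here, so
    this simplified parser does not handle it.
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"not a key: value line: {raw!r}")
        key, value = line.split(":", 1)
        config[key.strip()] = value.strip().strip("'\"")
    return config


def effective_config(upstream_yml: str, site_yml: Optional[str]) -> Dict[str, str]:
    """Apply the precedence rule: pantheon.yml keys override pantheon.upstream.yml.

    Assumption: the override is per top-level key, so a pantheon.yml that sets
    only api_version leaves the upstream php_version in force. A missing
    pantheon.yml (site_yml is None) means the upstream defaults apply as-is.
    """
    config = parse_flat_yaml(upstream_yml)
    if site_yml is not None:
        config.update(parse_flat_yaml(site_yml))
    return config


def effective_php_version(upstream_yml: str, site_yml: Optional[str]) -> Optional[str]:
    """Return the PHP version the site will run, or None if neither file sets one."""
    return effective_config(upstream_yml, site_yml).get("php_version")


if __name__ == "__main__":
    print("no pantheon.yml        ->", effective_php_version(UPSTREAM_YML, None))
    print("pantheon.yml with PHP 7 ->", effective_php_version(UPSTREAM_YML, SITE_YML_PHP7))
    print("pantheon.yml, no php   ->", effective_php_version(UPSTREAM_YML, "api_version: 1\n"))
```

Running the script shows the three cases discussed above: with no pantheon.yml the upstream's 5.6 stands, a pantheon.yml that sets php_version wins, and a pantheon.yml that is silent about php_version still inherits 5.6 from the upstream file.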

I’m using the UT Drupal Kit on UT Web or a VM. How does this affect me?

The pantheon.upstream.yml file is not included as part of the standalone UT Drupal Kit download, so this does not affect sites that are not hosted on Pantheon.

Will the UT Drupal Kit ever default to PHP 7 on Pantheon?

Probably not until we have a Drupal 8 version of the Kit.

As discussed in our previous post, “PHP 7, the UT Drupal Kit, and You!”, there are sufficient unknowns with regard to total compatibility with Drupal core, all of the contrib modules included with the Drupal Kit, and the wide range of customizations already present in deployed sites, that we are not comfortable making this the default version.

We do have a number of Drupal Kit-based sites maintained by ITS that are running on PHP 7 without problems. If you are interested in trying this for yourself, feel free to experiment with creating a pantheon.yml file of your own and deploying PHP 7 to your DEV (or better yet, a multidev!) environment and putting your site through its paces.

Where can I learn more?