Commerce Kickstart Covered for SA-CORE-2018-002

On March 21st, 2018, the Drupal security team posted a public service announcement that Drupal core would be receiving a security release. The vulnerability affected Drupal 6, Drupal 7, all versions of Drupal 8, and Backdrop (a fork of Drupal created during the rewrite to version 8). On March 28th that security release landed, and the Drupal world went scrambling to apply updates. As maintainers of Commerce Kickstart, we have to be conscious of Drupal core releases, especially security ones.

In preparation for the upcoming security release, we had patches ready to commit. Since there would be no other Drupal core releases before the security update, we could make our prepared changes ahead of time and push them once the releases landed. Within minutes of the security release dropping and the Git backend for drupal.org becoming available, the release tags were pushed.

For our Pantheon users, our first step was to merge in Pantheon’s Drupal 7 upstream and receive the Drupal core security fix. Once the packaging system of drupal.org built the Commerce Kickstart 2.53 release, we pushed that out as well.

All in all, by 3 PM CDT the drupal.org releases for Commerce Kickstart 1.51 and 2.53 were out. We experienced some packaging issues due to a malicious attack hitting drupal.org during the security announcement and a backed-up packaging queue. However, we monitored chat channels and communicated the process throughout.

Thanks to the Drupal Security and Infrastructure teams for handling this release and all the stress they endured.

Matt Glaman
Senior Drupal Consultant
Posted March 29, 2018