SA-CORE-2018-002 security update
This document is archived but may contain useful information for troubleshooting future updates. For updated update steps, visit How to upgrade YMCA Website Services.
To update your OpenY site with security fix from Drupal core https://www.drupal.org/sa-core-2018-002 OpenY team is suggesting 2 options- via patch and via Drupal core upgrade(or OpenY upgrade). Drupal core upgrade or OpenY upgrade is not always possible, but security issue should be fixed asap. So consider to apply patch and plan OpenY upgrade later.
How to apply patch
Patching OpenY releases 8.0.1 - 8.1.0 (Drupal core 8.2.x)
For patching your very old OpenY release it is highly recommended to upgrade OpenY to latest version or at least to one of the 8.1.1-8.1.6 (Drupal core 8.3.x) with Drupal core upgrade to 8.3.9 https://www.drupal.org/project/drupal/releases/8.3.9 . In case if it is not possible right now, follow steps below:
- Login to your production server environment via SSH and find
docrootfolder of your site codebase. If you installed OpenY by following a tutorial https://www.youtube.com/watch?v=V3K4-RLjxQo - you should:
ssh -l root YOUR_SERVER_DOMAIN_NAME
cd /var/www/html
wget https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/8.2.x.patch
Now you are ready to patch your site. But before patching - make a backup of the file which is about to be patched
cp docroot/core/lib/Drupal/Core/DrupalKernel.php /var/backups/DrupalKernel.php
To patch your site run the command to test if the patch can be applied:
patch -p1 --dry-run < 8.2.x.patch
You should see a result
# patch -p1 --dry-run < 8.2.x.patch
checking file docroot/core/lib/Drupal/Core/DrupalKernel.php
checking file docroot/core/lib/Drupal/Core/Security/RequestSanitizer.php
In case if result different - stop on this step and let us know you have issue. In case if all good proceed with a command below, which will patch your site:
patch -p1 < 8.2.x.patch
You should see the same output as previously, but now your site is patched.
TIP: In case if you are using git repository for your site run
git add docroot/core/lib/Drupal/Core/DrupalKernel.php docroot/core/lib/Drupal/Core/Security && git commit -m "Patching OpenY core" && git push
to store your patched core into your own repository.
Patching OpenY releases 8.1.1 - 8.1.6 (Drupal core 8.3.x)
For patching your relatively old OpenY release it is highly recommended to upgrade OpenY to latest version or at least to one of the 8.1.7-8.1.10 (Drupal core 8.4.x) with Drupal core upgrade to 8.4.6 https://www.drupal.org/project/drupal/releases/8.4.6 . In case if it is not possible right now, follow steps below:
- Login to your production server environment via SSH and find
docrootfolder of your site codebase. If you installed OpenY by following a tutorial https://www.youtube.com/watch?v=V3K4-RLjxQo - you should:
ssh -l root YOUR_SERVER_DOMAIN_NAME
cd /var/www/html
wget https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/8.3.x.patch
Now you are ready to patch your site. But before patching - make a backup of the file which is about to be patched
cp docroot/core/lib/Drupal/Core/DrupalKernel.php /var/backups/DrupalKernel.php
To patch your site run the command to test if the patch can be applied:
patch -p1 --dry-run < 8.3.x.patch
You should see a result
# patch -p1 --dry-run < 8.3.x.patch
checking file docroot/core/lib/Drupal/Core/DrupalKernel.php
checking file docroot/core/lib/Drupal/Core/Security/RequestSanitizer.php
In case if result different - stop on this step and let us know you have issue. In case if all good proceed with a command below, which will patch your site:
patch -p1 < 8.3.x.patch
You should see the same output as previously, but now your site is patched.
TIP: In case if you are using git repository for your site run
git add docroot/core/lib/Drupal/Core/DrupalKernel.php docroot/core/lib/Drupal/Core/Security && git commit -m "Patching OpenY core" && git push
to store your patched core into your own repository.
Patching OpenY releases 8.1.7 - 8.1.9 (Drupal core 8.4.x)
For patching your OpenY release it is highly recommended to upgrade OpenY to latest version (8.1.10 or never) or at least to one of the 8.1.10 (Drupal core 8.4.x) with Drupal core upgrade to 8.4.6 https://www.drupal.org/project/drupal/releases/8.4.6 . In case if it is not possible right now, follow steps below:
- Login to your production server environment via SSH and find
docrootfolder of your site codebase. If you installed OpenY by following a tutorial https://www.youtube.com/watch?v=V3K4-RLjxQo - you should:
ssh -l root YOUR_SERVER_DOMAIN_NAME
cd /var/www/html
wget https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/8.4.x.patch
Now you are ready to patch your site. But before patching - make a backup of the file which is about to be patched
cp docroot/core/lib/Drupal/Core/DrupalKernel.php /var/backups/DrupalKernel.php
To patch your site run the command to test if the patch can be applied:
patch -p1 --dry-run < 8.4.x.patch
You should see a result
# patch -p1 --dry-run < 8.4.x.patch
checking file docroot/core/lib/Drupal/Core/DrupalKernel.php
checking file docroot/core/lib/Drupal/Core/Security/RequestSanitizer.php
In case if result different - stop on this step and let us know you have issue. In case if all good proceed with a command below, which will patch your site:
patch -p1 < 8.4.x.patch
You should see the same output as previously, but now your site is patched.
TIP: In case if you are using git repository for your site run
git add docroot/core/lib/Drupal/Core/DrupalKernel.php docroot/core/lib/Drupal/Core/Security && git commit -m "Patching OpenY core" && git push
to store your patched core into your own repository.
==========================
How to patch your Digitalocean OpenY install
In case if you have followed tutorial https://www.youtube.com/watch?v=V3K4-RLjxQo you should have your OPenY installed on you DigitalOcean server(droplet) in a predictable for current document folder. That’s why we prepared a short how to patch your OpenY site in a most simple way if you are not a Tech Guru, but just a user
- Log in as an admin user to your site admin UI by visiting
/user/loginURI page. - Go to
/admin/reports/statusafter login and search for Drupal Version string. It should be something like 8.2.x, 8.3.x or 8.4.x (x - some number too, like 8.4.2, for example). Based on your finding follow the steps below to your version - Login to your ВigitalOcean cloud console at digitalocean.com and find Access Console in the dropdown for the droplet you are using for the OpenY
- You should see a popup window with a black screen where console asks you for the login. Use
rootuser and a password generated for you upon droplet creation. - After login to a console run the command below, respectively to the version of your Drupal core.
One line script to patch 8.2.x Drupal core for OpenY
Type manually exact line
bash < <(curl -s https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/run8.2.x.sh)
and hit Enter.
You should see OpenY was patched message.
One line script to patch 8.3.x Drupal core for OpenY
Type manually exact line
bash < <(curl -s https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/run8.3.x.sh)
and hit Enter.
You should see OpenY was patched message.
One line script to patch 8.4.x Drupal core for OpenY
Type manually exact line
bash < <(curl -s https://raw.githubusercontent.com/YCloudYUSA/yusaopeny-project/8.1.x/scripts/patches/run8.2.x.sh)
and hit Enter.
You should see OpenY was patched message.