April 15, 2024
PHP 8.1.28, 8.2.18, and 8.3.6 were released on the platform. They contain the latest bug fixes and security releases for PHP.
Updates include patches for the following CVEs (Common Vulnerabilities and Exposures):
- CVE-2024-1874 "Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows"
- CVE-2024-2756 "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix"
- CVE-2024-3096 "password_verify can erroneously return true, opening ATO risk"
- CVE-2024-2757 "mb_encode_mimeheader runs endlessly for some inputs" (PHP 8.3 only)
As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.2 and above.
March 20, 2024
As part of our continued effort to provide the latest and best in secure software, PHP versions 7.1 and below will reach end-of-sale (EoS) on May 15, 2024. This means that sites created after May 15 will not be able to change their PHP version to PHP 7.1, 7.0, or any version of PHP 5. Sites created with custom upstreams using EoS PHP may also have unexpected behavior upon site creation.
Sites already running PHP 5, PHP 7.0, or PHP 7.1 will continue to run even after May 15.
PHP 7.1 was declared end-of-life (EoL) by the PHP Foundation on November 30, 2020, more than three years ago. PHP 5.6 reached EoL on December 31, 2018, more than five years ago. EoL software does not receive security or feature updates, and could expose sites to attack if any vulnerabilities or exploits are discovered.
Action required
Customers using custom upstreams with a PHP version less than 7.2 should update their custom upstreams by May 15 to avoid disruption. The current supported versions of PHP are 8.1, 8.2, and 8.3. Pantheon currently recommends at least PHP 8.1 for all production sites.
March 18, 2024
PHP 8.2.17 and 8.3.4 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.
February 21, 2024
The latest versions of PHP 8.x are now available on the Pantheon platform. PHP 8.1.27, 8.2.16, and 8.3.3 are all bug fix releases. No action is required on your part if you are using one of these PHP versions (8.1, 8.2 or 8.3).
December 1, 2023
We're thrilled to announce an impactful upgrade to Pantheon's security infrastructure, reinforcing our commitment to safeguarding your websites. In response to the escalating sophistication of distributed denial-of-service (DDoS) attacks, we've implemented innovative solutions to fortify our defenses. Particularly, we've addressed a surge in Layer 7 attacks targeting content management systems, ensuring resilience even without our Advanced Global CDN's Web Application Firewall (WAF).
Key benefits:
- Advanced DDoS protection: Our engineers have proactively countered Layer 7 attacks, mitigating risks posed by inauthentic traffic targeting web content management systems.
- Rate limiting capabilities: We've introduced rate limiting capabilities within our Global CDN, curbing abusive traffic effectively. This ensures a stable online presence, even during large-scale attacks, preventing wider stability issues.
For more in-depth insights into the measures we've taken and the value they bring to your Pantheon experience, delve into the full blog post. Your website's security and stability are our top priorities, and this enhancement is another step in our ongoing commitment to delivering a robust WebOps platform.
November 1, 2023
- As part of Pantheon’s commitment to accessibility, diversity, and inclusion, we are proud to announce that we have completed an external audit of our platform’s accessibility features and the results are available in our WCAG 2.1 AA VPAT.
- Our teams have ongoing efforts to improve accessibility further and have outlined goals to improve our support of WCAG 2.1 AA criteria for the next two quarters.
- Our partners and customers who depend on WCAG compliant products can confidently continue to use the platform knowing that we hold accessibility to be an important function of the services we provide.
November 1, 2023
The File System team at Pantheon achieved significant speed improvements in backup processes. The Valhalla export process was overhauled, allowing backups to be constructed from new objects, cutting down export times by 25-83%. This was accomplished by initiating object retrieval immediately after receiving MANIFEST metadata, omitting empty files, and promptly archiving received files.
October 1, 2023
Global CDN now has improved compatibility with the WPML multilingual WordPress plugin. Page variations for each language can be cached at the edge. This update was rolled out automatically for all sites that use the WPML plugin and increased site cache hit ratio by 24% on average.
October 1, 2023
PHP 8.2.11 and 8.1.24 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 will reach End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.
September 1, 2023
Pantheon has deployed PHP versions 8.2.9, 8.1.22, and 8.0.30 to customer sites running on the platform. These releases address vulnerabilities disclosed in CVE-2023-3823 and CVE-2023-3824.
If you are using PHP 8.2, 8.1 or 8.0, there is nothing further that you need to do. If you are still on PHP 7.4 or earlier, though, you should schedule some time to upgrade to a supported version. While the vulnerabilities patched in these latest releases are not reported to affect PHP 7.4, the fact remains that there could be (and probably are) unpatched vulnerabilities in the end-of-life versions. Read more about it in Greg Anderson’s blog post.
February 1, 2023
Services like Redis greatly accelerate web performance by offloading heavy database and fileservice interactions to a fast in-memory cache. Pantheon Object Cache Update allows customers the ability to adopt Redis server 6.x. This capability is made possible by adopting Pantheon’s modernized infrastructure and cloud operations frameworks. To learn more about Object Cache, refer to our documentation.
September 1, 2022
PHP 8.1 is now recommended for Drupal sites version 9.3.0 and higher. An underlying bug with ProxySQL was fixed in version 2.4.3 and PHP 8.1 was updated on the platform to incorporate this fix.
January 1, 2022
Customers can now upgrade their site database and PHP by using the One-Click Upstream Update feature in the Site Dashboard or the Terminus command upstream:updates:apply. Pantheon makes it simple to keep your site database secure and performant. Sites using Custom Upstreams can easily upgrade to supported database versions by configuring the site's pantheon.yml.
August 1, 2020
All Pantheon customers are now provisioned with a dedicated certificate for HTTPS for each custom domain on a site environment. In addition, the go-live experience has been optimized and now lets you configure HTTPS before launch via the DNS TXT method to verify domain ownership.
July 1, 2020
Although it places load on the platform, Pantheon now excludes traffic from Petalbot, which would otherwise count towards your website's total traffic.
June 1, 2020
Global CDN now blocks requests identified as being performed by AspiegelBot (aka PetalBot) when a query string is present. This platform-wide change is intended to guard against resource exhaustion and related site downtime. Going forward these requests will result in a 403 and will not count as site traffic for Pages Served and Visits. For more information see Traffic Limits and Overages.
Capacity Expansion: Auckland, New Zealand (AKL).
April 1, 2020
The New Relic agent has been upgraded from version 9.2.0.247 to version 9.7.0.258 platform-wide. This upgrade fixes a potential segfault with PHP 7.3. For more information, see the New Relic Agent release notes.
March 1, 2020
New Points of Presence:
- Ashburn, VA (WDC)
- Chicago (PWK)
Expanded Capacity:
- Vancouver (YVR)
- Sydney, Australia (SYD)
- NY (LGA)
- Los Angeles (BUR)
- Dallas (DFW)
- Atlanta (FTY)
- Boston (BOS)
- Helsinki (HEL)
- Osaka (ITM)
- Amsterdam (AMS)
March 1, 2020
Advanced Global CDN extends Global CDN for customers that need unique customizations including personalization, domain masking, and extended enterprise-grade security features including a WAF, IP and geolocation blocking and blocklisting. Advanced Global CDN is available as an add-on product to all customers now.
January 1, 2020
Most UDP traffic originating from the platform has now been blocked in order to prevent platform abuse.
January 1, 2020
Localdev 0.6.0-beta.9 includes macOS Catalina support, and numerous improvements and bug fixes.
November 1, 2019
Improved auto-update system with support for stable and beta channels, as well as changelog display, plus other fixes.
October 1, 2019
Swiftbot can now crawl non-production environments and platform domains like test-example.pantheonsite.io to support pre-release site search testing. For details, see Bots and Indexing on Pantheon.
July 1, 2019
Now when you create a new site on Pantheon, you can select from one of four regions across the globe, including Australia, Canada, and the European Union. For more info see Pantheon Site Regions and Data Residency.
July 1, 2019
Pantheon now recommends A/AAAA records instead of CNAME records. This change is to reduce complexity, confusion, and address a few edge cases introduced with CNAMEs. For example, the use of an MX or TXT record prevents the use of a CNAME. If you are already using a CNAME you can continue to do so or you can update to A/AAAA records as shown on the dashboard.
May 1, 2019
In January 2018, Pantheon announced migration of the Pantheon CMS Container Matrix to Google Cloud. Now, all site file storage, backup processing, and backup storage has moved from Amazon Web Services to Google Cloud. This change provides higher backup performance, higher reliability, and increased innovation ahead for all of Pantheon's customers.
May 1, 2019
Whether you need your WordPress or Drupal site to meet data residency requirements or have a performance use case not solved by caching requests through Pantheon’s Global CDN, contract customers can now create sites in the European Union. Also see the blog announcement.
March 1, 2019
Early Access to run sites in Pantheon’s new European Region is now available for contract customers. See regions for details and contact us for more info.
January 1, 2019
Pantheon is happy to announce our new Disaster Recovery Service, designed for mission-critical websites that need to ensure business continuity during the unlikely event of a zone failure. See the Disaster Recovery doc below for more information.
December 1, 2018
PHP 7.1 and 7.2 were updated to the latest versions on the platform. For information on changing minor versions (e.g., from 7.0 to 7.2), see Upgrade PHP Versions.
October 1, 2018
While we still recommend using a third-party email solution, for those who choose to use Pantheon's built-in message transfer agent (MTA), you may now set up an SPF record for your domain and include Pantheon's mail relays for improved delivery. For details, see: Email on Pantheon.
September 1, 2018
The platform was updated to PHP patch releases.
August 1, 2018
An improvement to our queuing system has resulted in a 60% reduction in average HTTPS provisioning times!
August 1, 2018
The latest version of Apache Tika, 1.18, is now available on the platform. See documentation on External Libraries on Pantheon for details.
May 1, 2018
PHP 5.5 and 5.3 have reached end-of-life (EOL), and PHP 5.6 and 7.0 will reach EOL in December 2018, so upgrade to PHP 7.1 or 7.2 as soon as possible.
May 1, 2018
The platform-wide build of PHP 7.2 now supports connecting to an external Microsoft SQL server via sqlsrv functions. Your CMS should use Pantheon's default database, but this unlocks use cases that require connecting to an external MS SQL server.
April 1, 2018
OCSP stapling is an improved method for quickly and safely checking the validity of certificates for HTTPS. You can use SSL Labs (e.g. https://www.ssllabs.com/ssltest/analyze.html?d=pantheon.io) and search for "stapling" to confirm that it is enabled. OCSP responses are typically good for about 7 days, so a response is only updated as the end of its validity period approaches.
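A scripted counterpart to the SSL Labs check above, as an added example that is not Pantheon's code: it reads the text printed by openssl s_client -status and reports whether a response was stapled, the certificate status, and the response's validity window. The sample outputs and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Text as printed by a command such as (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -status </dev/null
# Both samples are constructed for this example, not captured from a real site.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Apr  1 10:00:00 2018 GMT
    Cert Status: good
    This Update: Apr  1 10:00:00 2018 GMT
    Next Update: Apr  8 10:00:00 2018 GMT
"""
SAMPLE_UNSTAPLED = "OCSP response: no response sent\n"


def _field(text, name):
    """Return the value of a 'Name: value' line, or None if it is absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.+?)[ \t]*$", text, re.MULTILINE)
    return m.group(1) if m else None


def _when(value):
    """Parse an OpenSSL timestamp such as 'Apr  1 10:00:00 2018 GMT' as UTC."""
    if value is None:
        return None
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def staple_summary(text, now):
    """Describe the stapled OCSP response in `text`, judged at aware UTC time `now`."""
    status = _field(text, "OCSP Response Status")
    if status is None:  # covers "OCSP response: no response sent"
        return {"stapled": False, "acceptable": False}
    this_update = _when(_field(text, "This Update"))
    next_update = _when(_field(text, "Next Update"))  # Next Update is optional in OCSP
    fresh = this_update is not None and this_update <= now
    if next_update is not None:
        fresh = fresh and now < next_update
    lifetime_days = None
    if this_update and next_update:
        lifetime_days = (next_update - this_update).total_seconds() / 86400
    cert_status = _field(text, "Cert Status")
    return {
        "stapled": True,
        "cert_status": cert_status,
        "lifetime_days": lifetime_days,
        "fresh": fresh,
        "acceptable": status.startswith("successful") and cert_status == "good" and fresh,
    }
```

A staple that is present but past its Next Update time is reported with "fresh" set to False, which is the case a monitoring check should alert on.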
March 1, 2018
The Surrogate-Key-Raw header, used for debugging when using Pantheon Advanced Page Cache, is no longer sent by default. To receive this header when making a request, send the Pantheon-Debug: 1 header, like so:
curl -IsH "Pantheon-Debug:1" https://example.com | grep key
This change addressed an issue that caused Twitter card validation to fail, and also reduces overall page size and speeds up page load time when sending many keys.
February 1, 2018
On March 5th, the cost for legacy load balancers increased from $30/month to $60/month. To avoid increased charges, upgrade to the Global CDN, which includes free, automated HTTPS, by updating DNS records.
January 1, 2018
Pantheon has switched infrastructure providers from Rackspace to Google Cloud Platform. This switch requires no downtime, as we actually did it six months ago! Read the announcement here.
January 1, 2018
New Relic on Pantheon has been upgraded to version 7.7.0.203
5.0.199, which supports PHP 7.2.
December 1, 2017
- Added the HTML Tidy PHP extension.
- Fixed an issue where the Redis cache was not cleared during clone operations.
- Fixed an issue where repeated UTM_* parameters caused an infinite redirect loop.
November 1, 2017
Over 200,000 sites are already on Pantheon's Global CDN, but if you still have sites pointing to the legacy, deprecated infrastructure, you can now see which sites need an upgrade from your User or Organization Dashboard. Find the required DNS information from the Domains / HTTPS tab on each site environment. Complete the upgrade as soon as possible, and let us know if you have any questions.
Global CDN now respects the no-store directive in the cache-control header.
October 1, 2017
WebP, a new image format created by Google, is now supported by Pantheon’s Global CDN.
September 1, 2017
New Relic on Pantheon has been updated to version 7.5.0.199. You can read the release notes for this version in New Relic’s docs. This update also includes Drupal-specific fixes from previous versions, detailed in the release notes.
August 1, 2017
We improved cache clearing behavior for a large number of surrogate keys or cache tags. The fix was made internally by Pantheon and no action is required if you are already running WordPress or Drupal versions of Pantheon Advanced Page Cache. See the Pantheon Advanced Page Cache for WordPress and Drupal pages for more information.
July 1, 2017
Although our analysis indicated our customers were not likely subject to this vulnerability, we applied the recommended remediation for CVE-2017-7529.
July 1, 2017
Organizations using a Custom Upstream can now add and manage their upstreams without engaging Pantheon Support.
If your organization doesn’t yet use Custom Upstreams, and you are interested in access to this feature, tell us about your use-case.
June 1, 2017
New Relic's APM Availability Monitoring has known incompatibilities with SNI, which our HTTPS uses. Instead, we recommend configuring the free availability monitoring service within New Relic’s Synthetics Lite tool. For details, refer to New Relic APM Pro.
May 1, 2017
Pantheon has deployed new versions of Ghostscript and Openjpeg2 to mitigate the CVE-2016-8332 vulnerability. No user action is required.
The platform is not vulnerable to this exploit; no user action is required.
February 1, 2017
A vulnerability in the Linux Kernel was discovered that could allow users to gain root privileges. The Pantheon platform was quickly updated to prevent this privilege escalation.
November 1, 2016
Upgraded from 6.3.0.161 to 6.8.0.177. Includes a fix for an issue with Drupal 6 sites that could cause POST requests made using drupal_http_request to be converted into GET requests. Learn more.
October 1, 2016
You can now add custom domain names to your Multidev environments. Among other use cases, this allows you to use your company’s name in a URL when you show your work to customers or others in your organization.
September 1, 2016
Now your site’s Drush version is managed via pantheon.yml, so it’s in version control and deployed along with the rest of your code.
August 1, 2016
Nested docroot: Serve sites from a web subdirectory, one level beneath the root of your code repository. Among other use cases, this helps facilitate managing dependencies via Composer.
Protected Web Paths: Specify files or directories that you don’t want to be publicly web-accessible.
PHP Version: Now your site’s PHP version is managed via pantheon.yml so it’s in version control and deployed along with the rest of your code.
June 1, 2015
We are now providing richer and more accurate information about the background actions the Pantheon platform is performing on your sites. This includes commits, workflow actions and clear caches, including more details about the tasks that were performed.
April 1, 2015
We’ve officially completed a fleet-wide codeserver update to Fedora 20.
January 1, 2015
We upgraded from PHP 5.3 to 5.3.29. This is the last release for 5.3 and current users are encouraged, if possible, to upgrade to 5.5 in your site's Dashboard.
January 1, 2015
There's no need. Customer application containers and database servers that were already on up-to-date versions were not vulnerable to GHOST. Backing services were quickly patched, and our engineers further refined our patch deployment capability for even faster responses to future vulnerabilities. For more details, see the related Incident Report for Platform Operations.