April 15, 2024
PHP 8.1.28, 8.2.18, and 8.3.6 were released on the platform. They contain the latest bug fixes and security releases for PHP.
Updates include patches for the following CVEs (Common Vulnerabilities and Exposures):
- CVE-2024-1874 "Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows"
- CVE-2024-2756 "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix"
- CVE-2024-3096 "password_verify can erroneously return true, opening ATO risk"
- CVE-2024-2757 "mb_encode_mimeheader runs endlessly for some inputs" (PHP 8.3 only)
As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.2 and above.
April 10, 2024
The latest version of WordPress, 6.5.2, became available on Pantheon as of April 10, 2024.
Highlights
What happened to 6.5.1?
6.5.2 is the first minor release for WordPress 6.5 rather than 6.5.1. Yesterday, it was disclosed on the Make WordPress Core development site that due to an error with the initial package, 6.5.1 could not be released.
Upgrade to WordPress 6.5.2 right from your Pantheon dashboard or Terminus for added security.
March 20, 2024
As part of our continued effort to provide the latest and best in secure software, PHP versions 7.1 and below will reach end-of-sale (EoS) on May 15, 2024. This means that sites created after May 15 will not be able to change their PHP version to PHP 7.1, 7.0, or any version of PHP 5. Sites created with custom upstreams using EoS PHP may also have unexpected behavior upon site creation.
Sites already running PHP 5, PHP 7.0, or PHP 7.1 will continue to run even after May 15.
PHP 7.1 was declared end-of-life (EoL) by the PHP Foundation on November 30, 2020, more than three years ago. PHP 5.6 reached EoL on December 31, 2018, more than five years ago. EoL software does not receive security or feature updates, and could expose sites to attack if any vulnerabilities or exploits are discovered.
Action required
Customers using custom upstreams with a PHP version less than 7.2 should update their custom upstreams by May 15 to avoid disruption. The current supported versions of PHP are 8.1, 8.2, and 8.3. Pantheon currently recommends at least PHP 8.1 for all production sites.
March 18, 2024
PHP 8.2.17 and 8.3.4 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.
January 31, 2024
The latest version of WordPress, 6.4.3, became available on Pantheon as of January 30, 2024.
Highlights
- Security updates: Addressed two security vulnerabilities, including a PHP file upload bypass (limited to administrators), and an object injection mechanism that could be used to exploit an existing Remote Code Execution (RCE) vulnerability. Since this release fixes security vulnerabilities, users are urged to upgrade their sites immediately. For a detailed analysis of the two security patches, see this article from Patchstack.
- 5 bug fixes in Core
- 16 bug fixes in the Block Editor
Upgrade to WordPress 6.4.3 right from your Pantheon dashboard or Terminus for added security.
January 23, 2024
The latest version of WordPress, 6.4.2, became available on Pantheon as of December 6, 2023.
Highlights
- Security updates: Addressed a Remote Code Execution vulnerability. While not directly exploitable in Core, its potential severity was recognized, especially when combined with certain plugins, particularly in multisite installations.
- 7 bug fixes in Core: Resolved an issue causing inconsistencies in stylesheet and theme directories.
Upgrade to WordPress 6.4.2 right from your Pantheon dashboard or Terminus for added security.
December 1, 2023
We're thrilled to announce an impactful upgrade to Pantheon's security infrastructure, reinforcing our commitment to safeguarding your websites. In response to the escalating sophistication of distributed denial-of-service (DDoS) attacks, we've implemented innovative solutions to fortify our defenses. Particularly, we've addressed a surge in Layer 7 attacks targeting content management systems, ensuring resilience even without our Advanced Global CDN's Web Application Firewall (WAF).
Key benefits:
- Advanced DDoS protection: Our engineers have proactively countered Layer 7 attacks, mitigating risks posed by inauthentic traffic targeting web content management systems.
- Rate limiting capabilities: We've introduced rate limiting capabilities within our Global CDN, curbing abusive traffic effectively. This ensures a stable online presence, even during large-scale attacks, preventing wider stability issues.
For more in-depth insights into the measures we've taken and the value they bring to your Pantheon experience, delve into the full blog post. Your website's security and stability are our top priorities, and this enhancement is another step in our ongoing commitment to delivering a robust WebOps platform.
October 1, 2023
PHP 8.2.11 and 8.1.24 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 will reach End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.
September 1, 2023
Pantheon has deployed PHP versions 8.2.9, 8.1.22, and 8.0.30 to customer sites running on the platform. These releases address vulnerabilities disclosed in CVE-2023-3823 and CVE-2023-3824.
If you are using PHP 8.2, 8.1 or 8.0, there is nothing further that you need to do. If you are still on PHP 7.4 or earlier, though, you should schedule some time to upgrade to a supported version. While the vulnerabilities patched in these latest releases are not reported to affect PHP 7.4, the fact remains that there could be (and probably are) unpatched vulnerabilities in the end-of-life versions. Read more about it in Greg Anderson’s blog post.
July 1, 2023
As part of Pantheon's continual effort to stay current with modern web security standards, Pantheon is removing support for a specific set of TLS 1.2 cipher suites. Removing these ciphers enhances overall platform security: websites hosted on Pantheon will negotiate only stronger cipher suites, which helps protect sensitive information transmitted between users and the websites.
The following obsolete TLS 1.2 ciphers have known vulnerabilities and have been removed:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
Pantheon has proactively identified and communicated with affected customers. No action is required at this time, but if you have any questions/concerns, please feel free to reach out to your Account Team at Pantheon or to Pantheon Support via a ticket or chat.
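To make the policy behind that list concrete, here is an added Python example (not Pantheon's code, and not how the platform enforces the change) that audits a configured cipher-suite list. It assumes IANA-style suite names like those above; the sample list, which mixes the seven removed suites with a few modern ones, is constructed here. It generalises beyond the seven named suites: any suite with static RSA (or static DH/ECDH) key exchange, CBC mode, or a legacy bulk cipher is flagged, with the reason.

```python
"""Audit a TLS 1.2 cipher-suite list against a forward-secrecy / AEAD policy.

Added example, not Pantheon's code. Suite names use the IANA form shown
on this page (TLS_<kx>_WITH_<cipher>_<mac>). Two properties account for
every suite in the removal list above:
  * TLS_RSA_* key exchange encrypts the session key under the server's
    long-term RSA key, so a later key compromise decrypts recorded traffic
    (no forward secrecy).
  * *_CBC_* bulk encryption pairs CBC with HMAC, a construction with a
    history of padding-oracle attacks (Lucky13); AEAD modes (GCM,
    CHACHA20_POLY1305) do not have that weakness.
"""
import re
from dataclasses import dataclass

# kx = key exchange (ECDHE_RSA, RSA, ...), enc = bulk cipher (AES_128_CBC, ...),
# mac = MAC/PRF hash.  TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no _WITH_ part.
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+?)_(?P<mac>SHA256|SHA384|SHA|MD5)$")
TLS13_RE = re.compile(r"^TLS_(AES_\d+_GCM|AES_128_CCM(_8)?|CHACHA20_POLY1305)_SHA(256|384)$")


@dataclass(frozen=True)
class Verdict:
    suite: str
    allowed: bool
    reasons: tuple  # empty when allowed


def classify(suite: str) -> Verdict:
    """Return whether a suite passes the policy and, if not, why."""
    if TLS13_RE.match(suite):
        # TLS 1.3 suites are all AEAD and always use ephemeral (EC)DHE.
        return Verdict(suite, True, ())
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher-suite name: {suite}")
    kx, enc = m.group("kx"), m.group("enc")
    reasons = []
    if not kx.startswith(("ECDHE_", "DHE_")):
        reasons.append(f"no forward secrecy: static {kx} key exchange")
    if "_CBC" in enc:
        reasons.append("CBC mode with HMAC (padding-oracle history)")
    if enc.startswith(("RC4", "3DES", "DES", "NULL")) or "EXPORT" in kx:
        reasons.append(f"legacy bulk cipher {enc}")
    return Verdict(suite, not reasons, tuple(reasons))


def removed_suites(configured):
    """Suites from a configured list that the policy would drop, in input order."""
    return [s for s in configured if not classify(s).allowed]


# Constructed sample: the seven suites removed on this page plus three
# modern suites that a server should keep offering.
SAMPLE_CONFIG = [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for s in SAMPLE_CONFIG:
        v = classify(s)
        tag = "keep  " if v.allowed else "remove"
        detail = "" if v.allowed else "  <- " + "; ".join(v.reasons)
        print(f"{tag} {s}{detail}")
```

Note that TLS_RSA_WITH_AES_128_GCM_SHA256 is dropped even though it is an AEAD suite: the problem there is the static RSA key exchange, not the cipher mode, which is why the removal list above contains it alongside the CBC suites.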
December 1, 2021
WordPress 5.8.2 is available on the Pantheon platform. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. This security and maintenance release features two bug fixes in addition to one security fix. All versions since WordPress 5.2 have also been updated. Because this release fixes security vulnerabilities, users are urged to upgrade their sites immediately.
November 1, 2021
Drupal 9.2.7 is now available for production sites. Drupal 9 sites on Pantheon use Integrated Composer, enabling one-click core updates through the Dashboard. To check for available updates, click Check Now from the Site Dashboard Dev tab.
Drupal 9.2.x will receive security coverage until June 15, 2022. Sites on 9.1.x or earlier should update to Drupal 9.1.13.
July 1, 2021
WordPress 5.7.2 is available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation.
June 1, 2021
WP-CLI 2.5.0 is now available. This release fixes security vulnerabilities, and users are urged to upgrade. For more information, see the WP-CLI 2.5.0 release notes. Detailed information on using WP-CLI on the Pantheon Platform can be found in the WP-CLI documentation.
June 1, 2021
WordPress 5.7.2 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation.
May 1, 2021
WordPress 5.7.1 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the WordPress 5.7.1 release notes.
May 1, 2021
Drupal 9.1.7 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Integrated Composer One-Click Updates documentation. For more information, see the Drupal 9.1.7 release notes.
May 1, 2021
Drupal 8.9.14 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.14 release notes.
May 1, 2021
Drupal 7.80 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.80 release notes.
February 1, 2021
Drupal 7.78 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.78 release notes.
December 1, 2020
Drupal 8.9.9 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.9 release notes.
December 1, 2020
Drupal 7.74 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.74 release notes.
October 1, 2020
Drupal 8.9.6 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.6 release notes.
October 1, 2020
Drupal 8.8.10 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.8.10 release notes.
October 1, 2020
Drupal 7.73 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.73 release notes.
March 1, 2020
Advanced Global CDN extends Global CDN for customers that need unique customizations including personalization, domain masking, and extended enterprise-grade security features including a WAF, IP and geolocation blocking and blocklisting. Advanced Global CDN is available as an add-on product to all customers now.
January 1, 2020
Most UDP traffic originating from the platform has now been blocked in order to prevent platform abuse.
August 1, 2018
An improvement to our queuing system has resulted in a 60% reduction in average HTTPS provisioning times!
April 1, 2018
OCSP stapling is an improved method for quickly and safely checking the validity of certificates for HTTPS. You can use SSL Labs (e.g. https://www.ssllabs.com/ssltest/analyze.html?d=pantheon.io) and search for "stapling" to confirm that it is enabled. OCSP responses are typically good for about 7 days, so a stapled response is only refreshed as its validity period approaches expiration.
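Besides the SSL Labs report, the staple can be checked from the command line with `openssl s_client -connect host:443 -status`, which prints the stapled response (or "OCSP response: no response sent"). The following added Python example, not Pantheon's code, parses that output and turns it into a monitoring verdict; the capture it runs on is constructed here in the shape openssl prints, and the one-day warning window is an assumed threshold. Because responses are refreshed only as they near expiry, the check treats a staple that is about to expire as a warning, not a failure.

```python
"""Check that a server staples a fresh OCSP response.

Added example, not Pantheon's code. It works on the text that
`openssl s_client -connect host:443 -status </dev/null` prints, so it runs
offline here against a constructed capture; feed it real output to monitor
a site. OCSP responses are typically valid for about 7 days, so the check
also warns when the stapled response is close to its Next Update.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # e.g. "Apr  6 12:00:00 2018 GMT"


def _field(output: str, name: str) -> Optional[str]:
    """Value of an indented 'Name: value' line in openssl's OCSP dump."""
    m = re.search(rf"^\s*{re.escape(name)}: (.+)$", output, re.MULTILINE)
    return m.group(1).strip() if m else None


def parse_openssl_time(value: str) -> datetime:
    """openssl prints GMT timestamps; return them as aware UTC datetimes."""
    return datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_stapled_response(output: str) -> Optional[dict]:
    """Return the stapled OCSP fields, or None when the server sent no staple."""
    if "OCSP response: no response sent" in output:
        return None
    status = _field(output, "OCSP Response Status")
    if status is None:
        return None
    info = {"status": status.split(" ")[0],        # "successful (0x0)" -> "successful"
            "cert_status": _field(output, "Cert Status")}
    for key, name in (("this_update", "This Update"), ("next_update", "Next Update")):
        raw = _field(output, name)
        info[key] = parse_openssl_time(raw) if raw else None
    return info


def staple_health(output: str, now: datetime,
                  warn_within: timedelta = timedelta(days=1)) -> str:
    """One of: missing, bad-response, cert-<status>, expired, expiring, ok."""
    r = parse_stapled_response(output)
    if r is None:
        return "missing"            # no staple: clients fall back to a live OCSP query
    if r["status"] != "successful":
        return "bad-response"
    if r["cert_status"] != "good":
        return f"cert-{r['cert_status']}"
    if r["next_update"] is None or now >= r["next_update"]:
        return "expired"            # clients will reject a stale staple
    if now + warn_within >= r["next_update"]:
        return "expiring"           # refresh is due; alert if it does not happen
    return "ok"


# Constructed capture in the shape of openssl's -status output (abridged).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Mar 30 12:00:00 2018 GMT
    Responses:
    Cert Status: good
    This Update: Mar 30 12:00:00 2018 GMT
    Next Update: Apr  6 12:00:00 2018 GMT
======================================
"""

SAMPLE_NO_STAPLE = "OCSP response: no response sent\n"

if __name__ == "__main__":
    now = datetime(2018, 4, 1, tzinfo=timezone.utc)
    print("stapled:", staple_health(SAMPLE_STAPLED, now))
    print("none   :", staple_health(SAMPLE_NO_STAPLE, now))
```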
March 1, 2018
Drupal 8.5.1 has been pushed to all Drupal 8 site dashboards. This release is classified as a security release and all users are urged to upgrade their sites as soon as possible.
Drupal 7.58 has been pushed to all Drupal 7 site dashboards. This release is classified as a security release and all users are urged to upgrade their sites as soon as possible.
Drupal 6.40 has been pushed to all Drupal 7 site dashboards. This release is classified as a security release and all users are urged to upgrade their sites as soon as possible.
February 1, 2018
Drupal 8.4.5, a security release, has been pushed to all Drupal 8 site dashboards.
Drupal 7.57, a security release, has been pushed to all Drupal 7 site dashboards. All users are urged to upgrade their sites as soon as possible.
July 1, 2017
Although our analysis indicated our customers were not likely subject to this vulnerability, we applied the recommended remediation for CVE-2017-7529.
May 1, 2017
Pantheon has deployed new versions of Ghostscript and Openjpeg2 to mitigate the CVE-2016-8332 vulnerability. The platform is not vulnerable to this exploit; no user action is required.
February 1, 2017
A vulnerability in the Linux Kernel was discovered that could allow users to gain root privileges. The Pantheon platform was quickly updated to prevent this privilege escalation.
January 1, 2017
This is a security patch put out by WordPress and made available as a one-click upgrade in the Pantheon Site Dashboard. We suggest all users upgrade immediately if you haven’t already. See our Status Post for more information.
November 1, 2016
Drupal 8.2.3 and Drupal 7.52 releases have been pushed to all Pantheon Dashboards which include maintenance and security fixes. Learn more.
July 1, 2016
There were multiple releases of Drupal contributed modules that fix highly critical remote code execution vulnerabilities. The Drupal Security Team urges you to update the modules immediately. See more information on Drupal.org.
October 1, 2015
We upgraded Varnish 3 to Varnish 4. This allows us to keep up with operating system and security upgrades. This upgrade includes overall stabilization improvements and we expect 100% backward compatibility.
July 1, 2015
WordPress 4.2.3 is now available. This is a security release for all previous versions to protect against a cross-site scripting vulnerability that could allow users with the Contributor or Author role to compromise a site. Read Josh’s post recapping the ways we save users from automatic updates breaking their sites.
May 1, 2015
We did an emergency reboot of all servers during DrupalCon to install a patch for the Venom security vulnerability.
April 1, 2015
WordPress 4.2 came out this month to great fanfare. For more details, see Version 4.2 announcement. A few days later, the core team released a security update. We were on it, and the most recent version is available in all Pantheon WordPress Site Dashboards. We recommend updating all of your WordPress sites as soon as possible.
April 1, 2015
We now have encryption for routing to the appserver, so if you’re running HTTPS you will automatically have end-to-end encryption on non-free sites.
January 1, 2015
There's no need. Customer application containers and database servers that were already on up-to-date versions were not vulnerable to GHOST. Backing services were quickly patched, and our engineers further refined our patch deployment capability for even faster responses to future vulnerabilities. For more details, see the related Incident Report for Platform Operations.