Pantheon release notes: Security

April 15, 2024

PHP 8.1.28, 8.2.18, and 8.3.6 were released on the platform. They contain the latest bug fixes and security releases for PHP.

Updates include patches for the following CVEs (Common Vulnerabilities and Exposures):

  • CVE-2024-1874 "Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows"
  • CVE-2024-2756 "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix"
  • CVE-2024-3096 "password_verify can erroneously return true, opening ATO risk"
  • CVE-2024-2757 "mb_encode_mimeheader runs endlessly for some inputs" (PHP 8.3 only)

As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.2 and above.

April 10, 2024

The latest version of WordPress, 6.5.2, became available on Pantheon as of April 10, 2024.

Highlights

What happened to 6.5.1?

6.5.2 is the first minor release for WordPress 6.5 rather than 6.5.1. Yesterday, it was disclosed on the Make WordPress Core development site that due to an error with the initial package, 6.5.1 could not be released.

Upgrade to WordPress 6.5.2 right from your Pantheon dashboard or Terminus for added security.

March 20, 2024

As part of our continued effort to provide the latest and best in secure software, PHP versions 7.1 and below will reach end-of-sale (EoS) on May 15, 2024. This means that sites created after May 15 will not be able to change their PHP version to PHP 7.1, 7.0, or any version of PHP 5. Sites created with custom upstreams using EoS PHP may also have unexpected behavior upon site creation.

Sites already running PHP 5, PHP 7.0, or PHP 7.1 will continue to run even after May 15.

PHP 7.1 was declared end-of-life (EoL) by the PHP Foundation on November 30, 2020, more than three years ago. PHP 5.6 reached EoL on December 31, 2018, more than five years ago. EoL software does not receive security or feature updates, and could expose sites to attack if any vulnerabilities or exploits are discovered.

Action required

Customers using custom upstreams with a PHP version less than 7.2 should update their custom upstreams by May 15 to avoid disruption. The current supported versions of PHP are 8.1, 8.2, and 8.3. Pantheon currently recommends at least PHP 8.1 for all production sites.

March 18, 2024

PHP 8.2.17 and 8.3.4 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.

January 31, 2024

The latest version of WordPress, 6.4.3, became available on Pantheon as of January 30, 2024.

Highlights

  • Security updates: Addressed two security vulnerabilities, including a PHP file upload bypass (limited to administrators), and an object injection mechanism that could be used to exploit an existing Remote Code Execution (RCE) vulnerability. Since this release fixes security vulnerabilities, users are urged to upgrade their sites immediately. For a detailed analysis of the two security patches, see this article from Patchstack.
  • 5 bug fixes in Core
  • 16 bug fixes in the Block Editor

Upgrade to WordPress 6.4.3 right from your Pantheon dashboard or Terminus for added security.

January 23, 2024

The latest version of WordPress, 6.4.2, became available on Pantheon as of December 6, 2023.

Highlights

  • Security updates: Addressed a Remote Code Execution vulnerability. While not directly exploitable in Core, its potential severity was recognized, especially when combined with certain plugins, particularly in multisite installations.
  • 7 bug fixes in Core: Resolved an issue causing inconsistencies in stylesheet and theme directories.

Upgrade to WordPress 6.4.2 right from your Pantheon dashboard or Terminus for added security.

December 1, 2023

We're thrilled to announce an impactful upgrade to Pantheon's security infrastructure, reinforcing our commitment to safeguarding your websites. In response to the escalating sophistication of distributed denial-of-service (DDoS) attacks, we've implemented innovative solutions to fortify our defenses. Particularly, we've addressed a surge in Layer 7 attacks targeting content management systems, ensuring resilience even without our Advanced Global CDN's Web Application Firewall (WAF).

Key benefits:

  • Advanced DDoS protection: Our engineers have proactively countered Layer 7 attacks, mitigating risks posed by inauthentic traffic targeting web content management systems.
  • Rate limiting capabilities: We've introduced rate limiting capabilities within our Global CDN, curbing abusive traffic effectively. This ensures a stable online presence, even during large-scale attacks, preventing wider stability issues.

For more in-depth insights into the measures we've taken and the value they bring to your Pantheon experience, delve into the full blog post. Your website's security and stability are our top priorities, and this enhancement is another step in our ongoing commitment to delivering a robust WebOps platform.

October 1, 2023

PHP 8.2.11 and 8.1.24 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 will reach End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.

October 1, 2023

On September 20th, Drupal core updates were released to address a critical vulnerability in the JSON:API module. Those updates became immediately available within the Pantheon dashboard for one-click code updates. Additionally, our engineers updated our CDN to mitigate potential attacks.

If you have a Drupal site using JSON:API we suggest you update as soon as possible if you haven't done so already. And even if you aren't using JSON:API, it'll still feel good to apply an update, right? To better understand the nature of security updates, come watch the Pantheon YouTube Livestream on October 25th.

September 1, 2023

Pantheon has deployed PHP versions 8.2.9, 8.1.22, and 8.0.30 to customer sites running on the platform. These releases address vulnerabilities disclosed in CVE-2023-3823 and CVE-2023-3824.

If you are using PHP 8.2, 8.1 or 8.0, there is nothing further that you need to do. If you are still on PHP 7.4 or earlier, though, you should schedule some time to upgrade to a supported version. While the vulnerabilities patched in these latest releases are not reported to affect PHP 7.4, the fact remains that there could be (and probably are) unpatched vulnerabilities in the end-of-life versions. Read more about it in Greg Anderson’s blog post.

July 1, 2023

In Pantheon's continual efforts to stay up to date with modern web security standards, Pantheon is removing support for a certain set of cipher suites for TLS 1.2. By removing support for specific TLS 1.2 ciphers, Pantheon is enhancing overall platform security. This change ensures that the websites hosted on Pantheon will only use stronger and more secure encryption protocols, which helps protect sensitive information transmitted between users and the websites.

The following obsolete TLS 1.2 ciphers have known vulnerabilities and have been removed:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA

Pantheon has proactively identified and communicated with affected customers. No action is required at this time, but if you have any questions/concerns, please feel free to reach out to your Account Team at Pantheon or to Pantheon Support via a ticket or chat.
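To see what each of the seven suites above has in common, here is an added Python example (not Pantheon's tooling) that parses IANA-style TLS 1.2 suite names and reports the properties that make a suite obsolete. It generalizes beyond the seven listed names to other legacy suites such as RC4 and 3DES; the rejection rules are this example's own assumptions, not a statement of Pantheon's policy.

```python
"""Classify TLS 1.2 cipher-suite names and flag obsolete properties.

Added example. The seven names in REMOVED_SUITES are the ones listed in
the July 2023 note; the parsing and the rejection rules are assumptions
chosen for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed input: the suites the note above says were removed.
REMOVED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

AEAD_MODES = {"GCM", "CCM", "POLY1305"}


def parse_suite(name: str) -> Tuple[str, str, str, Optional[str], str]:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>[_<mode>]_<mac> into parts.

    Returns (key_exchange, authentication, cipher, mode, mac). A bare
    TLS_RSA_* name means RSA does both key exchange and authentication.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 style suite name: {name}")
    left, right = name[4:].split("_WITH_", 1)
    kx_tokens = left.split("_")
    kx = kx_tokens[0]
    auth = kx_tokens[1] if len(kx_tokens) > 1 else kx
    tokens = right.split("_")
    mac = tokens[-1]              # HMAC hash, or the PRF hash for AEAD suites
    body = tokens[:-1]
    mode = next((t for t in body if t in AEAD_MODES | {"CBC"}), None)
    cipher = "_".join(t for t in body if t != mode)
    return kx, auth, cipher, mode, mac


def weaknesses(name: str) -> List[str]:
    """Reasons a suite should not be offered; an empty list means acceptable."""
    kx, _auth, cipher, mode, _mac = parse_suite(name)
    reasons = []
    if kx == "RSA":
        reasons.append("static RSA key exchange: no forward secrecy")
    if mode == "CBC":
        reasons.append("CBC with MAC-then-encrypt: not AEAD, padding-oracle class bugs")
    elif mode is None:
        reasons.append("no AEAD mode")
    if cipher.startswith(("RC4", "3DES", "DES", "NULL")) or "EXPORT" in name:
        reasons.append(f"legacy cipher {cipher}")
    return reasons


def audit(suites) -> Dict[str, List[str]]:
    """Map each configured suite name to its list of weaknesses."""
    return {s: weaknesses(s) for s in suites}
```

Run `audit(REMOVED_SUITES)` to see that every removed suite is flagged for static RSA key exchange, CBC mode, or both, while an ECDHE + AES-GCM suite comes back clean.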

December 1, 2021

WordPress 5.8.2 is available on the Pantheon platform. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. This security and maintenance release features two bug fixes in addition to one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated. This release fixes security vulnerabilities and users are urged to upgrade their sites immediately.

November 1, 2021

Drupal 9.2.7 is now available for production sites. Drupal 9 sites on Pantheon use Integrated Composer, enabling one-click core updates through the Dashboard. To check for available updates, click Check Now from the Site Dashboard Dev tab.

Drupal 9.2.x will receive security coverage until June 15, 2022. Sites on 9.1.x or earlier should update to Drupal 9.1.13.

August 1, 2021

WordPress 5.8 is available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation.

July 1, 2021

WordPress 5.7.2 is available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation.

June 1, 2021

WP-CLI 2.5.0 is now available. This release fixes security vulnerabilities, and users are urged to upgrade. For more information, see the WP-CLI 2.5.0 release notes. Detailed information on using WP-CLI on the Pantheon Platform can be found in the WP-CLI documentation.

June 1, 2021

WordPress 5.7.2 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation.

May 1, 2021

WordPress 5.7.1 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the WordPress 5.7.1 release notes.

May 1, 2021

Drupal 9.1.7 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Integrated Composer One-Click Updates documentation. For more information, see the Drupal 9.1.7 release notes.

May 1, 2021

Drupal 8.9.14 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.14 release notes.

May 1, 2021

Drupal 7.80 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.80 release notes.

February 1, 2021

Drupal 8.9.13 is now available on the Pantheon platform. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.13 release notes.

February 1, 2021

Drupal 7.78 is now available on the Pantheon platform. This release fixes security vulnerabilities, and users are urged to upgrade their sites immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.78 release notes.

December 1, 2020

Drupal 8.9.9 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.9 release notes.

December 1, 2020

Drupal 7.74 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.74 release notes.

October 1, 2020

Drupal 8.9.6 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.9.6 release notes.

October 1, 2020

Drupal 8.8.10 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 8.8.10 release notes.

October 1, 2020

Drupal 7.73 is now available on the Pantheon platform. This release fixes security vulnerabilities, and sites are urged to upgrade immediately. Detailed information on applying and debugging core updates can be found in the Core Updates documentation. For more information, see the Drupal 7.73 release notes.

March 1, 2020

Advanced Global CDN extends Global CDN for customers that need unique customizations including personalization, domain masking, and extended enterprise-grade security features including a WAF, IP and geolocation blocking and blocklisting. Advanced Global CDN is available as an add-on product to all customers now.

January 1, 2020

Most UDP traffic originating from the platform has now been blocked in order to prevent platform abuse.

October 1, 2019

This release also includes several options to control HSTS and the ability to choose a primary domain. For details see the blog announcement, Pantheon YAML documentation and our updated Launch Essentials guide.

August 1, 2018

An improvement to our queuing system has resulted in a 60% reduction in average HTTPS provisioning times!

April 1, 2018

OCSP stapling is an improved method for quickly and safely checking the validity of certificates for HTTPS. You can use SSL Labs (e.g. https://www.ssllabs.com/ssltest/analyze.html?d=pantheon.io) and search for "stapling" to confirm that it is enabled. OCSP responses are typically valid for about 7 days, so a stapled response is only refreshed as its validity period approaches expiration.

March 1, 2018

We’ve upgraded to PHP 5.6.35, 7.0.29, 7.1.16, and 7.2.4. See our documentation to learn how to upgrade your PHP version.

March 1, 2018

Drupal 8.5.1 has been pushed to all Drupal 8 site dashboards. This release is classified as a security release and all users are urged to upgrade their sites as soon as possible.

Drupal 7.58 has been pushed to all Drupal 7 site dashboards. This release is classified as a security release and all users are urged to upgrade their sites as soon as possible.

Drupal 6.40 has been pushed to all Drupal 7 site dashboards. This release is classified as a security release and all users are urged to upgrade their sites as soon as possible.

February 1, 2018

PHP 5.6, 7.0, 7.1, and 7.2 have been updated to the latest versions platform-wide to address a vulnerability that could allow for arbitrary code execution.

February 1, 2018

Drupal 8.4.5, a security release, has been pushed to all Drupal 8 site dashboards.

Drupal 7.57, a security release, has been pushed to all Drupal 7 site dashboards. This release is classified as a security release and all users are urged to upgrade their sites as soon as possible.

July 1, 2017

Although our analysis indicated our customers were not likely subject to this vulnerability, we applied the recommended remediation for CVE-2017-7529.

May 1, 2017

CVE-2016-8332

Pantheon has deployed new versions of Ghostscript and Openjpeg2 to mitigate the CVE-2016-8332 vulnerability. No user action is required.

CVE-2017-8295

The platform is not vulnerable to this exploit; no user action is required.

February 1, 2017

A vulnerability in the Linux Kernel was discovered that could allow users to gain root privileges. The Pantheon platform was quickly updated to prevent this privilege escalation.

January 1, 2017

This is a security patch put out by WordPress and made available as a one-click upgrade in the Pantheon Site Dashboard. We suggest all users upgrade immediately if you haven’t already. See our Status Post for more information.

December 1, 2016

Pantheon has released two security patches for WordPress 4.7. For details, see WordPress 4.7-p1 - CVE-2016-10033 and WordPress 4.7-p2 - CVE-2016-10045.

November 1, 2016

Mitigated the Dirty COW (CVE-2016-5195) Linux kernel privilege escalation vulnerability.

November 1, 2016

The Drupal 8.2.3 and Drupal 7.52 releases, which include maintenance and security fixes, have been pushed to all Pantheon Dashboards. Learn more.

July 1, 2016

There were multiple releases of Drupal contributed modules that fix highly critical remote code execution vulnerabilities. The Drupal Security Team urges you to update the modules immediately. See more information on Drupal.org.

October 1, 2015

We upgraded Varnish 3 to Varnish 4. This allows us to keep up with operating system and security upgrades. This upgrade includes overall stabilization improvements, and we expect 100% backward compatibility.

July 1, 2015

WordPress 4.2.3 is now available. This is a security release for all previous versions to protect against a cross-site scripting vulnerability that could allow users with the Contributor or Author role to compromise a site. Read Josh’s post recapping the ways we save users from automatic updates breaking their sites.

May 1, 2015

We did an emergency reboot of all servers during DrupalCon to install a patch for the Venom security vulnerability.

April 1, 2015

WordPress 4.2 came out this month to great fanfare. For more details, see Version 4.2 announcement. A few days later, the core team released a security update. We were on it, and the most recent version is available in all Pantheon WordPress Site Dashboards. We recommend updating all of your WordPress sites as soon as possible.

April 1, 2015

We now have encryption for routing to appserver, so if you’re running HTTPS you will automatically have end-to-end encryption on non-free sites.

January 1, 2015

There's no need. Customer application containers and database servers that were already on up-to-date versions were not vulnerable to GHOST. Backing services were quickly patched, and our engineers further refined our patch deployment capability for even faster responses to future vulnerabilities. For more details, see the related Incident Report for Platform Operations.