backdrop-contrib / references

References module for Backdrop CMS
GNU General Public License v2.0

Security issue DRUPAL-SA-CONTRIB-2017-38 #7

Closed Al-Rozhkov closed 7 years ago

Al-Rozhkov commented 7 years ago

https://www.drupal.org/node/2869138

There is a known security issue with the module that has not been fixed by the maintainer.

I didn't find any details about the vulnerability. This module has 120k installs in D7 and is one of the most popular modules in Backdrop according to information from https://backdropcms.org/project/usage.

Al-Rozhkov commented 7 years ago

The D7 project was updated and is available again. https://www.drupal.org/project/references

klonos commented 7 years ago

Since this was a security release, I've committed the changes made in the d.org module as is. @Al-Rozhkov are you using this module in production? If so, can you please have a quick check and, if you think it's OK, let's tag a new release.

klonos commented 7 years ago

Pinging @jromine (listed as the current maintainer), @herbdool (tagged the 1.0.0 release) & @jenlampton (input/advice on how to proceed with a new release).

klonos commented 7 years ago

...feel free to unassign yourselves if you think there's nothing you can do.

herbdool commented 7 years ago

Thanks @klonos. First step: I can make a new release and mention it's a security fix. Second, @jenlampton or @serundeputy can mark the old release as having a security issue (can't do it from GitHub yet). Third, we'll probably need to find a new maintainer. @jromine I believe you've stepped away from Backdrop, am I correct?

jromine commented 7 years ago

I'm still following the project, but not active at present. Glad to see someone port this fix; I was about to look at doing that myself.

jackaponte commented 7 years ago

Wow, thanks for putting this on my radar y'all; hadn't noticed the new References D7 release. What a relief!

Al-Rozhkov commented 7 years ago

I think we can close this.

klonos commented 7 years ago

@jenlampton or @serundeputy can mark the old release as having a security issue (can't do it from github yet).

Can't do that on b.org either; we do the opposite: mark the new release as a security release. I think it doesn't make sense otherwise either, since all releases prior to a security release should then be marked as having security issues. Anyways, point is: Done:
