drush-ops / drush

Drush is a command-line shell and scripting interface for Drupal, a veritable Swiss Army knife designed to make life easier for those who spend their working hours hacking away at the command prompt.
https://www.drush.org

SECURITY UPDATE available after upgrading to latest Drupal version (8.6.15) #4050

Open eric-yellin opened 5 years ago

eric-yellin commented 5 years ago

After upgrading Drupal core to the latest 8.6.15 version with Drush and then running `drush ups`, the output shows:

Name     Installed Version   Proposed version   Message
Drupal   8.6.15              8.6.15             SECURITY UPDATE available

Expected behavior: No message to upgrade core should appear after upgrading to the latest version.

Drush version: 8.1.17
PHP version: 7.2
OS: Linux

weitzman commented 5 years ago

Maybe run drush cr and retry.

tjharman commented 5 years ago

I also have this problem. "drush cr" doesn't work. Unpacking the latest version manually doesn't work either (i.e. doing a manual upgrade, not using drush).

Here's a log of me updating via drush for about the 5th time today :)

root@micro:~# drush @tjh up
Update information last refreshed: Tue, 23/04/2019 - 09:46
 Name    Installed Version  Proposed version  Message
 Drupal  8.6.15             8.6.15            SECURITY UPDATE available

Code updates will be made to drupal core.
WARNING:  Updating core will discard any modifications made to Drupal core files, most noteworthy among these are .htaccess and robots.txt.  If you have made any modifications to these files, please back them up before updating so that you can re-create your modifications in the updated version of the file.
Note: Updating core can potentially break your site. It is NOT recommended to update production sites without prior testing.

Do you really want to continue? (y/n): y
Project drupal was updated successfully. Installed version is now 8.6.15.
Backups were saved into the directory /root/drush-backups/diary/20190422214626/drupal. [ok]
No database updates required [success]
root@micro:~# drush @tjh cr
Cache rebuild complete. [ok]
root@micro:~# drush @tjh up
Update information last refreshed: Tue, 23/04/2019 - 09:46
 Name    Installed Version  Proposed version  Message
 Drupal  8.6.15             8.6.15            SECURITY UPDATE available

Code updates will be made to drupal core.
WARNING:  Updating core will discard any modifications made to Drupal core files, most noteworthy among these are .htaccess and robots.txt.  If you have made any modifications to these files, please back them up before updating so that you can re-create your modifications in the updated version of the file.
Note: Updating core can potentially break your site. It is NOT recommended to update production sites without prior testing.

Do you really want to continue? (y/n): n
Rolling back all changes. Run again with --no-core to update modules only.
Cancelled. [cancel]
No database updates required [success]
root@micro:~# drush --version
 Drush Version   :  8.2.3

s427 commented 5 years ago

I have the same problem, with Drush 8.1.15 on Windows 10 (Drupal 8.6.15). I tried drush cr and drush updatedb (-> "no database updates required") but it hasn't solved the problem.

paddydoyle commented 5 years ago

Am also seeing this with drush version 8.2.3. Have tried drush rf, drush cr and drush updatedb but it still says "8.6.15 SECURITY UPDATE available".

Drush version: 8.2.3
PHP version: 7.0
OS: Linux

pobtastic commented 5 years ago

The problem is that the code cycles through the releases for any release with a term of "Security update" ... it only bails when the version found matches the currently installed version. Hence, now that 8.7.0-rc1 is out (and is a security release), it populates the array and then hits this, regardless of the version being higher:

// Any collected security release marks the project as not secure,
// no matter which branch that release belongs to.
if (!empty($project_data['security updates'])) {
  $project_data['status'] = DRUSH_UPDATESTATUS_NOT_SECURE;
}

If you're like me and stuck on the 8.x branch due to needing deprecated commands (in our case, mainly dl for CI usage), then just update your /lib/Drush/UpdateService/StatusInfoDrush.php file:

      // Stop searching once we hit the currently installed version.
      if ($project_data['existing_version'] === $version) {
        break;
      }
      // Skip over versions greater than our currently installed version.
      elseif ($project_data['existing_version'] < $version) {
        continue;
      }

I'll make a patch if there's any chance of this being included? I was incredibly confused to see that version_minor isn't used?

weitzman commented 5 years ago

Sure, a PR would be welcome.

This command was written when drupal core only had 1 supported branch at a time.

pobtastic commented 5 years ago

I'll have a think about how to achieve it ... as the above isn't the answer, it's just a workaround for getting our CI jobs to pass. It needs to ignore version_major + version_minor ~ not all releases higher than the current version (else it'll ignore 8.6.16 too!). It's fine for us for now as we're on the ball with new security releases.

greg-1-anderson commented 5 years ago

This is not a super easy problem to solve. If there is a newer security release on the same major.minor series that you are currently on, then you are definitely NOT secure. However, what if you are on the most recent release of your major.minor series, but there are also security releases available on a later major.minor series? These releases should cause your Drupal site to be flagged as insecure UNLESS all of those security releases have been applied to the release that you have installed.

In order to get this right, you'll have to look at the release notes for all of the security releases that appear on later branches. (You can perhaps optimize this by pruning releases that came out before the release currently installed on the active Drupal site, under the assumption that every security release fixes all known vulnerabilities.) You will need to pull out all occurrences of strings similar to "SA-CORE-yyyy-nn", and see if all of those also appear in the release notes of the security release already applied (or some earlier security release, if you do not prune releases as previously suggested).

Perhaps a good first step would be to add another output field that extracts and displays the list of "SA-CORE-yyyy-nn" advisories fixed in each release.
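The three checks discussed in this thread side by side, as an added example (not Drush's own code): the branch-blind scan pobtastic traced above, the branch-aware variant pobtastic proposed (same major.minor only, so a hypothetical 8.6.16 still flags the site), and greg-1-anderson's advisory-coverage idea that extracts "SA-CORE-yyyy-nn" identifiers from release notes. The release arrays are a constructed, simplified stand-in for what Drush's update-status parser produces; the field names, the `notes` text and the advisory numbers are assumptions made for the example.

```php
<?php
// Added illustration, not Drush's own code: three ways of deciding whether
// an installed Drupal core is "secure" from a list of available releases.
// The release arrays below are a constructed, simplified stand-in for what
// Drush's update-status XML parser produces; field names are assumed, and
// 'notes' stands in for the text of each release's linked release notes.

function is_security_release(array $r): bool {
    return in_array('Security update', $r['terms'], true);
}

// Find the release entry for the installed version (null if unknown).
function find_release(array $releases, string $version): ?array {
    foreach ($releases as $r) {
        if ($r['version'] === $version) {
            return $r;
        }
    }
    return null;
}

// 1. The behaviour the thread describes: walk releases newest-first and
//    collect every security release until the installed version is reached,
//    whatever branch it belongs to. A security release on a newer branch
//    (8.7.0-rc1 while 8.6.15 is installed) keeps the site flagged forever.
function status_any_branch(array $releases, string $installed): array {
    $flagged = [];
    foreach ($releases as $r) {
        if ($r['version'] === $installed) {
            break;
        }
        if (is_security_release($r)) {
            $flagged[] = $r['version'];
        }
    }
    return [$flagged ? 'NOT SECURE' : 'secure', $flagged];
}

// 2. Branch-aware variant: only security releases on the installed
//    major.minor series count, so 8.7.0-rc1 is ignored but a hypothetical
//    8.6.16 would still flag the site.
function status_same_branch(array $releases, string $installed): array {
    $current = find_release($releases, $installed);
    $flagged = [];
    foreach ($releases as $r) {
        if ($r['version'] === $installed) {
            break;
        }
        $same_branch = $current !== null
            && $r['version_major'] === $current['version_major']
            && $r['version_minor'] === $current['version_minor'];
        if ($same_branch && is_security_release($r)) {
            $flagged[] = $r['version'];
        }
    }
    return [$flagged ? 'NOT SECURE' : 'secure', $flagged];
}

// Pull advisory identifiers of the form SA-CORE-yyyy-nnn out of release notes.
function advisories(string $notes): array {
    preg_match_all('/SA-CORE-\d{4}-\d{2,3}/', $notes, $m);
    return array_values(array_unique($m[0]));
}

// 3. Advisory-coverage variant: a newer security release on any branch only
//    makes the site insecure if it fixes an advisory that the installed
//    release (or an older one) did not already fix.
function status_by_advisories(array $releases, string $installed): array {
    $covered = [];
    foreach ($releases as $r) {
        if (version_compare($r['version'], $installed, '<=')) {
            $covered = array_merge($covered, advisories($r['notes']));
        }
    }
    $uncovered = [];
    foreach ($releases as $r) {
        if (version_compare($r['version'], $installed, '>') && is_security_release($r)) {
            foreach (array_diff(advisories($r['notes']), $covered) as $sa) {
                $uncovered[$sa] = $r['version'];
            }
        }
    }
    return [$uncovered ? 'NOT SECURE' : 'secure', $uncovered];
}

// Constructed fixture, newest first, as Drush iterates update data.
// Advisory numbers are made up for the example.
$releases = [
    ['version' => '8.7.0-rc1', 'version_major' => 8, 'version_minor' => 7,
     'terms' => ['Security update'], 'notes' => 'Fixes SA-CORE-2019-001 (same fix as 8.6.15).'],
    ['version' => '8.6.15', 'version_major' => 8, 'version_minor' => 6,
     'terms' => ['Security update'], 'notes' => 'Fixes SA-CORE-2019-001.'],
    ['version' => '8.6.14', 'version_major' => 8, 'version_minor' => 6,
     'terms' => ['Bug fixes'], 'notes' => 'Bug fixes only.'],
];

foreach (['status_any_branch', 'status_same_branch', 'status_by_advisories'] as $check) {
    [$status, $detail] = $check($releases, '8.6.15');
    printf("%-22s %-10s %s\n", $check, $status, json_encode($detail));
}

// Now a newer-branch security release fixes an advisory that 8.6.15 never
// received: the branch-aware check still says "secure", the advisory check does not.
array_unshift($releases, ['version' => '8.7.1', 'version_major' => 8, 'version_minor' => 7,
    'terms' => ['Security update'], 'notes' => 'Fixes SA-CORE-2019-002.']);
foreach (['status_same_branch', 'status_by_advisories'] as $check) {
    [$status, $detail] = $check($releases, '8.6.15');
    printf("%-22s %-10s %s\n", $check, $status, json_encode($detail));
}
```

Run it with `php example.php`. On the first fixture only the branch-blind scan reports NOT SECURE (listing 8.7.0-rc1), reproducing the false positive in this issue; on the second fixture the branch-aware check stays quiet while the advisory check flags SA-CORE-2019-002 via 8.7.1, which is the gap greg-1-anderson describes. Real release notes would need the identifiers fetched from each release's link rather than an inline `notes` string.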

TrevorBradleyCDN commented 5 years ago

Just a note that this isn't that there's some hidden 8.6.15.1 that updates 8.6.15.0. Drush (8) is continually asking to update 8.6.15, no matter how many times 8.6.15 is installed.

tjharman commented 5 years ago

@TrevorBradleyCDN Read the issue, the reason this is happening is mentioned and understood now.

TrevorBradleyCDN commented 5 years ago

@tjharman Missed pobtastic's earlier comment. Understood now - it's glitching on 8.7.0-beta being an available update.

Thanks!