@levendclk, there is a fresh and different advisory for Twig < 3.14.1. https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
The issue being discussed here was composer configuration for Drupal core that wouldn't let you manually update Twig to 3.14.0 when that was the secured version. That is now fixed, you can update to 3.14.0, and as I've just verified in response to the latest vulnerability you can also update to 3.14.1.
"Drupal core below 11.0.4"
Actually the github advisory says "<=11.04", so even 11.04 is vulnerable and will cause problems.
jamesoakley → created an issue.
It does look rather similar, doesn't it? I wonder if this is why the Drupal 11 compatibility for this module hasn't been progressed - it's just not needed any more.
I too would love to know if this module supplies anything the new core features otherwise miss.
Glad it worked. Stats show it used to be way more widely used, not sure why it's dropped off. I picked up maintaining when a previous maintainer didn't have time to keep working on it, so happy to keep it ticking along. I use it too. Great website - looks like a welcoming and faithful place - have a good Sunday.
Drupal 10.3 mandated having text format settings in the module schema. Can you please check the dev release or the patch I've just committed, then I'll push out a tagged release if this fixes things for you.
Michael, the link seems to have vanished (the mediawiki site is no longer there). I found this in Google https://openlitespeed.org/kb/litespeed-cache-for-drupal-on-openlitespeed/, but that link now redirects to the OLS homepage. Any chance you could put a guide on this website so it persists through any changes to your website?
Strange problem that I haven't met before and others haven't reported. I'll have a look and see if I can find what's wrong. Thanks for reporting it, and thanks for adding the version of core to your issue summary. Have you just installed the module and it's never worked, or has it come with you through earlier versions of Core and you're now having trouble adding this to an additional text format?
Meanwhile, while we wait for RTBC, please could someone link to the exact patch that works. I get that we're using a merge record for this, but for all my site deployments I'm simply using cweagans composer patches to apply any patches I need to core or contrib, and I'm not clear reading this history as to what patch I need to add to my composer.json file.
info.yml. file updated to remove Drupal 8 and 9 compatibility, as well as adding Drupal 11 as suggested by the bot in this issue.
The issue is being left open to pick up future API changes.
info.yml. file updated to remove Drupal 8 and 9 compatibility, as well as adding Drupal 11 as suggested by the bot in this issue.
The issue is being left open to pick up future API changes.
info.yml. file updated to remove Drupal 8 and 9 compatibility, as well as adding Drupal 11 as suggested by the bot in this issue.
The issue is being left open to pick up future API changes.
JamesOakley → created an issue.
"Never normally critical" may generally be true. But what we're discussing here is a security vulnerability fixed and published upstream by CKEditor (in March 2022), leading the Drupal security team to release a core update to ensure Drupal 9.x and above does not use the vulnerable library. Drupal 7 needs this module to power the editor, and this module does not support the versions of CKEditor that incorporate the security fix.
I'd say allowing site maintainers to update the CKEditor library to one without vulnerabilities is more pressing than "normal".
I like that thought, and with some jquery dependencies already in core it shouldn't add much overhead to do it.
If someone wants to propose a simple patch that lets a site administrator opt in to have Scripture links open in a modal popup, I'd be happy to test and commit it once it works correctly.
It seems so, although in your report there's the added detail that the problem may be in the Claro theme, which is why the problem first appeared when it became the default admin theme. Closing 🐛 "Set up database" screen is displayed even when credentials are properly defined Closed: duplicate as a duplicate
I haven't poked about as deeply into the database as you have, but (2) sounds plausible. In my case, I disable the update module in production, to stop someone lazily updating a module within the UI rather than going through composer (in the development environment). The case when I experienced being unable to check for updates ( #3159646: Checking for updates sometimes fails: "Undefined index" in log → ) was on a site where I'd brought the production database (with updates enabled) back into the development copy of the site, and I think there were updates pending at that point as well.
So I can't completely verify your suspicion, but it is very plausible.
An issue I opened, #3159646: Checking for updates sometimes fails: "Undefined index" in log → , could be a duplicate of this (or could be a different problem) - so linking across from here to there just in case.