[Security-news] End of life announcement and changes to Drupal 7 support - PSA-2023-06-07

security-news at drupal.org
Wed Jun 7 15:25:55 UTC 2023


View online: https://www.drupal.org/psa-2023-06-07

Date: 2023-June-07
Description: 
-------- DRUPAL 7'S END OF LIFE IS JANUARY 5, 2025
---------------------------

On February 23, 2022, we announced that we would be extending the End-of-Life
for Drupal 7 until at least November 1, 2023.

Today, we are officially announcing that Drupal 7 will reach its end of life
on January 5, 2025.

With this final extension, the Drupal Security Team is also adjusting the
level of support provided.

*This will be the final extension.*

.... Reduced support for moderately critical Drupal 7 issues


Effective August 1, 2023, the Drupal Security Team may choose to publicly
post moderately critical and less critical issues affecting Drupal 7 in the
public issue queue for resolution, as long as they are not mass-exploitable.
(Security risk levels defined [1].)

Drupal 9 and above are not affected by this change. When a security issue
affects both Drupal 7 and Drupal 10, for example, the Drupal 10 security
advisory may be released without a corresponding Drupal 7 fix, and the Drupal
7 issue made public at that point.

.... Drupal 7 branches of unsupported modules are no longer eligible for new
       maintainership

Community support for contributed modules will continue as it has to date.
However, beginning August 1, 2023, once the Drupal 7 branch of a contributed
module is marked unsupported it will not be eligible for new maintainership
and will not be marked supported again. This will be true if an existing
maintainer marks the module unsupported, or if the security team marks it
unsupported for lack of response. If there are Drupal 7 modules that you or
your clients rely on, then *we strongly encourage you to adopt these modules
[2] proactively.*

The Drupal security team will not issue security advisories for any
unsupported libraries that Drupal 7 contributed modules rely on, such as
CKEditor 4.

.... PHP 5.5 and below will no longer be supported on Drupal 7

Effective August 1, 2023, we will no longer support PHP versions lower than
5.6 for Drupal 7. We may issue further PSAs increasing the minimum PHP
requirement any time before Drupal 7's end of life.

.... Security fixes will no longer be provided for Drupal 7 Windows-only
       issues

Effective August 1, 2023, we will no longer provide Drupal 7 security fixes
for Windows-only issues. If you are running a Drupal 7 site on Windows, you
should look into migrating to another operating system for hosting your site.

.... Drupal.org will no longer package Drupal 7 distributions

Effective August 1, 2023, Drupal.org will no longer create Drupal 7
distribution packages with Drush make files. If you need a distribution
built, you can use drush make locally.

-------- THIS IS THE FINAL EXTENSION OF DRUPAL 7 COMMUNITY SUPPORT
-----------

Current support is made possible thanks to the Drupal core maintainers, the
Drupal Security Team, and organizations and volunteers who contribute to
Drupal 7 issues.

You can donate to support the work of the Drupal Security Team on our
Security Team Donations [3] page.

To learn more about sponsoring Drupal core maintainers and contributors, read
xjm's blog post: Why sponsor a core committer? [4]

-------- WHAT THE DRUPAL 7 END OF LIFE MEANS FOR YOU
-------------------------

Once Drupal 7 reaches End of Life, this means:

   1) The Drupal Security Team will no longer provide support or Security
      Advisories for Drupal 7 core and contributed modules.
   2) Security issues for Drupal 7 may be disclosed in public, and zero-days
      (i.e., security vulnerabilities being exploited in the wild without
      advance warning) may occur.
   3) Drupal.org will no longer support tasks related to Drupal 7 including
      documentation navigation, automated testing, packaging, etc.
   4) All Drupal 7-compatible releases on project pages will be flagged as not
      supported.
   5) Some Drush functionality for Drupal 7 will stop working as the
      underlying Drupal.org infrastructure will be removed.
   6) Drupal.org file archive packaging (tar and zip files) for Drupal 7 will
      be shut off. The archives may be removed.
   7) There will be no more core commits on Drupal core 7.x.
   8) Package tarballs may no longer be downloadable.
   9) External vulnerability scans will flag Drupal 7 as insecure.

If you are still maintaining a Drupal 7 site, we recommend migrating to
Drupal 10 before the end of life date.

.... Announcing the Drupal Association migration partners program

The Drupal Association is working to certify migration partners to help
Drupal 7 site owners.

Certified Migration Partners will be promoted on Drupal.org, alongside a
migration resource library, to any end users looking for help.

Priority will be given to past extended support vendors and top contributors.

To learn more about the Drupal 7 Certified Migration Partners, visit the
Drupal 7 EOL landing page [5].

Coordinated By: 
The project lead, members of the Security team, and core committers
contributed to this document.


[1] https://www.drupal.org/drupal-security-team/security-risk-levels-defined
[2] https://www.drupal.org/docs/develop/managing-a-drupalorg-theme-module-or-distribution-project/maintainership/offering-to-become-a-project-owner-maintainer-or-co-maintainer/how-to-become-project-owner-maintainer-or-co
[3] https://donorbox.org/drupal-security
[4] https://xjmdrupal.org/blog/why-sponsor-a-core-committer
[5] https://www.drupal.org/about/drupal-7/end-of-life


