Blogroll Category: Technology

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 183 posts from the category 'Technology.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!

PHPKonf: Istanbul PHP Conference 2017

PHP - Mon, 27/03/2017 - 19:00
Categories: Technology

New CloudLinux 6 kernel 2.6.32-673.26.1.lve1.4.22.el6 released to production

CloudLinux - Fri, 24/02/2017 - 22:22
In case you haven't been patched yet with KernelCare, CL6 kernel-2.6.32-673.26.1.lve1.4.22.el6 has been released to stable.

Changelog:

To update:

$ yum install kernel-2.6.32-673.26.1.lve1.4.22.el6 kmod-lve-1.4-22.el6
$ reboot
Categories: Technology

Imunify360/Imunify Sensor 1.1.3-5 released

CloudLinux - Fri, 24/02/2017 - 20:18

We are pleased to announce that the new Imunify360/Imunify Sensor 1.1.3-5 is now available. The latest Imunify360/Imunify Sensor version is the result of work done by our development team and embodies further improvements to the product, and fixes for bugs recently found.

Should you encounter any problems with the product or have any questions, comments or suggestions, please contact our support team at helpdesk.cloudlinux.com: Imunify360 department. We’d be more than happy to help you.

Changelog:

  • DEF-976: install OWASP ModSecurity rule vendor only when no other potentially conflicting rule vendors are detected;
  • DEF-996: fixed rpm scriptlet error on reinstall;
  • DEF-993: fixed regression when localhost IPs are not added to the whitelist automatically.

To install new Imunify360/Imunify Sensor version 1.1.3 please follow the instructions in the documentation.

To upgrade Imunify360/Imunify Sensor run the command:

yum update imunify360-firewall

More information on Imunify360 can be found here.

Categories: Technology

New CloudLinux 7 kernel released

CloudLinux - Fri, 24/02/2017 - 14:39

The new updated CloudLinux 7 kernel (version 3.10.0-427.18.2.lve1.4.38.el7) with fixed CVE-2017-6074 issue is available for download from our production repository.

Changelog since current stable kernel-3.10.0-427.18.2.lve1.4.27.el7:

To install run the command:

CloudLinux 7:

yum install kernel-3.10.0-427.18.2.lve1.4.38.el7 kmod-lve-1.4-38.el7

CloudLinux 6 Hybrid:

yum install kernel-3.10.0-427.18.2.lve1.4.38.el6h kmod-lve-1.4-38.el6h
Categories: Technology

Beta: New CloudLinux 7 kernel released

CloudLinux - Fri, 24/02/2017 - 11:21

The new updated CloudLinux 7 kernel (version 3.10.0-427.18.2.lve1.4.38.el7) with fixed CVE-2017-6074 issue is available for download from our updates-testing repository.

Changelog since current stable kernel-3.10.0-427.18.2.lve1.4.27.el7:

To install run the command:

yum install kernel-3.10.0-427.18.2.lve1.4.38.el7 kmod-lve-1.4-38.el7 --enablerepo=cloudlinux-updates-testing
Categories: Technology

Imunify360/Imunify Sensor 1.1.3 released

CloudLinux - Fri, 24/02/2017 - 08:52

We are pleased to announce that the new Imunify360/Imunify Sensor 1.1.3 is now available. The latest Imunify360/Imunify Sensor version is the result of work done by our development team and embodies further improvements to the product, and fixes for bugs recently found.

Should you encounter any problems with the product or have any questions, comments or suggestions, please contact our support team at helpdesk.cloudlinux.com: Imunify360 department. We’d be more than happy to help you.

Improvements:

  • DEF-942: created Imunify360 mod_sec vendor;
  • DEF-927: loading white and black IP lists to CSF when switching to CSF coop mode;
  • DEF-913: created modsecurity rule for Wordpress REST API vulnerability;
  • DEF-742: implemented real-time synchronizing black and white lists sync with CSF;
  • DEF-740: added log collector for mod_security audit logs;
  • DEF-894: added cache for whitelist;
  • DEF-839: improved behavior when Wordpress returned 200 on unsuccessful auth rule;
  • WEB-417: IP lists user interface behavior depending on current agent strategy;
  • WEB-309, WEB-332: fixed attribution page.

Fixes:

  • DEF-818, DEF-898, DEF-914: misc python exceptions fixes.

To install new Imunify360/Imunify Sensor version 1.1.3 please follow the instructions in the documentation.

To upgrade Imunify360/Imunify Sensor run the command:

yum update imunify360-firewall

More information on Imunify360 can be found here.

Categories: Technology

Incident report on memory leak caused by Cloudflare parser bug

CloudFlare - Thu, 23/02/2017 - 23:01

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.

We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause, to understand the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses.

Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

The greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

We are grateful that it was found by one of the world’s top security research teams and reported to us.

This blog post is rather long but, as is our tradition, we prefer to be open and technically detailed about problems that occur with our service.

Parsing and modifying HTML on the fly

Many of Cloudflare’s services rely on parsing and modifying HTML pages as they pass through our edge servers. For example, we can insert the Google Analytics tag, safely rewrite http:// links to https://, exclude parts of a page from bad bots, obfuscate email addresses, enable AMP, and more by modifying the HTML of a page.

To modify the page, we need to read and parse the HTML to find elements that need changing. Since the very early days of Cloudflare, we’ve used a parser written using Ragel. A single .rl file contains an HTML parser used for all the on-the-fly HTML modifications that Cloudflare performs.

About a year ago we decided that the Ragel parser had become too complex to maintain and we started to write a new parser, named cf-html, to replace it. This streaming parser works correctly with HTML5 and is much, much faster and easier to maintain.

We first used this new parser for the Automatic HTTP Rewrites feature and have been slowly migrating functionality that uses the old Ragel parser to cf-html.

Both cf-html and the old Ragel parser are implemented as NGINX modules compiled into our NGINX builds. These NGINX filter modules parse buffers (blocks of memory) containing HTML responses, make modifications as necessary, and pass the buffers onto the next filter.

It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.

Once we knew that the bug was being caused by the activation of cf-html (but before we knew why) we disabled the three features that caused it to be used. Every feature Cloudflare ships has a corresponding feature flag, which we call a ‘global kill’. We activated the Email Obfuscation global kill 47 minutes after receiving details of the problem and the Automatic HTTPS Rewrites global kill 3h05m later. The Email Obfuscation feature had been changed on February 13 and was the primary cause of the leaked memory, thus disabling it quickly stopped almost all memory leaks.

Within a few seconds, those features were disabled worldwide. We confirmed we were not seeing memory leakage via test URIs and had Google double check that they saw the same thing.

We then discovered that a third feature, Server-Side Excludes, was also vulnerable and did not have a global kill switch (it was so old it preceded the implementation of global kills). We implemented a global kill for Server-Side Excludes and deployed a patch to our fleet worldwide. From realizing Server-Side Excludes were a problem to deploying a patch took roughly three hours. However, Server-Side Excludes are rarely used and only activated for malicious IP addresses.

Root cause of the bug

The Ragel code is converted into generated C code which is then compiled. The C code uses, in the classic C manner, pointers to the HTML document being parsed, and Ragel itself gives the user a lot of control of the movement of those pointers. The underlying bug occurs because of a pointer error.

/* generated code */
if ( ++p == pe )
    goto _test_eof;

The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of ==, jumping over the buffer end would have been caught. The equality check is generated automatically by Ragel and was not part of the code that we wrote. This indicated that we were not using Ragel correctly.

The Ragel code we wrote contained a bug that caused the pointer to jump over the end of the buffer and past the ability of an equality check to spot the buffer overrun.

Here’s a piece of Ragel code used to consume an attribute in an HTML <script> tag. The first line says that it should attempt to find zero or more unquoted_attr_char followed by (that’s the :>> concatenation operator) whitespace, a forward slash, or > signifying the end of the tag.

script_consume_attr := ((unquoted_attr_char)* :>> (space|'/'|'>'))
    >{ ddctx("script consume_attr"); }
    @{ fhold; fgoto script_tag_parse; }
    $lerr{ dd("script consume_attr failed"); fgoto script_consume_attr; };

If an attribute is well-formed, then the Ragel parser moves to the code inside the @{ } block. If the attribute fails to parse (which is the start of the bug we are discussing today) then the $lerr{ } block is used.

For example, in certain circumstances (detailed below) if the web page ended with a broken HTML tag like this:

<script type=

the $lerr{ } block would get used and the buffer would be overrun. In this case the $lerr does dd("script consume_attr failed"); (that’s a debug logging statement that is a nop in production) and then does fgoto script_consume_attr; (the state transitions to script_consume_attr to parse the next attribute). From our statistics it appears that such broken tags at the end of the HTML occur on about 0.06% of websites.

If you have a keen eye you may have noticed that the @{ } transition also did a fgoto but right before it did fhold and the $lerr{ } block did not. It’s the missing fhold that resulted in the memory leakage.

Internally, the generated C code has a pointer named p that is pointing to the character being examined in the HTML document. fhold is equivalent to p-- and is essential because when the error condition occurs p will be pointing to the character that caused the script_consume_attr to fail.

And it’s doubly important because if this error condition occurs at the end of the buffer containing the HTML document then p will be after the end of the document (p will be pe + 1 internally) and a subsequent check that the end of the buffer has been reached will fail and p will run outside the buffer.

Adding an fhold to the error handler fixes the problem.

Why now

That explains how the pointer could run past the end of the buffer, but not why the problem suddenly manifested itself. After all, this code had been in production and stable for years.

Returning to the script_consume_attr definition above:

script_consume_attr := ((unquoted_attr_char)* :>> (space|'/'|'>'))
    >{ ddctx("script consume_attr"); }
    @{ fhold; fgoto script_tag_parse; }
    $lerr{ dd("script consume_attr failed"); fgoto script_consume_attr; };

What happens when the parser runs out of characters to parse while consuming an attribute differs depending on whether the buffer currently being parsed is the last buffer or not. If it’s not the last buffer, then there’s no need to use $lerr, as the parser doesn’t know whether an error has occurred or not: the rest of the attribute may be in the next buffer.

But if this is the last buffer, then the $lerr is executed. Here’s how the code ends up skipping over the end-of-file and running through memory.

The entry point to the parsing function is ngx_http_email_parse_email (the name is historical, it does much more than email parsing).

ngx_int_t
ngx_http_email_parse_email(ngx_http_request_t *r, ngx_http_email_ctx_t *ctx) {
    u_char *p = ctx->pos;
    u_char *pe = ctx->buf->last;
    u_char *eof = ctx->buf->last_buf ? pe : NULL;

You can see that p points to the first character in the buffer, pe to the character after the end of the buffer and eof is set to pe if this is the last buffer in the chain (indicated by the last_buf boolean), otherwise it is NULL.

When the old and new parsers are both present during request handling a buffer such as this will be passed to the function above:

(gdb) p *in->buf
$8 = {
  pos = 0x558a2f58be30 "<script type=\"",
  last = 0x558a2f58be3e "",
  [...]
  last_buf = 1,
  [...]
}

Here there is data and last_buf is 1. When the new parser is not present the final buffer that contains data looks like this:

(gdb) p *in->buf
$6 = {
  pos = 0x558a238e94f7 "<script type=\"",
  last = 0x558a238e9504 "",
  [...]
  last_buf = 0,
  [...]
}

A final empty buffer (pos and last both NULL and last_buf = 1) will follow that buffer but ngx_http_email_parse_email is not invoked if the buffer is empty.

So, in the case where only the old parser is present, the final buffer that contains data has last_buf set to 0. That means that eof will be NULL. Now when trying to handle script_consume_attr with an unfinished tag at the end of the buffer the $lerr will not be executed because the parser believes (because of last_buf) that there may be more data coming.

The situation is different when both parsers are present. last_buf is 1, eof is set to pe and the $lerr code runs. Here’s the generated code for it:

/* #line 877 "ngx_http_email_filter_parser.rl" */
{
    dd("script consume_attr failed");
    {goto st1266;}
}
goto st0;
[...]
st1266:
    if ( ++p == pe )
        goto _test_eof1266;

The parser runs out of characters while trying to perform script_consume_attr and p will be pe when that happens. Because there’s no fhold (that would have done p--) when the code jumps to st1266 p is incremented and is now past pe.

It then won’t jump to _test_eof1266 (where EOF checking would have been performed) and will carry on past the end of the buffer trying to parse the HTML document.

So, the bug had been dormant for years until the internal feng shui of the buffers passed between NGINX filter modules changed with the introduction of cf-html.

Going bug hunting

Research by IBM in the 1960s and 1970s showed that bugs tend to cluster in what became known as “error-prone modules”. Since we’d identified a nasty pointer overrun in the code generated by Ragel it was prudent to go hunting for other bugs.

Part of the infosec team started fuzzing the generated code to look for other possible pointer overruns. Another team built test cases from malformed web pages found in the wild. A software engineering team began a manual inspection of the generated code looking for problems.

At that point it was decided to add explicit pointer checks to every pointer access in the generated code to prevent any future problem and to log any errors seen in the wild. The errors generated were fed to our global error logging infrastructure for analysis and trending.

#define SAFE_CHAR ({\
    if (!__builtin_expect(p < pe, 1)) {\
        ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0, "email filter tried to access char past EOF");\
        RESET();\
        output_flat_saved(r, ctx);\
        BUF_STATE(output);\
        return NGX_ERROR;\
    }\
    *p;\
})
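The following C program is an added illustration, not Cloudflare's code: it simulates the script_consume_attr pointer walk described above (the $lerr path without fhold, the ++p == pe test, the last_buf dependence, and a SAFE_CHAR-style guard) using indices instead of raw pointers so that the simulation itself never reads out of bounds. All names, the config struct and the "type=" sample input are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of feeding one buffer to the simulated attribute consumer. */
typedef enum {
    ATTR_DONE,         /* delimiter found: attribute is well-formed              */
    ATTR_NEED_MORE,    /* out of bytes but last_buf == 0: wait for next buffer   */
    ATTR_EOF_CAUGHT,   /* unterminated at EOF and the end test caught it         */
    ATTR_GUARD_ERROR,  /* end test missed it, SAFE_CHAR-style guard returned error */
    ATTR_OVERRUN       /* unterminated at EOF and p stepped past pe unnoticed    */
} attr_result_t;

/* Knobs reproducing the variants discussed in the post (assumed names). */
typedef struct {
    bool fhold_in_lerr; /* error action steps p back (the actual fix)          */
    bool ge_check;      /* end test is p >= pe instead of p == pe              */
    bool safe_char;     /* every read is bounds-checked before dereferencing   */
} parser_cfg_t;

static const parser_cfg_t CFG_ORIGINAL  = { false, false, false };
static const parser_cfg_t CFG_FHOLD_FIX = { true,  false, false };
static const parser_cfg_t CFG_GE_CHECK  = { false, true,  false };
static const parser_cfg_t CFG_SAFE_CHAR = { false, false, true  };

/* space | '/' | '>' terminates an unquoted attribute value. */
static bool is_attr_delim(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '/' || c == '>';
}

/* p and pe are indices standing in for the generated parser's u_char *p and
 * *pe (one past the last byte), so comparisons behave exactly like the
 * pointer versions without this simulation ever touching memory past len. */
static attr_result_t consume_attr(const char *buf, size_t len, bool last_buf,
                                  parser_cfg_t cfg)
{
    size_t p = 0, pe = len;

    /* (unquoted_attr_char)* :>> (space|'/'|'>') */
    while (p < pe && !is_attr_delim((unsigned char)buf[p]))
        p++;
    if (p < pe)
        return ATTR_DONE;          /* @{ fhold; fgoto script_tag_parse; } */

    /* eof is NULL unless this is the last buffer in the chain, so the
     * machine pauses for more data instead of running $lerr. */
    if (!last_buf)
        return ATTR_NEED_MORE;

    /* $lerr{ ... fgoto script_consume_attr; } runs with p == pe. */
    if (cfg.fhold_in_lerr)
        p--;                       /* fhold is p-- */

    /* Re-entering the state: if ( ++p == pe ) goto _test_eof; */
    p++;
    bool eof_caught = cfg.ge_check ? (p >= pe) : (p == pe);
    if (eof_caught)
        return ATTR_EOF_CAUGHT;

    /* The generated code would now dereference p. A SAFE_CHAR-style guard
     * turns that read into a logged error instead of a memory disclosure. */
    if (cfg.safe_char && p >= pe)
        return ATTR_GUARD_ERROR;

    return ATTR_OVERRUN;
}

/* Convenience wrapper for NUL-terminated sample input. */
static attr_result_t run_case(const char *s, bool last_buf, parser_cfg_t cfg)
{
    return consume_attr(s, strlen(s), last_buf, cfg);
}

int main(void)
{
    /* Constructed sample: the bytes a buffer ending in "<script type=" hands
     * to the attribute consumer, with no terminating delimiter. */
    const char *broken = "type=";
    printf("original, last_buf=1: %d (4 = overrun)\n",  run_case(broken, true,  CFG_ORIGINAL));
    printf("original, last_buf=0: %d (1 = need more)\n", run_case(broken, false, CFG_ORIGINAL));
    printf("fhold fix:            %d (2 = eof caught)\n", run_case(broken, true,  CFG_FHOLD_FIX));
    printf(">= check:             %d (2 = eof caught)\n", run_case(broken, true,  CFG_GE_CHECK));
    printf("SAFE_CHAR guard:      %d (3 = guard error)\n", run_case(broken, true,  CFG_SAFE_CHAR));
    return 0;
}
```

The last_buf=0 case is why the overrun stayed dormant for years: the old parser alone never saw the data-carrying buffer flagged as last, so $lerr never ran.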

And we began seeing log lines like this:

2017/02/19 13:47:34 [crit] 27558#0: *2 email filter tried to access char past EOF while sending response to client, client: 127.0.0.1, server: localhost, request: "GET /malformed-test.html HTTP/1.1"

Every log line indicates an HTTP request that could have leaked private memory. By logging how often the problem was occurring we hoped to get an estimate of the number of HTTP requests that had leaked memory while the bug was present.

In order for the memory to leak the following had to be true:

  • The final buffer containing data had to finish with a malformed script or img tag
  • The buffer had to be less than 4k in length (otherwise NGINX would crash)
  • The customer had to either have Email Obfuscation enabled (because it uses both the old and new parsers as we transition),
  • … or Automatic HTTPS Rewrites/Server Side Excludes (which use the new parser) in combination with another Cloudflare feature that uses the old parser,
  • … and Server-Side Excludes only execute if the client IP has a poor reputation (i.e. it does not work for most visitors).

That explains why the buffer overrun resulting in a leak of memory occurred so infrequently.

Additionally, the Email Obfuscation feature (which uses both parsers and would have enabled the bug to happen on the most Cloudflare sites) was only enabled on February 13 (four days before Tavis’ report).

The three features implicated were rolled out as follows. The earliest date memory could have leaked is 2016-09-22.

2016-09-22 Automatic HTTP Rewrites enabled
2017-01-30 Server-Side Excludes migrated to new parser
2017-02-13 Email Obfuscation partially migrated to new parser
2017-02-18 Google reports problem to Cloudflare and leak is stopped

The greatest potential impact occurred for four days starting on February 13 because Automatic HTTP Rewrites wasn’t widely used and Server-Side Excludes only activate for malicious IP addresses.

Internal impact of the bug

Cloudflare runs multiple separate processes on the edge machines and these provide process and memory isolation. The memory being leaked was from a process based on NGINX that does HTTP handling. It has a separate heap from processes doing SSL, image re-compression, and caching, which meant that we were quickly able to determine that SSL private keys belonging to our customers could not have been leaked.

However, the memory space being leaked did still contain sensitive information. One obvious piece of information that had leaked was a private key used to secure connections between Cloudflare machines.

When processing HTTP requests for customers’ web sites our edge machines talk to each other within a rack, within a data center, and between data centers for logging, caching, and to retrieve web pages from origin web servers.

In response to heightened concerns about surveillance activities against Internet companies, we decided in 2013 to encrypt all connections between Cloudflare machines to prevent such an attack even if the machines were sitting in the same rack.

The private key leaked was the one used for this machine to machine encryption. There were also a small number of secrets used internally at Cloudflare for authentication present.

External impact and cache clearing

More concerning was the fact that chunks of in-flight HTTP requests for Cloudflare customers were present in the dumped memory. That meant that information that should have been private could be disclosed.

This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens).

Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.

An additional problem was that Google (and other search engines) had cached some of the leaked memory through their normal crawling and caching processes. We wanted to ensure that this memory was scrubbed from search engine caches before the public disclosure of the problem so that third-parties would not be able to go hunting for sensitive information.

Our natural inclination was to get news of the bug out as quickly as possible, but we felt we had a duty of care to ensure that search engine caches were scrubbed before a public announcement.

The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.

We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.

Some lessons

The engineers working on the new HTML parser had been so worried about bugs affecting our service that they had spent hours verifying that it did not contain security problems.

Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it. Our internal infosec team is now undertaking a project to fuzz older software looking for potential other security problems.

Detailed Timeline

We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it.

All times are UTC.

2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
2017-02-18 0032 Cloudflare receives details of bug from Google
2017-02-18 0040 Cross functional team assembles in San Francisco
2017-02-18 0119 Email Obfuscation disabled worldwide
2017-02-18 0122 London team joins
2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide

2017-02-20 2159 SAFE_CHAR fix deployed globally

2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide

NOTE: This post was updated to reflect updated information.

Categories: Technology

Episode 119 on expanding Azure skills with Kirk Evans—Office 365 Developer Podcast

Microsoft Office - Thu, 23/02/2017 - 18:00

In episode 119 of the Office 365 Developer Podcast, Richard diZerega and Andrew Coates are joined by Kirk Evans to discuss how Office and SharePoint developers can expand their Azure skills.

https://officeblogspodcastswest.blob.core.windows.net/podcasts/EP119_KirkE.mp3

Download the podcast.


Got questions or comments about the show? Join the O365 Dev Podcast on the Office 365 Technical Network. The podcast RSS is available on iTunes or search for it at “Office 365 Developer Podcast” or add directly with the RSS feeds.feedburner.com/Office365DeveloperPodcast.

About Kirk Evans

Kirk is a Principal Program Manager for AzureCAT at Microsoft where he helps some of Microsoft’s largest customers deliver solutions in Azure. Kirk is a popular blogger and speaker at conferences and trainings around the world. Prior to his work in Azure, Kirk was a SharePoint Premier Field Engineer and certified SharePoint Master. Kirk lives in Dallas, Texas and is the biggest Georgia Bulldogs fan in the state. You can find more of Kirk’s publications on his blog and twitter.

About the hosts

Richard is a software engineer in Microsoft’s Developer Experience (DX) group, where he helps developers and software vendors maximize their use of Microsoft cloud services in Office 365 and Azure. Richard has spent a good portion of the last decade architecting Office-centric solutions, many that span Microsoft’s diverse technology portfolio. He is a passionate technology evangelist and a frequent speaker at worldwide conferences, trainings and events. Richard is highly active in the Office 365 community, popular blogger at aka.ms/richdizz and can be found on Twitter at @richdizz. Richard is born, raised and based in Dallas, TX, but works on a worldwide team based in Redmond. Richard is an avid builder of things (BoT), musician and lightning-fast runner.

A Civil Engineer by training and a software developer by profession, Andrew Coates has been a Developer Evangelist at Microsoft since early 2004, teaching, learning and sharing coding techniques. During that time, he’s focused on .NET development on the desktop, in the cloud, on the web, on mobile devices and most recently for Office. Andrew has a number of apps in various stores and generally has far too much fun doing his job to honestly be able to call it work. Andrew lives in Sydney, Australia with his wife and two almost-grown-up children.

Useful links

StackOverflow

Yammer Office 365 Technical Network

The post Episode 119 on expanding Azure skills with Kirk Evans—Office 365 Developer Podcast appeared first on Office Blogs.

Categories: Technology

Doing our part for the community

Drupal - Thu, 23/02/2017 - 17:25

The Drupal Association Engineering Team delivers value to all who are using, building, and developing Drupal. The team is tasked with keeping Drupal.org and all of the 20 subsites and services up and running. Their work would not be possible without the community and the project would not thrive without close collaboration. This is why we are running a membership campaign all about the engineering team. These are a few of the recent projects where engineering team + community = win!

Want to hear more about the work of the team, rather than read about it? Check out this video from 11:15-22:00 where Tim Lehnen (@hestenet) talks about the team's recent and current work.

Leading the Documentation System migration

We now have a new system for Documentation. These are guides Drupal developers and users need to effectively build and use Drupal. The new system replaces the book outline structure with a guides system, where a collection of pages with their own menu are maintained by the people who volunteer to keep the guides updated, focused, and relevant. Three years of work from the engineering team and community collaborators paid off. Content strategy, design, user research, implementation, usability testing and migration have brought this project to life.

Basic structure doc page for Drupal 8 Creating Custom Modules section
Pages include code 'call-outs' for point-version specific information or warnings.

Thanks to the collaborators: 46 have signed up to be guide maintainers, the Documentation Working Group members (batigolix, LeeHunter, ifrik, eojthebrave), to tvn, and the many community members who write the docs!

Enabling Drupal contribution everywhere

Helping contributors is what we do best. Here are some recent highlights from the work we're doing to help the community:

Our project to help contributors currently in development is revamping the project applications process. More on this soon on our blog.

When a community need doesn't match our roadmap

We have a process for prioritizing community initiatives so we can still help contributors. Thanks to volunteers who have proposed and helped work on initiatives recently, we've supported the launch of the Drupal 8 User guide and the ongoing effort to bring Dreditor features into Drupal.org itself.

Thanks to the collaborators: jhodgdon, eojthebrave, and the contributors to the user guide. Thanks also to markcarver for the Dreditor effort.

How to stay informed and support our work.

The change list and the Drupal.org roadmap help you to see what the board and staff have prioritized out of the many needs of the community.

You can help sustain the work of the Drupal Association by joining as a member. Thank you!

Categories: Technology

Visualize work in powerful new ways

Microsoft Office - Thu, 23/02/2017 - 17:00

We’re constantly pursuing the latest innovations to help your team create powerful diagrams. That pursuit continues with several recently released updates for Microsoft Visio Pro for Office 365, including robust database reverse engineering capabilities and new third-party content that meets various industry standards. With these updates, you can visualize your work in exciting and meaningful ways, boosting efficiencies and helping your team make informed decisions with confidence.

Visualize database structures from source data

Visio’s database reverse engineering tool allows you to create a visual representation of a database from its source data. Visio can connect to a number of database solutions, including SQL Server, MySQL and Oracle, to create a real-time illustration of that database, which updates in Visio as the underlying information changes. This kind of reverse engineering helps you drill into specific database elements, like tables and views, to better understand how they relate to one another—all without showing the actual source data.

Using an intuitive wizard, you can select the source database and specific elements to include in the visual, giving you full control over the resulting diagram. In addition to tables and views, you can also incorporate stored procedures and specific table objects, like primary keys, indexes and triggers. Best of all, the database diagram updates when the source information changes, helping ensure everyone has access to the latest data.

Quickly launch a reverse engineering template from the home screen.

Users across industries can benefit from this feature. Healthcare is a perfect example—hospitals store huge amounts of patient data in secure databases. Using reverse engineering in Visio, IT and business analysts can build diagrams that explain the relationship between patient data and healthcare history, including prescriptions, insurance, appointments and more.

You can download the Visio Pro for Office 365 add-in for database reverse engineering here.

Download templates for industry-specific diagrams

You can now access authorized third-party content directly from within Visio Pro for Office 365 for your specialized diagramming needs. Fifty templates and 100 sample diagrams have been developed with trusted partners, including several that meet industry-specific standards.

Business processes

Trisotech has developed a set of templates to help you create diagrams that conform to accepted business standards, including case management models using Case Management Model and Notation (CMMN), professional process models with Business Process Model and Notation (BPMN), and business decisions and rules using Decision Model and Notation (DMN). “The availability of these new CMMN, BPMN and DMN templates, along with various samples, will help promote the adoption of recognized standards by business users in Visio, and therefore help our customers standardize their process design,” says Denis Gagné, CEO of Trisotech.

Design the process for a customer quote request using templates from Trisotech.

Software development and engineering

Programmers and engineers can benefit from templates that meet industry-wide standards, such as Unified Modeling Language (UML) 2.5 for designing software logic flow and Institute of Electrical and Electronics Engineers (IEEE) compliance for creating electrical diagrams. Of these, we recently added three new templates for UML 2.5 to help system architects, software engineers and software developers create diagrams of software-based systems and business processes. The UML diagrams help streamline software development and maintenance. They accurately represent the software’s behavior and structure in a format both technical and non-technical project team members can understand. The three new templates enable you to create:

  • Component diagrams showing components, ports and interfaces and the relationships among them.
  • Deployment diagrams illustrating the deployment architecture of software artifacts to nodes.
  • Communication diagrams highlighting the interactions between lifelines that use sequenced messages in a free-form arrangement.

Easily create UML-verified communication diagrams.

IT

Industry-proven NetZoom capabilities from Altima Technologies enable IT professionals to leverage data center templates and sample diagrams available directly from within Visio. “NetZoom Visio Stencils is the largest single-source collection of fully detailed, and regularly updated, manufacturer-specific device stencils for IT, A/V, security, network and data centers. The Visio Content Store integration brings the stencil library to the entire Visio community, worldwide,” says Jacquie Staggs, general manager of services at Altima Technologies, Inc.

Develop main and local branch diagrams using NetZoom stencils.

Education

Map shapes historically have been some of the most popular pieces of educational content in Visio. Teachers and students can now use maps from Visio Guy in the classroom to learn about the locations of states and territories and interact with them easily in the diagram.

Interact with maps from Visio Guy.

Transform the classroom with Visio

Visio Pro for Office 365 is bringing more than 20 templates and 20 sample diagrams that span core education, education planning, games, sports and hobbies. The core education templates for the classroom cover many subjects, including algebra, chemistry and physics. Great visual illustrations bring the subject matter to life for educators and students, enabling better comprehension and accelerated learning.


We are also excited to introduce education templates focused on extracurricular activities like music, sports and gaming. With these templates, you can easily create fun diagrams leveraging the smart shapes in Visio Pro for Office 365 to foster learning in these subjects.


We’ve only just begun incorporating third-party content into Visio. Subscribe to Visio Pro for Office 365 to stay up to date with the latest and greatest of Visio. Also, visit our UserVoice to submit suggestions for new products, and follow us on Facebook, YouTube and Twitter for the latest Visio news.

For developers and partners, get in touch and submit your shapes, templates or solutions today!

—The Visio team

The post Visualize work in powerful new ways appeared first on Office Blogs.

Categories: Technology

Security warning: major vulnerability found in Linux kernels that affects most kernels

CloudLinux - Wed, 22/02/2017 - 22:26

A new major local privilege escalation vulnerability in the Linux kernel was disclosed today by Andrey Konovalov (see CVE-2017-6074). It is a memory corruption vulnerability (a double free) where the same memory location is freed by the kernel twice. The vulnerability can be exploited to escalate privileges and allows an unprivileged local user to gain root access to the server.

This vulnerability affects most kernels! 

The KernelCare team, as always, is urgently working on releasing patches, with some distributions being promptly covered by the end of today (Wednesday, February 22nd, 2017), and most by tomorrow (see release schedule below). Major Linux distributions are working on releasing kernel updates with a fix as well. RedHat and Debian already released updated kernels - however, they will require you to reboot servers. But if you run KernelCare, you can livepatch your servers and protect yourself from critical vulnerabilities, including this one, WITHOUT any downtime.

When you install KernelCare, whether a paid or a trial version, it will bring your kernels up-to-date with all patches instantly. It installs with a single line of code in just minutes, without a reboot, and it will ensure you never miss another kernel security patch as they will be automatically installed to your live kernel going forward.

If you’d like to update your kernels as soon as the fix is released, you can get KernelCare for free for 30 days now, or purchase licenses here (from $2.25 per server/mo). 

To learn more about KernelCare, visit this page.

Timeline for patch releases for KernelCare:
  • Ubuntu 16.04 - to be released
  • Ubuntu 14.04 - to be released
  • RHEL 7 - Feb 22, 2017
  • RHEL 6 - Feb 22, 2017
  • RHEL 5 - to be released
  • CentOS 7 - Feb 22, 2017
  • CentOS 6 - Feb 22, 2017
  • CentOS 5 - to be released
  • CloudLinux OS 7 - to be released
  • CloudLinux OS 6 - to be released
  • CloudLinux OS 5 - to be released
  • CentOS 6 Plus - to be released
  • CentOS 7 Plus - to be released
  • CentOS 6 Alt - to be released
  • CentOS 7 Alt - to be released
  • Debian 7 & 8 - to be released
  • Proxmox 3.10 - to be released
  • Proxmox 4.2/4.4 - to be released

If you have KernelCare, it will bring your kernels up-to-date with these patches automatically, without a reboot. KernelCare supports most popular Linux distributions.

Categories: Technology

DownloadFile- Critical - Unsupported - SA-CONTRIB-2017-023

Drupal Contrib Security - Wed, 22/02/2017 - 17:22
Description

DownloadFile is a module to direct download files or images.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed download file module, there is nothing you need to do.

Solution

If you use the download_file module for Drupal 7.x you should uninstall it.

Also see the download file project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

Unpublished 404 - Critical - Unsupported - SA-CONTRIB-2017-021

Drupal Contrib Security - Wed, 22/02/2017 - 17:19
Description

The purpose of this module is to emit a 404 error when a user tries to access an unpublished page.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed unpublished 404 module, there is nothing you need to do.

Solution

If you use the unpublished_404 module for Drupal 7.x you should uninstall it.

Also see the unpublished 404 project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

Drupal Contrib Security - Wed, 22/02/2017 - 17:18
Description

The Views module allows site builders to create listings of various data in the Drupal database.

The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permission to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.
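The mechanism behind this advisory is Drupal 7's query-tag system: access-control modules only get to filter a term listing if the query carries the 'term_access' tag, because Drupal invokes every hook_query_term_access_alter() implementation for tagged queries and nothing for untagged ones. The following is an added illustration, not code from the Views module or the Drupal project; it assumes a Drupal 7 bootstrap, and the module name example_private_terms, the variable example_private_terms_tids and the permission 'view private terms' are hypothetical.

```php
<?php
// Added example (not Views or Drupal core code): the same taxonomy term listing
// with and without the 'term_access' query tag, plus a hypothetical access-control
// module that only ever sees the tagged query. Assumes a Drupal 7 bootstrap.

/**
 * Unsafe listing: queries taxonomy_term_data directly. No hook_query_term_access_alter()
 * implementation runs, so any module that hides private terms is silently bypassed.
 */
function example_list_terms_untagged($vid) {
  return db_select('taxonomy_term_data', 't')
    ->fields('t', array('tid', 'name'))
    ->condition('t.vid', $vid)
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Safe listing: identical query tagged 'term_access'. Drupal runs every
 * hook_query_term_access_alter() implementation before execution, so
 * access-control modules can add their own conditions.
 */
function example_list_terms_tagged($vid) {
  return db_select('taxonomy_term_data', 't')
    ->fields('t', array('tid', 'name'))
    ->condition('t.vid', $vid)
    ->addTag('term_access')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Hypothetical access-control module (example_private_terms) implementing
 * hook_query_TAG_alter() for the 'term_access' tag. Terms listed in a site
 * variable are hidden from anyone lacking the 'view private terms' permission.
 */
function example_private_terms_query_term_access_alter(QueryAlterableInterface $query) {
  if (user_access('view private terms')) {
    return;
  }
  $private_tids = variable_get('example_private_terms_tids', array());
  if (empty($private_tids)) {
    return;
  }
  // Locate the alias taxonomy_term_data has in this particular query.
  $alias = 't';
  foreach ($query->getTables() as $table) {
    if ($table['table'] === 'taxonomy_term_data') {
      $alias = $table['alias'];
      break;
    }
  }
  $query->condition($alias . '.tid', $private_tids, 'NOT IN');
}
```

Calling example_list_terms_untagged() as a user without the permission returns the private terms; example_list_terms_tagged() does not. This is exactly the gap the advisory describes: the data-access check exists, but an untagged listing never asks for it.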

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • views 7.x-3.x versions prior to 7.x-3.15.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the views module for Drupal 7.x, upgrade to views 7.x-3.15

Also see the Views project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Willis Towers Watson—increasing business agility with global commitment to Office 365

Microsoft Office - Wed, 22/02/2017 - 17:00


Today’s post was written by Ron Markezich, corporate vice president for Microsoft.

When Willis Group and Towers Watson merged in January 2016, Willis Towers Watson (WTW) became a leading advisory, broking and solutions company operating in more than 140 countries. The merger created an opportunity for WTW to streamline its IT environment, consolidate vendors and commit to a business productivity platform that empowers every one of its 40,000 employees.

According to Eoghan Doyle, global head of Infrastructure and Operations at WTW, the overall utilization of Microsoft technologies is also driven by the business value of a common platform that enables digital transformation:

“Willis Towers Watson drives business performance for our clients by helping them unlock potential. We aim to do the same for our global workforce. The Microsoft Secure Productive Enterprise E5 solution provides the advanced enterprise security, collaboration and intelligence from Office 365, which our colleagues can use to drive business results. By globally adopting Secure Productive Enterprise solutions, we can increase business agility and productivity, while delivering integrated technology in support of our business objectives. We look forward in particular to cloud-based telephony, interactive self-service business analytics and advanced threat protection to empower everyone in a mobile-first, modern workplace.”

An added benefit for WTW is the $3 million in savings it will achieve from a consistent, integrated set of cloud-based technologies, compared to continuing with its third-party services.

As we continue to innovate on the security and compliance features in our cloud services—capabilities like accelerated eDiscovery analysis workflow and advanced security intelligence—customers in the professional services industry can stay ahead of today’s evolving threat landscape. It’s really gratifying to see how WTW is broadly adopting the Microsoft Cloud to help transform its global business.

We’re looking forward to watching as WTW transforms with the Microsoft Cloud to achieve its vision of doing business in a digital world.

—Ron Markezich

The post Willis Towers Watson—increasing business agility with global commitment to Office 365 appeared first on Office Blogs.

Categories: Technology

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

Drupal Contrib Security - Wed, 22/02/2017 - 16:45
Description

This module enables sites to automatically detect and set user timezones via JavaScript.

The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depends on the site. It can range from a minor annoyance to a more serious problem on a site that relies on the timezone for some more important purpose.
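The class of bug here is a state-changing endpoint, called from page JavaScript, that accepts any request naming a timezone. The Drupal 7 defence is a session-bound token issued with drupal_get_token() and checked with drupal_valid_token(). The following is an added illustration, not the Timezone Detect module's code; it assumes a Drupal 7 bootstrap, and the module name example_tz, the path example-tz/set and the token seed 'example_tz_set' are hypothetical.

```php
<?php
// Added example (not Timezone Detect code): a JavaScript-driven "set my timezone"
// endpoint in its CSRF-vulnerable form and its token-protected form.
// Assumes a Drupal 7 bootstrap; module name, path and token seed are hypothetical.

/**
 * Implements hook_menu(). Only the protected callback is routed.
 */
function example_tz_menu() {
  $items['example-tz/set'] = array(
    'page callback' => 'example_tz_set_callback',
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_init(): expose a per-session token and the endpoint URL as a
 * JavaScript setting, so the detection script can send the token back.
 */
function example_tz_init() {
  if (user_is_logged_in()) {
    drupal_add_js(array('exampleTz' => array(
      'token' => drupal_get_token('example_tz_set'),
      'url' => url('example-tz/set'),
    )), 'setting');
  }
}

/**
 * Vulnerable version: any request that names a timezone is honoured, so a page
 * on another site can submit it with the victim's session cookie attached.
 */
function example_tz_set_callback_unprotected() {
  global $user;
  $tz = isset($_POST['timezone']) ? $_POST['timezone'] : '';
  if (in_array($tz, timezone_identifiers_list(), TRUE)) {
    user_save(user_load($user->uid), array('timezone' => $tz));
  }
  drupal_json_output(array('ok' => TRUE));
}

/**
 * Fixed version: require POST and a valid token. drupal_valid_token() recomputes
 * an HMAC over the seed and the session id, which a cross-site page cannot know,
 * so a forged request is refused before anything is written.
 */
function example_tz_set_callback() {
  global $user;
  if ($_SERVER['REQUEST_METHOD'] !== 'POST'
      || !isset($_POST['token'])
      || !drupal_valid_token($_POST['token'], 'example_tz_set')) {
    drupal_access_denied();
    return;
  }
  $tz = isset($_POST['timezone']) ? $_POST['timezone'] : '';
  // Still validate the value: only a known identifier may be stored.
  if (!in_array($tz, timezone_identifiers_list(), TRUE)) {
    drupal_json_output(array('ok' => FALSE, 'error' => 'unknown timezone'));
    return;
  }
  user_save(user_load($user->uid), array('timezone' => $tz));
  drupal_json_output(array('ok' => TRUE, 'timezone' => $tz));
}
```

The token check is the CSRF fix; the timezone whitelist is separate input validation and would be needed even without CSRF. Checking the request method matters too, because a GET endpoint can be triggered by a plain image tag.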

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Timezone Detect 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Timezone Detect project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

Alt-PHP updated

CloudLinux - Wed, 22/02/2017 - 05:07

The new updated Alt-PHP packages are available from our production repository.

Changelog:

alt-php70-7.0.16-1

  • (core) 73916: zend_print_flat_zval_r doesn't consider reference;
  • (core) 73876: Crash when exporting **= in expansion of assign op;
  • (core) 73969: segfault in debug_print_backtrace;
  • (core) 73973: assertion error in debug_zval_dump;
  • (dom) 54382: getAttributeNodeNS doesn't get xmlns* attributes;
  • (dtrace) 73965: DTrace reported as enabled when disabled;
  • (fpm) 67583: double fastcgi_end_request on max_children limit;
  • (fpm) 69865: php-fpm does not close stderr when using syslog;
  • (gd) 73968: Premature failing of XBM reading;
  • (gmp) 69993: test for gmp.h needs to test machine includes;
  • (intl) 73956: Link use CC instead of CXX;
  • (ldap) 73933: error/segfault with ldap_mod_replace and opcache;
  • (mysqli) 73949: leak in mysqli_fetch_object;
  • (mysqlnd) 69899: segfault on close() after free_result() with mysqlnd;
  • (opcache) 73983: crash on finish work with phar in cli + opcache;
  • (openssl) 71519: add serial hex to return value array;
  • (pdo_firebird) 72583: All data are fetched as strings;
  • (pdo_pgsql) 73959: lastInsertId fails to throw an exception for wrong sequence name;
  • (phar) 70417: PharData::compress() doesn't close temp file;
  • (posix) 71219: configure script incorrectly checks for ttyname_r;
  • (session) 69582: session not readable by root in CLI;
  • (spl) 73896: spl_autoload() crashes when calls magic _call();
  • (standard) 69442: closing of fd incorrect when PTS enabled;
  • (standard) 47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked";
  • (standard) 72974: imap is undefined service on AIX;
  • (standard) 72979: money_format stores wrong length AIX;
  • (zip) 70103: ZipArchive::addGlob ignores remove_all_path option.

alt-php71-7.1.2-1

  • (core): Improved GENERATOR_CREATE opcode handler;
  • (core) 73877: readlink() returns garbage for UTF-8 paths;
  • (core) 73876: Crash when exporting **= in expansion of assign op;
  • (core) 73962: bug with symlink related to cyrillic directory;
  • (core) 73969: segfault in debug_print_backtrace;
  • (core) 73994: arginfo incorrect for unpack;
  • (core) 73973: assertion error in debug_zval_dump;
  • (dom) 54382: getAttributeNodeNS doesn't get xmlns* attributes;
  • (dtrace) 73965: DTrace reported as enabled when disabled;
  • (fcgi) 73904: php-cgi fails to load -c specified php.ini file;
  • (fcgi) 72898: PHP_FCGI_CHILDREN is not included in phpinfo();
  • (fpm) 69865: php-fpm does not close stderr when using syslog;
  • (gd) 73968: Premature failing of XBM reading;
  • (gmp) 69993: test for gmp.h needs to test machine includes;
  • (hash): Added hash_hkdf() function;
  • (hash) 73961: environmental build dependency in hash sha3 source;
  • (intl): Fix bug #73956 (Link use CC instead of CXX);
  • (ldap) 73933: error/segfault with ldap_mod_replace and opcache;
  • (mysqli) 73949: leak in mysqli_fetch_object;
  • (mysqlnd) 69899: segfault on close() after free_result() with mysqlnd;
  • (opcache) 73983: crash on finish work with phar in cli + opcache;
  • (openssl) 71519: add serial hex to return value array;
  • (openssl) 73692: Compile ext/openssl with openssl 1.1.0 on Win;
  • (openssl) 73978: openssl_decrypt triggers bug in PDO;
  • (pdo_firebird) 72583: All data are fetched as strings;
  • (pdo_pgsql) 73959: lastInsertId fails to throw an exception for wrong sequence name;
  • (phar) 70417: PharData::compress() doesn't close temp file;
  • (posix) 71219: configure script incorrectly checks for ttyname_r;
  • (session) 69582: session not readable by root in CLI;
  • (spl) 73896: spl_autoload() crashes when calls magic _call();
  • (standard) 69442: closing of fd incorrect when PTS enabled;
  • (standard) 47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked";
  • (standard) 72974: imap is undefined service on AIX;
  • (standard) 72979: money_format stores wrong length AIX;
  • (standard) 73374: intval() with base 0 should detect binary;
  • (standard) 69061: mail.log = syslog contains double information;
  • (zip) 70103: ZipArchive::addGlob ignores remove_all_path option.

To install run the command:

yum groupinstall alt-php
Categories: Technology

Beta: PHP for EasyApache 4 updated

CloudLinux - Wed, 22/02/2017 - 04:55

The new updated PHP for EasyApache 4 packages are available from our updates-testing repository.

Changelog:

ea-php70-7.0.16-1.cloudlinux

  • EA-5863: removed patch from 7.0.12-2 as it was adding duplicate info;
  • EA-5946: force requirement of ea-libtidy instead of .so from BuildRequires ea-libtidy-devel;
  • EA-5839: added opcache.validate_permission to opcache ini;
  • EA-5807: enabled php-tidy on rhel 6 and above;
  • ALTPHP-310: updated to 7.0.16:

  • (core) 73916: zend_print_flat_zval_r doesn't consider reference;
  • (core) 73876: Crash when exporting **= in expansion of assign op;
  • (core) 73969: segfault in debug_print_backtrace;
  • (core) 73973: assertion error in debug_zval_dump;
  • (dom) 54382: getAttributeNodeNS doesn't get xmlns* attributes;
  • (dtrace) 73965: DTrace reported as enabled when disabled;
  • (fpm) 67583: double fastcgi_end_request on max_children limit;
  • (fpm) 69865: php-fpm does not close stderr when using syslog;
  • (gd) 73968: Premature failing of XBM reading;
  • (gmp) 69993: test for gmp.h needs to test machine includes;
  • (intl) 73956: Link use CC instead of CXX;
  • (ldap) 73933: error/segfault with ldap_mod_replace and opcache;
  • (mysqli) 73949: leak in mysqli_fetch_object;
  • (mysqlnd) 69899: segfault on close() after free_result() with mysqlnd;
  • (opcache) 73983: crash on finish work with phar in cli + opcache;
  • (openssl) 71519: add serial hex to return value array;
  • (pdo_firebird) 72583: All data are fetched as strings;
  • (pdo_pgsql) 73959: lastInsertId fails to throw an exception for wrong sequence name;
  • (phar) 70417: PharData::compress() doesn't close temp file;
  • (posix) 71219: configure script incorrectly checks for ttyname_r;
  • (session) 69582: session not readable by root in CLI;
  • (spl) 73896: spl_autoload() crashes when calls magic _call();
  • (standard) 69442: closing of fd incorrect when PTS enabled;
  • (standard) 47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked";
  • (standard) 72974: imap is undefined service on AIX;
  • (standard) 72979: money_format stores wrong length AIX;
  • (zip) 70103: ZipArchive::addGlob ignores remove_all_path option.

ea-php71-7.1.2-1.cloudlinux

  • ALTPHP-312: updated PHP version to 7.1.2:

  • (core): Improved GENERATOR_CREATE opcode handler;
  • (core) 73877: readlink() returns garbage for UTF-8 paths;
  • (core) 73876: Crash when exporting **= in expansion of assign op;
  • (core) 73962: bug with symlink related to cyrillic directory;
  • (core) 73969: segfault in debug_print_backtrace;
  • (core) 73994: arginfo incorrect for unpack;
  • (core) 73973: assertion error in debug_zval_dump;
  • (dom) 54382: getAttributeNodeNS doesn't get xmlns* attributes;
  • (dtrace) 73965: DTrace reported as enabled when disabled;
  • (fcgi) 73904: php-cgi fails to load -c specified php.ini file;
  • (fcgi) 72898: PHP_FCGI_CHILDREN is not included in phpinfo();
  • (fpm) 69865: php-fpm does not close stderr when using syslog;
  • (gd) 73968: Premature failing of XBM reading;
  • (gmp) 69993: test for gmp.h needs to test machine includes;
  • (hash): Added hash_hkdf() function;
  • (hash) 73961: environmental build dependency in hash sha3 source;
  • (intl): Fix bug #73956 (Link use CC instead of CXX);
  • (ldap) 73933: error/segfault with ldap_mod_replace and opcache;
  • (mysqli) 73949: leak in mysqli_fetch_object;
  • (mysqlnd) 69899: segfault on close() after free_result() with mysqlnd;
  • (opcache) 73983: crash on finish work with phar in cli + opcache;
  • (openssl) 71519: add serial hex to return value array;
  • (openssl) 73692: Compile ext/openssl with openssl 1.1.0 on Win;
  • (openssl) 73978: openssl_decrypt triggers bug in PDO;
  • (pdo_firebird) 72583: All data are fetched as strings;
  • (pdo_pgsql) 73959: lastInsertId fails to throw an exception for wrong sequence name;
  • (phar) 70417: PharData::compress() doesn't close temp file;
  • (posix) 71219: configure script incorrectly checks for ttyname_r;
  • (session) 69582: session not readable by root in CLI;
  • (spl) 73896: spl_autoload() crashes when calls magic _call();
  • (standard) 69442: closing of fd incorrect when PTS enabled;
  • (standard) 47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked";
  • (standard) 72974: imap is undefined service on AIX;
  • (standard) 72979: money_format stores wrong length AIX;
  • (standard) 73374: intval() with base 0 should detect binary;
  • (standard) 69061: mail.log = syslog contains double information;
  • (zip) 70103: ZipArchive::addGlob ignores remove_all_path option.

To upgrade run the command:

yum upgrade ea-php* --enablerepo=cl-ea4-testing
Categories: Technology

Beta: MySQL Governor updated

CloudLinux - Tue, 21/02/2017 - 17:06

The new updated MySQL Governor is available from updates-testing repository.

MySQL Governor 1.2-15

Changelog:

  • MYSQLG-154: fixed an issue when "dbctl list" displayed IO limits equal to the default when they were less than 1mb/s;
  • MYSQLG-155: MySQL reads restrict users list correctly;
  • MYSQLG-151: systemd related fixes.

To update:

$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ service db_governor restart

To install:

$ yum install governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install
Categories: Technology

What I wish I knew—learn from the founder and entrepreneur coach of TheRickMartinez.com

Microsoft Office - Tue, 21/02/2017 - 17:00

This week, as we celebrate entrepreneurs across the U.S., we have the opportunity to recognize the work they put into their small businesses, the challenges they have faced and the growth they’ve achieved.

Being an entrepreneur is no easy feat. It takes an extraordinary amount of time, thought and energy to overcome hurdles that get in the way while getting started. It is important for entrepreneurs not only to learn from each other but also know how to build their business and their team. They must ensure they have the right tools to bring the two together. There are technology solutions that can make an entrepreneur’s day-to-day tasks easier. From staying connected with their clients through Skype for Business, to easily sharing their work with their team through OneDrive for Business, to maintaining a professional reputation by using the Office Suite—these are just a few tools entrepreneurs can use to improve their business.

We were interested in learning from entrepreneurs so we could better understand the grit, the emotions and the resources they used to be successful. Today, Rick Martinez, founder and entrepreneur coach for TheRickMartinez.com, shares his journey of starting his small business.

Here is his experience:

“My journey as an entrepreneur has brought me full circle. Today, I’m living my dream as a coach to up-and-coming entrepreneurs. It’s a far cry from my first company, a medical staffing business that provided care in military hospitals. I grew that first business from me alone at a desk in my one-bedroom apartment to 600 employees in offices in several states. My registered nurse credential equipped me to navigate the medical space, but running a business was daunting at first. I hadn’t gone to business school; I didn’t have an MBA. But I was driven; I wanted to do things.

“I learned. My company grew. I was now a CEO of a large medical staffing business. My days were mired in issues, from employee problems to the complexities and litigiousness of the medical space. Fitness was my outlet, and it was at a competition that my entire life trajectory changed. A weight fell during a weight-lifting event, crushing my leg: 225 pounds concentrated right above my right knee cap. As a trauma nurse, I saw at once that this was a serious injury, but it paled next to the spiritual impact. Lying on the ground, looking up at the sky, suddenly it hit me: I’d lost my way. My true goal was to care for soldiers, not to administer government contracts. Those were people’s kids in those beds; America’s heroes. I’d lost touch with my original dream. I had become an administrator, not a caregiver. I wanted to touch lives, not push paper. I knew then that I would sell my company. I’d always had this vision of my “someday” ideal life: writing, working one-on-one with people, helping them to make their lives better. So why invest years working at something that wasn’t nourishing my soul, with the goal of eventually living the life I wanted to live? Why not make this shift now?

“I sold the company and became a coach with a group called Entrepreneurs Organization. Traveling all over the world giving one-day seminars to CEOs of small companies, I found that I loved working with early-stage entrepreneurs. But I didn’t like teaching tactical skills like marketing, cash flows, personnel administration. There was usually something deeper blocking these entrepreneurs. They were unable to move themselves—and thus their company—to the next level. That’s how I developed my current coaching business. Now I work with clients one on one to help them move from their current level of success to the next level. What sets me apart from other career coaches? I know my ideal client; I’ve literally walked in their shoes. They are that person who has already achieved a level of success but is trying to move forward to a new level, yet doesn’t know how. My mission is to help rising entrepreneurs clarify their goals and find the focus they need to attain them.

“As I tell them, it’s not the threads on you, it’s the threads of you; it’s the threads of your soul that make you the person you are. That’s the attraction factor; it’s never the suit or the tie. Authenticity fuels your business. I feel almost a moral obligation to get up and prove that every day, especially as I work with these young entrepreneurs and help them stay grounded. Your values are your core; they’re your roots. It’s vital to understand and act upon those values. So here I am, once again, working one on one with people who need me. I started my career in the ultimate caring profession: nursing. After bringing skilled care to people on a large scale, I’m again giving my energy to working directly with clients individually to help them realize their entrepreneurial dreams.”

Learn more

Watch the following video where leaders from Inc 5000’s list of America’s fast-growing companies discuss the power of mentorship and share insights that can help make your business more successful.

Learn from the experts by reading about their experiences and picking up on the wisdom gained while building a business. For more insights from entrepreneurs, get the free eBook, “What I wish I knew: Success secrets from America’s fastest-growing companies.”

Interested in learning more about Office 365? We offer a platform of integrated tools that will give each small business owner and their teams the ability to stay connected and organized with their day-to-day tasks. Start your 30-day free trial today!

Related content

The post What I wish I knew—learn from the founder and entrepreneur coach of TheRickMartinez.com appeared first on Office Blogs.

Categories: Technology
