Transition Technology: Ticket Query

#774: * Advisory ID: DRUPAL-SA-CORE-2014-004

paul — Wed, 06 Aug 2014 19:52:54 GMT

View online: https://www.drupal.org/SA-CORE-2014-004

Advisory ID: DRUPAL-SA-CORE-2014-004
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-August-06
Security risk: 13/25 ( Moderately Critical)

AC:None/A:None/CI:None/II:None/E:Proof/TD:100 [2]

Exploitable from: Remote
Vulnerability: Denial of service

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement [3]).

/A CVE identifier [4] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 7.x versions prior to 7.31.
Drupal core 6.x versions prior to 6.33.

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.31 [5].
If you use Drupal 6.x, upgrade to Drupal core 6.33 [6].

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core [7] project page.

Willis Vandevanter [8]
Nir Goldshlager [9]

Andrew Nacin [10] of the WordPress Security Team
Michael Adams [11] of the WordPress Security Team
Frédéric Marand [12]
David Rothstein [13] of the Drupal Security Team
Damien Tournoud [14] of the Drupal Security Team
Greg Knaddison [15] of the Drupal Security Team
Stéphane Corlosquet [16] of the Drupal Security Team
Dave Reid [17] of the Drupal Security Team

The Drupal Security Team [18] and the WordPress [19] Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

[1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] https://wordpress.org/news/2014/08/wordpress-3-9-2/ [4] http://cve.mitre.org/ [5] http://drupal.org/drupal-7.31-release-notes [6] http://drupal.org/drupal-6.33-release-notes [7] http://drupal.org/project/drupal [8] https://www.drupal.org/user/1867894 [9] https://www.drupal.org/user/2891345 [10] http://profiles.wordpress.org/nacin [11] http://profiles.wordpress.org/mdawaffe [12] https://www.drupal.org/user/27985 [13] https://www.drupal.org/user/124982 [14] https://www.drupal.org/user/22211 [15] https://www.drupal.org/u/greggles [16] https://www.drupal.org/user/52142 [17] https://www.drupal.org/user/53892 [18] http://drupal.org/security-team [19] http://wordpress.org [20] http://drupal.org/contact [21] http://drupal.org/security-team [22] http://drupal.org/writing-secure-code [23] http://drupal.org/security/secure-configuration

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#820: *.transitionnetwork.org 2015 security certificate

chris — Fri, 26 Dec 2014 09:47:49 GMT

The current wild-card *.transitionnetwork.org cert will run out on 24th Jan, this is a ticket to track the time spent renewing it.

See also ticket:795, SHA1 Deprecation: Regenerate all certs using SHA256.

#569: 403s served to editors, admin very slow

ed — Tue, 09 Jul 2013 07:52:32 GMT

Rob is getting 403s when trying to submit his work. Report from 07:12am this morning (Tuesday)

Ed tried to add a blog post at node add:

https://www.transitionnetwork.org/node/add/blog It took nearly 15 seconds to get this published https://www.transitionnetwork.org/blogs/ed-mitchell/2013-07/eds-test-blog-item-check-403

Running admin functions takes ages.This request took well over 30 seconds:

https://www.transitionnetwork.org/admin/content/node/overview

Please advise?

#563: 503 Errors

chris — Wed, 19 Jun 2013 10:59:54 GMT

Original Description

The site is generating a lot of 503 errors, 83 since 6:30am today and there were around 750 yesterday.

#843: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning

chris — Tue, 07 Apr 2015 23:05:33 GMT

Never seen this before:

Date: Tue,  7 Apr 2015 23:46:09 +0100 (BST)
From: root@puffin.webarch.net
To: chris@webarchitects.co.uk
Subject: lfd on puffin.webarch.net: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning
Time:    Tue Apr  7 23:46:09 2015 +0000
IP:      8.8.8.8 (US/United States/google-public-dns-a.google.com)
Hits:    20
Blocked: Temporary Block
Sample of block hits:
Apr  7 23:45:36 puffin kernel: [19823338.636822] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.8.8 DST=81.95.52.103 LEN=162 TOS=0x00 PREC=0x00 TTL=45 ID=65064 PROTO=UDP SPT=53 DPT=48825 LEN=142

I thought set the Google DNS servers for the machine via /etc/resolv.conf but that contains:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

There is /etc/resolvconf/resolv.conf.d/original containing:

nameserver 8.8.8.8
nameserver 8.8.4.4

But I don't know what DNS resolver BOA has installed and the server is using.

#744: Add CSS Injector module to the D6 mix

annesley — Thu, 19 Jun 2014 10:50:03 GMT

CSS Injector module allows admin dynamic adding of CSS in to a live production server without code updates. this is to respond quickly to client needs whilst implementing the requests in the correct place in the themes on the next promotion from dev.

#534: Add accounts for Ben

chris — Fri, 26 Apr 2013 17:16:23 GMT

Ben is a new member of the TTech team and accounts need setting up for him, this is a ticket to track the time taken to do this.

#632: Add accounts for Sam

chris — Mon, 25 Nov 2013 14:41:25 GMT

Following ticket:534

#649: Add commenting to /films/ content type in January

ed — Thu, 12 Dec 2013 10:53:16 GMT

seen here:

https://www.transitionnetwork.org/admin/content/node-type/films

https://www.transitionnetwork.org/films https://www.transitionnetwork.org/films/occupy-love

#643: Add paginator for /films view

ed — Mon, 09 Dec 2013 11:40:08 GMT

Please add pages links for this view: https://www.transitionnetwork.org/admin/build/views/edit/Films?destination=films#views-tab-page_1

10 per page should do it

#684: Adding Paul and Nick to Transition Network on github.org

chris — Thu, 23 Jan 2014 10:42:23 GMT

It looks like Ed and Jim are the only one with permissions to add members to Transition Network on GitHub as they are listed as owners and the rest of us are members.

Paul and Nick can you post you account names to this ticket so you can be added?

Jim could you make me and/or Ben owners as well so we can add people?

#611: Adding Trac Account for Alan

chris — Thu, 17 Oct 2013 12:55:21 GMT

Alan, the other sysadmin at Webarchitects is in a better position than me to help with some of the more complex sysadmin issues so I hope it's OK that I have added an account for him here following the wiki:TracUserAdmin notes.

He is looking at helping with these tickets:

ticket:599 Server time drift
ticket:555 Load spikes causing the TN site to be stopped for 15 min at a time
ticket:593 Migrating Puffin to a ZFS file server

I don't expect he will be recording much time, I hope that is OK, he already has sudo access to all the servers.

#888: Adverts on Transition Network Front Page loaded via flickrit.com embedded content

chris — Sun, 06 Dec 2015 12:25:49 GMT

It it intentional or accidental that adverts from https://secureads.bitbillions.com/ are being loaded on the front page of https://www.transitionnetwork.org/ via the embedded content from flickrit.com?

#610: Aegir database intensive (migrate, clone, restore) tasks hang for larger sites

jim — Tue, 15 Oct 2013 10:18:59 GMT

Large sites (TN.org and variants) will simply not complete their migrate, clone or restore tasks in Aegir.

However, smaller sites are fine, and all tasks work for them.

The process largely completes -- codebase installs, database is cloned, symlinks for sites aliases and files created... BUT the process never completes in Aegir, so the final steps of switching a site's served location never occurs.

Useful links/comments in this issue:

#548: All Admin functions broken on TN.org

ed — Tue, 14 May 2013 07:50:15 GMT

Admins, editors, social reporters cannot create content on TN.org. Choosing to create content leads to homepage. Can't do anything on the admin menu.

Emergency.

#779: Annesley locked out of puffin?

chris — Wed, 27 Aug 2014 14:28:12 GMT

Looks like Annesley's IP has been blocked on wiki:PuffinServer.

#630: Archiving Transition Town Totnes site

ed — Mon, 25 Nov 2013 11:54:35 GMT

Please estimate to archive TTT site as per conversation with Ed:

convert to html
host on Penguin (incl. any likely issues for Penguin doing this)
any ongoing maintenance

Then Ed will discuss with Frances at TTT as per agreement with Chris

#702: Attachments not being deleted from Trustees page

ed — Fri, 21 Mar 2014 17:11:14 GMT

I can't remove the attachments from the Trustees page: https://www.transitionnetwork.org/about/people/trustees

please investigate and sort if you can. We need to remove all the attachments apart from those in 2013.

#798: BOA-2.3.5

chris — Thu, 16 Oct 2014 12:40:58 GMT

The changelog:

### Stable BOA-2.3.5 Release - Full Edition
### Date: Wed Oct 15 16:28:25 PDT 2014
### Includes Aegir 2.1 with improvements
### Latest hotfix added on: Wed Oct 15 20:09:52 PDT 2014
# Release Notes:
  This new BOA release includes important updates and bug fixes.
  * All new Drupal 7 platforms received Drupal core security upgrade.
    For details please read: https://www.drupal.org/SA-CORE-2014-005
  * All existing Drupal 7 built-in platforms will receive a hot-fix for
    this known vulnerability: https://www.drupal.org/SA-CORE-2014-005
    once you will run 'barracuda up-stable' command on your server.
    This procedure is automated on hosted and managed Aegir at Omega8.cc
  * Your custom D7 platforms created in the ~/static directory tree
    will be checked in the next 12 hours after the upgrade, and if you
    have not applied this patch yet, it will be applied automatically
    for you - but only if there is at least one active site present
    in the given custom D7 platform. Note that while this procedure is
    automated on hosted and managed Aegir at Omega8.cc, on self-hosted
    BOA systems it will work only if you will set _PERMISSIONS_FIX=YES
    in /root/.barracuda.cnf (default is NO)
  We recommend that you upgrade your D7 sites using safe workflow:
    https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
# Updated Octopus platforms:
  aGov 1.5 --------------------- https://drupal.org/project/agov
  Commerce 1.31 ---------------- https://drupal.org/project/commerce_kickstart
  Commerce 2.19 ---------------- https://drupal.org/project/commerce_kickstart
  Guardr 1.14 ------------------ https://drupal.org/project/guardr
  Open Atrium 2.22 ------------- https://drupal.org/project/openatrium
  Open Outreach 1.12 ----------- https://drupal.org/project/openoutreach
  OpenPublic 1.2 --------------- https://drupal.org/project/openpublic
  Panopoly 1.12 ---------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
  * Explain that Solr self-provisioning works only if _MODULES_FIX=YES is set.
  * Reverify all sites daily if /root/.force.sites.verify.cnf ctrl file exists
    and _PERMISSIONS_FIX=YES is set in /root/.barracuda.cnf (default is NO)
# Changes in this release:
  * Security: Remove support for SSLv3 due to POODLE vulnerability.
  * Disable Redis in Hostmaster until we will fix the Views based pages/blocks.
  * Disable site_readonly for non-dev sites by default.
  * Drush: Upgrade command line version 6 to mini-6-04-10-2014
  * Enable AllowUserFXP in Pure-FTPd config by default.
  * Remove support for already deprecated non-LTS Ubuntu versions.
  * Run manage_ip_auth_access only once per minute.
  * The INI variable redis_flush_forced_mode is enabled by default (again).
  * Use sysklogd instead of rsyslog on Ubuntu.
# System upgrades in this release:
  * MariaDB 5.5.40
  * Nginx 1.7.6
  * OpenSSH 6.7p1 (if installed from sources)
  * OpenSSL 1.0.1j (if installed from sources) - security upgrade.
  * PHPRedis: master-03-10-2014
# Fixes in this release:
  * Add auto-detection of Legacy Ruby patch level update on old systems.
  * Add cleanup for ghost/broken sites dirs leftovers.
  * Add missing cleanup for backup_migrate leftovers.
  * Always cleanup pid files on exit/abort.
  * Apply patch for SA-CORE-2014-005 in all shared D7 cores/built-in platforms.
  * Compass Tools: Install 1.9.3 ffi expected by older themes.
  * Fix db_port entry in all vhosts hourly.
  * Fix for broken erpal-7.x-2.0-7.31.1
  * Fix for broken site level drushrc.php file.
  * Fix for false alarm caused by ghost sites leftovers.
  * Fix for incorrect hash filtering on systems with OpenSSL built from sources.
  * Fix locales: Numerous fixes and improvements -- thanks ar-jan!
  * Fix typo in REVISIONS.
  * Force site Verify via frontend if drushrc.php has been fixed.
  * Issue #435 - SQL: Remove deprecated table_cache +update table_open_cache
  * Issue #440 - Improve innodb_buffer_pool_size calculation and add 10%
  * Issue #441 - New Relic is not disabled after removing newrelic.info file.
  * Issue #442 - Skip locked/fpmcheck if /root/.high_traffic.cnf exists.
  * Issue #444 - PHP: Remove useless sed replacement in pool.d/www{*}.conf
  * Issue #445 - Remote Import: update 6.x-2.x branch for Aegir 2.x and Drush 6
  * Issue #447 - Export LANG, LANGUAGE and all LC_ environment variables.
  * Issue #447 - Improve locales consistency.
  * Issue #447 - Set default LC_CTYPE and LC_COLLATE environment variables.
  * Issue #447 - Simplify locales configuration on Ubuntu.
  * Issue #448 - Enforce locale settings by configuring defaults.
  * Issue #452 - PHP build is broken with latest MariaDB 5.5.40
  * Make sure that db_port is never empty and defaults to 3306.
  * Make sure that firewall monitoring scripts never run simultaneously.
  * Make sure that standard caching is enabled in hostmaster.
  * Pause hostmaster tasks when RVM install for any user is running.
  * PHP: Do not run rebuilds if not needed.
  * PHP: Fix for broken upgrade logic on libcurl or libssl packages upgrade.
  * Remove acquia_connector from latest Commons to avoid broken installs.
  * Remove all legacy gems and re-install RVM/Ruby for root from scratch.
  * Remove legacy replacement to avoid converting symlinked includes into files.
  * SQL: Use correct defaults if MySQLTuner test failed.
  * Workaround for Drupal flood using 127.0.0.1 for all requests behind proxy.
### Stable BOA-2.3.4 Release - Full Edition
### Date: Wed Oct 15 09:51:08 PDT 2014
### Includes Aegir 2.1 with improvements
  Release Notes and changelog for BOA-2.3.4 has been merged into BOA-2.3.5
  above after security upgrades related to OpenSSL and SSLv3 have been added
  shortly after 2.3.4 release.

I'm going to run this update tonight.

#589: Blocking spammers at a firewall level

chris — Fri, 06 Sep 2013 09:48:59 GMT

At the meeting on 5th September ticket:585 one thing we discussed was that for August 2013:

More data is transferred for /user/register than the front page, 5.1GB compared to 3.6GB.

Most of this will be spam bots trying to register to post spam. Jim suggested that we could look at blocking some of these spam bots at a firewall level to save on resources. This ticket is to follow up on this suggestion.

#565: Blogs breadcrumbs incorrect on listings views

ed — Tue, 25 Jun 2013 13:21:56 GMT

Blogs breadcrumbs are wrong at main all blogs view and one author's full list view: https://www.transitionnetwork.org/blog https://www.transitionnetwork.org/blogs/ed-mitchell

Jim can you sort this in under 15 minutes (which is what you have left)

#544: CSF / LDF false positive blocks on Puffin

chris — Sat, 04 May 2013 11:02:53 GMT

Ticket to keep track of CSF /LDF issues on Puffin, see wiki:PuffinServer#CSFLDF

#628: Change space notifications email from IJK.co.uk to TN.org

ed — Thu, 21 Nov 2013 16:50:37 GMT

The space notifications are coming from "space.transitionnetwork.org" <jim@…>

can you make them from "space.transitionnetwork.org" and a suitable TN address?

Do I need to set up a suitable TN address? Perhaps

space@…?

Or is there a standard drupal system one in place already?

#621: Check and speed up updates to homepage sections: TC and slideshow

ed — Mon, 18 Nov 2013 09:22:59 GMT

Two bits of the homepage are taking ages to update once Rob has made the changes and it's driving him spare. He's waiting up to 30 mins for them to update.

Please speed up the times that it takes the system to update these two parts of the homepage to *instant* if possible:

Slideshow on homepage (AKA: https://www.transitionnetwork.org/admin/build/views/edit/slideshows?destination=newhome#views-tab-panel_pane_1).

Latest Transition Culture Blog pane on Homepage (AKA https://www.transitionnetwork.org/admin/build/views/edit/tc_latest_blog?destination=newhome#views-tab-block_1)

#658: Check caching on Social Reporters views

ed — Mon, 16 Dec 2013 14:59:38 GMT

The SRs are reporting very slow site updates - is this to do with not switching them over to the new views content caching? please check:

https://www.transitionnetwork.org/admin/build/views/edit/blogs?destination=stories#views-tab-panel_pane_2

https://www.transitionnetwork.org/admin/build/block/configure/views/blogs-block_1?destination=newhome

And elsewhere there may be SR latest views?

#896: Chive access to TN Drupal DB

chris — Mon, 18 Jan 2016 17:56:44 GMT

Ade would like to give the developers of the new Transition Network WordPress site access to the live database via Chive.

#624: Comment handling on pages: particularly Austerity one

ed — Tue, 19 Nov 2013 11:16:02 GMT

Rob is doing an austerity special over 8 days, with a different clip from an interview with NEF every day. I've set up a page here: /austerity-basics

Question:

I know we can handle comments on pages, and I know that I don't get notifications of them. Can we arrange comment notifications for a page - asap - so that commenters get updates?

If not, no problem. I heard about this plan *today* so am not expecting any massive tech leaps.

#777: Comments to blog post only showing up when logged in

ed — Mon, 25 Aug 2014 09:18:39 GMT

Most of the comments to this blog post are only showing up when you are logged in: https://www.transitionnetwork.org/blogs/rob-hopkins/2014-07/fiona-ward-learning-celebrate-10000-failure#comment-17492

Logged in: 5 comments Not logged in: 1 comment

Handing this to Sam but happy for it to escalate. Presumably this issue won't be on this one post only - and it is important.

#683: Create Aegir account for Paul

sam — Wed, 22 Jan 2014 12:42:48 GMT

Hi Jim

It looks like i@… will be joining us to pick up some of your work.

Could you create an Aegir account for him please?

I was also wondering about the Transition Network Github repo, do we need to do anything to hand that over?

Thanks

Sam

#822: Create TRAC id for Ade

ed — Wed, 07 Jan 2015 09:54:13 GMT

name: ade email: adestuart@…

#682: Create Trac & Wiki account for Paul

sam — Wed, 22 Jan 2014 12:39:18 GMT

Hi it looks like i@… will be joining us to pick up some of Jim's role as he moves on.

Chris could you create a trac & Wiki account for him please?

His email is; i@…

Thanks

Sam

#705: Create a contents page on TransitionCulture.org Wordpress site

ed — Wed, 26 Mar 2014 15:33:43 GMT

Create a contents page on TC.org to see a listing of all the blog posts. Mike suggests: "use category post list widget to pull in the titles and then use widgetise pages to add widget to a standard page.:

Sam to follow up. MAX time: 1 hour.

#829: Creation of web space request

ade — Mon, 02 Feb 2015 10:11:03 GMT

Hi Chris, As discussed, can you please set up some webspace on Penguin? If you could also set up a sub-domain of 'projects' and confirm the FTP access details?

Many thanks Ade

#208: Dblog Issues

chris — Fri, 17 Dec 2010 14:53:29 GMT

"The dblog module monitors your website, capturing system events in a log to be reviewed by an authorized individual at a later time. The dblog log is simply a list of recorded events containing usage data, performance data, errors, warnings and operational information. It is vital to check the dblog report on a regular basis as it is often the only way to tell what is going on."

https://www.transitionnetwork.org/admin/reports/dblog

This is a ticket to be used to flag up issues that are not going to take up enough time that they justify their own ticket -- if an issue is raised in a comment on this ticket that does look like it's going to take some significant time then best start a new ticket for it.

#663: De-commission the PSE

ed — Wed, 18 Dec 2013 17:44:43 GMT

We are wrapping up the PSE to simplify our web traffic, codebase and support requirements before we move to TNv3.

Ed has informed all the PSE alpha triallists twice and asked them to remove their widgets. About half have. Others say they will. So we can remove the service any time from now on.

Ed has UNpublished the following pages:

/pse/create
/pse/about
/pse/faq

Jim - time to de-commission the service in a suitable way. Wrap this puppy up and turn it off. Please outline what you are going to do on this ticket and then do it.

Ed suggests this is work for January 2014.

Sam, Chris, fyi and any other changes needed?

#218: Debian upgrades and updates

chris — Thu, 06 Jan 2011 13:34:16 GMT

This is a ticket to track debian upgrades to the wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer the time they take.

See:

These updates are generally done using the wiki:AptitudeUpdateScript and this records all the changes in the /root/Changelog and then the contents of the Changelog are pasted into the ticket to document the upgrade.

This ticket was was originally used for the ~~wiki:DevelopmentServer~~ and the ~~wiki:NewLiveServer~~.

#597: Default owner for tickets

chris — Tue, 17 Sep 2013 08:04:58 GMT

Ben reported that the default owner for tickets is laura and that this should be changed.

#572: Design changes for homepage and TC section

ed — Wed, 17 Jul 2013 14:17:25 GMT

Design changes for TN homepage and TC section done by Ben to be part of maintenance budget.

list here: https://docs.google.com/spreadsheet/ccc?key=0An7ZaZdq6UfJdDhxS0JxbXZLYnhLRkN4X3h5aVV3R1E#gid=0

#667: Development handover process

ed — Wed, 08 Jan 2014 16:40:47 GMT

Work by the Ttech team to share Jim's knowledge and tasks around the team before he leaves in early February 2014. Please use this ticket to log your time spent on this.

#696: Disk space error on parrot for TTT site

chris — Mon, 03 Mar 2014 10:51:46 GMT

Email from Laura:

Message appearing at top of ttt website when I just took a look-

Warning: session_start():
open(/home/ttt/tmp/sess_mnme76d2k5s6vopk5u1it126p5, O_RDWR) failed: No
space left on device (28) in
/home/ttt/sites/default/wp-content/plugins/tt-resource-database/participants-database.php
on line 2534

and something in the sidebar -

Warning: call_user_func_array() expects parameter 1 to be a valid
callback, array must have exactly two members in
/home/ttt/sites/default/wp-includes/plugin.php on line 199

#911: Disk space for /home on Parrot is running out

chris — Mon, 30 May 2016 20:58:53 GMT

Getting this alert from ParrotServer every 5 mins:

transitionnetwork.org :: parrot.transitionnetwork.org :: Disk usage in percent
        WARNINGs: /home is 96.06 (outside range [:96]).
        OKs: /run/shm is 0.00, /run is 0.09, /dev is 0.00, / is 95.94, / is 95.94, /run/lock is 0.00.

#531: Disk usage on puffin

chris — Wed, 10 Apr 2013 13:12:24 GMT

The disk usage on puffing is currently at 85% and it's been going up at around 5% a week, see:

https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/df.html

This will become a critical issue in a couple of weeks, it would be good to find and address the cause before then.

#648: Edit the contact form reply in January

ed — Thu, 12 Dec 2013 10:49:39 GMT

Ed has edited the contact form replies for webproject@… on the contact form for TN.org which will now reply to users saying this:

"Thank you for getting in touch. Please note that the website support is part time; and between mid-December 2013 and mid-January 2014 we are handing over the website support work as Ed goes on Paternity leave and Sam comes onboard, so please be patient - your replies are likely to take more time than usual. "

https://www.transitionnetwork.org/admin/build/contact

SAM - when you are ready - probably mid-Jan - you will want to edit this back to something more suitable like:

Thank you for getting in touch. Please note that the website support is part time, so while we will get back to you as soon as we can, that may be a few days

#494: Email account for TRAC

ed — Thu, 21 Feb 2013 10:16:37 GMT

Set up: 'trac@…' Password: going to Chris separately Secure SSL/TLS Settings Username: trac@… Password: Use the email account’s password. Incoming Server: mail.xssl.net IMAP: Port 993 POP3: Port 995 Outgoing Server: mail.xssl.net SMTP: Port 465 Authentication is required for IMAP, POP3, and SMTP.

#751: Email alert changes

ed — Tue, 01 Jul 2014 11:14:42 GMT

Change the email alert template for news items to include the term 'news item' so it is:

"New news item: [title]"

When users click on the subs links at the bottom of their email alerts, and they are not logged in they get the ‘access denied’ screen. This is not good. Please investigate

(a) can this be changed (with small time investment) (b) can we change the access denied blurb to include something human encouraging the user to login to continue the journey:

"We are sorry for the inconvenience, but if you are seeing this screen having followed a link, you will probably need to login to continue with your request" (NB if they are coming from an email link with their id in it, how do we keep that journey so they get to the destinateion they wanted?)

When user clicks on the general subs link at the bottom of an email alert (and is not logged in), they get a 403 forbidden page. Not good - pls investigage

#641: Enable dynamic Munin graphs

chris — Mon, 02 Dec 2013 15:25:45 GMT

If we only generate munin graphs on the fly we will also get the zoom function working, this example config looks good: http://uname.pingveno.net/blog/index.php/post/2013/08/25/Configure-Munin-graphs-with-Nginx-and-Debian-7

#659: Featured story on homepage not updating

ed — Mon, 16 Dec 2013 17:03:41 GMT

Rob cleared the nodequeue for the featured story on the homepage about three hours ago, removed all but one story. No change has been observed. Please investigate:

Nodequeue: https://www.transitionnetwork.org/admin/content/nodequeue/6/view/5

This view: https://www.transitionnetwork.org/admin/build/views/edit/featured_content?destination=newhome#views-tab-panel_pane_1

This is using content cache

#695: File upload problem with TTT WordPress site

chris — Sun, 02 Mar 2014 19:46:50 GMT

Laura has reported:

Had a report this evening that the TTT website isn't letting any uploads happen (adding of a new plugin by another admin, and also media/image uploads not being able to uploaded - no real error message as such just doesn't upload).

I just logged in quickly to see if I could upload a pic to test and wouldn't upload. Just wanted to check if anything had changed server side re permissions.

#679: Filter Initiative by Country not working

sam — Fri, 17 Jan 2014 17:15:58 GMT

Filtering the initiatives by country is not working

https://www.transitionnetwork.org/initiatives?themes=All&community_type=All&status_value=All&country=at&field_title_search=

I had a play with the view on stg2.transitionnetwork.org but I couldn't get it working.

It should display only initiatives from the country selected in the filter. It is displaying initiatives from all countries & not respecting the filter.

This view is used a lot by international initiatives.

#571: Force HTTP for anonymous, HTTPS for logged in users

jim — Tue, 16 Jul 2013 11:59:54 GMT

To further reduce load and leverage the caching I've changed the Session 443 settings to force anon users to HTTP and logged in to HTTPS. The benefit of allowing a handful of users to choose is tiny compared the downsides of outages, 503s and higher load.

The "User state" setting on the config page is now " Redirect authenticated users to HTTPS and redirect anonymous users to HTTP (with the exception of login/registration pages).", was "Redirect authenticated users to HTTPS and redirect anonymous users on login/registration pages to HTTPS. Anonymous users visiting other pages may use HTTP or HTTPS."

I've also set user and site-wide contact forms, plus the mailchimp subs page force secure-only per the "Additional pages to make secure" setting.

We can see if this makes a difference, and this ticket is to track comments and see if it results in any improvement in performance/stability.

#786: GitHub Transition: Annesley needs permission to create repositories

annesley — Mon, 15 Sep 2014 07:17:03 GMT

is Paul the owner of Transition GitHub??

#895: HTTPS wildcard *.transitionnnetwork.org expires on 22nd January 2016

chris — Mon, 11 Jan 2016 09:56:17 GMT

Unless I hear otherwise I'll renew the *.transitionnnetwork.org cert which is used by PuffinServer, PenguinServer and ParrotServer at a cost of £130.50 on or before the 22nd January 2016 when the current one expires.

An alternative would be to use Free HTTPS certificates from Let's Encrypt but this would take some time to set up as Let's Encrypt don't provide wild card certs.

#921: HTTP_PROXY env var vulnerability

chris — Tue, 19 Jul 2016 12:34:30 GMT

See https://httpoxy.org/

#617: Help adding text to account creation email

ed — Mon, 11 Nov 2013 17:16:37 GMT

I want to add a link to the email a user receives following their creation of an account.

this one: Subject: Account details for [user] at Transition Network

Can I do this myself? I've looked in subs, notifications, logintoboggan etc. and can't find the place

is it do-able?

#650: Helping TN strategy consultation with online publishing

ed — Thu, 12 Dec 2013 11:00:08 GMT

Sarah will be working on the TN strategy and this is about the content and comms tactics therein. The guiding principle is to use TN.org as the most suitable place for this material and conversations, and social media and direct mailshots for marketing and communicating it (because Sarah/TN cannot manage multiple conversations in multiple locations atm).

This is work for Sam to do from January onwards

set up a landing page ".../TN-strategy-consultation" with its own RHS block with manual links to different documents and interviews

SAM this can be a normal page with anchor links etc.

Use of blogs
Rob's for outreach - it's got the momentum - for updates/alerts/subscriptions
Sarah's for continuity (and looking back at it) - using tag "fn-strategy-consultation"

other places for comms/engagement
Forums not good; too open to trolls and spam; better in blog comments
webinar? Possibly if suitable
FB, twitter, other marketing channels - for marketing only
online meeting with national hubs - quite possibly

Direct Mail shot to PPOCs
Sarah Let Sam know if this is happening; Sam you'll need to do an export of PPOCs (https://www.transitionnetwork.org/admin/reports/initiatives/primary-contacts), tidy and dump into mail chimp using the standard template

#657: Homepage slideshow: can't order the images

ed — Mon, 16 Dec 2013 14:30:49 GMT

Big picture slideshow on TN homepage: Rob can't get it to go in the order he wants - please investigate:

It is this nodequeue: https://www.transitionnetwork.org/admin/content/nodequeue/9/view/8

Made up with these CTs: https://www.transitionnetwork.org/admin/content/node-type/slide

#906: I borked it

sam — Tue, 01 Mar 2016 22:27:10 GMT

Hi Chris

I recklessly tried to enable a module on the site that enabled sending articles to friends by email, this seems to have been one of my less-good ideas.

It tried to enable a print-friendly page and this seems to have brought the whole crumbling edifice down

Sorry about that. Can you fix it?

#837: Iframe in a panel page

sam — Thu, 12 Mar 2015 11:55:21 GMT

Hi Ben

I'm trying to embed a Eventbrite form into the 'tickets' block on this page: https://www.transitionnetwork.org/conference-2015

It looks like it's going to appear in the preview here: https://www.transitionnetwork.org/node/39195/panel_content

But when I view the actual page it's just a big white space.

Could you estimate how long it would take to get it working?

Thanks

Sam

#703: Image not scaling on project

ed — Wed, 26 Mar 2014 13:06:15 GMT

The REconomy logo is not scaling and being re-presented well on the project page: https://www.transitionnetwork.org/projects/reconomy

Is this a theme/design issue or a problem with image re-sizing?

What can we do about it?

#704: Image not scaling on project

ed — Wed, 26 Mar 2014 13:51:48 GMT

The REconomy logo is not scaling and being re-presented well on the project page: https://www.transitionnetwork.org/projects/reconomy

Is this a theme/design issue or a problem with image re-sizing?

What can we do about it?

#710: Incorrect email address for Sam on Transition Culture

chris — Tue, 01 Apr 2014 12:01:47 GMT

I'm seeing quite a few emails like this:

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Tue, 01 Apr 2014 08:04:28 +0100
To: tc@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
  samrossiter@transitionentwork.org
    Unrouteable address
------ This is a copy of the message, including all the headers. ------
Return-path: <tc@parrot.webarch.net>
Received: from tc (uid=1011)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <tc@parrot.webarch.net>)
        id 1WUskG-0005Rv-Sa
        for samrossiter@transitionentwork.org; Tue, 01 Apr 2014 08:04:28 +0100
To: samrossiter@transitionentwork.org
Subject: [Wordfence Alert] Problems found on Transition Culture
X-PHP-Originating-Script: 1011:class-phpmailer.php
Date: Tue, 1 Apr 2014 07:04:28 +0000
From: WordPress <wordpress@transitionculture.org>
Message-ID: <11e64e1b3cdb24f69d0069ecdc224524@transitionculture.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Wordfence found the following new issues on "Transition Culture".
NOTE: Upgrading to the paid version of Wordfence gives you two factor authentication (sign-in via cellphone)
and country blocking which are both effective methods to block attacks.
You can also schedule when your scans occur with Wordfence Premium.
Click here to sign-up for the Premium version of Wordfence now.
https://www.wordfence.com/wordfence-signup/
Alert generated at Tuesday 1st of April 2014 at 08:04:28 AM
Critical Problems:
* The Plugin "Spam Destroyer" needs an upgrade.

#560: Install drupal-based project management system onto our servers

ed — Tue, 11 Jun 2013 17:00:28 GMT

Please can you install a suitable project management drupal-based tool onto the suitable server? I am thinking of Open Atrium. It's for staff and partners to use for management stuff (ie not a ticketing system or mediawiki).

Open Atrium?

Can you let me know how long it would take to install to a point where I can manage it and get a pilot project up and running?

#673: Install mosh - the mobile shell

chris — Mon, 13 Jan 2014 11:27:40 GMT

The mobile shell enables terminal connections to stay up when using really bad connections, for example on a train, see:

http://mosh.mit.edu/

#553: Invalid response from server ERROR message

ed — Tue, 28 May 2013 15:13:43 GMT

Trying to add a user. Get error message: "Received an Invalid response from the server" then served a blank screen. Same with project profile:

https://www.transitionnetwork.org/admin/user/user/create https://www.transitionnetwork.org/node/add/project-profile

This has also happened for a user trying to add a project.

Ed can add an event and blog post, ingredient, panel page.

#891: Issue with TTT and REconomy websites after upgrade to WP 4.4

chris — Thu, 17 Dec 2015 11:18:38 GMT

Email from Laura:

Just to let you know there's a bit of an oddity going on with both the TTT and Reconomy websites.

I upgraded to WP 4.4 after running full tests on my local copies here, and for some odd reason images aren't showing on the site. If you try to open an image in the browser eg https://www.reconomy.org/wp-content/uploads/2015/10/hubs-logos-landscape.jpg takes you to the - "Server error! The server encountered an internal error and was unable to complete your request Either the server is overloaded or there was an error in a CGI script. Please return to the front page of the site."

I've updated over 20 sites over the past few days (!) and these are the only two this has happened on. There are a few discussions here, (and have tried the temp fix of various functions.php tweaks in the theme files to see if that helps, but it doesn't)... https://wordpress.org/support/topic/after-upgrade-to-44-media-files-are-not-showing and even though sites are not appearing to use SSL wondering if related somehow to that or other? Has this happened to any other WP 4.4 sites on your servers?

I'll let TTT and REconomy know their site has been updated, but there is a glitch at present.

I've also added Wordfence to the sites too as there are swathes of brute force attacks happening on lots of WP sites everywhere currently and this plugin seems to help somewhat currently. I don't think it's the Wordfence plugin, as disabled it to test the missing images issue.

#846: Load Spikes on BOA PuffinServer

chris — Thu, 16 Apr 2015 11:16:00 GMT

Creating this as a ticket to record load spikes and related site outages.

See wiki:PuffinServer#LoadSpikes for links to historic issues of this nature.

#555: Load spikes causing the TN site to be stopped for 15 min at a time

chris — Wed, 29 May 2013 09:53:52 GMT

The BOA /var/xdrago/second.sh script is run every minute via the root crontab and if it detects a certain load level it changes the nginx config to a "high load" config which results in bots being served 503 errors when they spider the site, see ticket:563. When the load goes higher and hits another threshold the second.sh script kills the webserver applications, nginx and php-fpm, and waits till the load has dropped before starting them up again. This was happening once or twice a day following the increase in traffic around the launch of The Power of Just Doing Stuff. This has been addressed by multiplying the thresholds by 5 in second.sh.

Original Description

This morning at 10:19:24 I received the following alert from puffin:

Subject: lfd on puffin.webarch.net: High 5 minute load average alert - 6.59
Time:                    Wed May 29 10:17:02 2013 +0100
1 Min Load Avg:          23.39
5 Min Load Avg:          6.59
15 Min Load Avg:         2.57
Running/Total Processes: 44/326

At 10:21:57 I got an alert regarding ssh:

Service: SSH
Host: puffin
Address: puffin.webarch.net
State: CRITICAL
Date/Time: Wed May 29 10:21:57 BST 2013
Additional Info:
CRITICAL - Socket timeout after 10 seconds

Then at 10:26:47 ssh appeared to have recovered:

Service: SSH
Host: puffin
Address: puffin.webarch.net
State: OK
Date/Time: Wed May 29 10:26:47 BST 2013
Additional Info:
SSH OK - OpenSSH_5.5p1 Debian-6+squeeze3 (protocol 2.0)

But then pingdom reported at 10:29:07:

www.transitionnetwork.org is down since 29/05/2013  10:24:57.

There was then a report regarding Nginx at 10:32:07:

Notification Type: PROBLEM
Service: HTTP
Host: puffin
Address: puffin.webarch.net
State: CRITICAL
Date/Time: Wed May 29 10:32:07 BST 2013
Additional Info:
Connection refused

So at 10:33:47 I ssh'd in and found that php53-fpm and nginx were not running and it took several attempts to get them running again.

The up email from pingdom reported:

www.transitionnetwork.org is UP again at 29/05/2013  10:36:57, after 12m of downtime.

I can't find anything in the logs to indicate what caused the load spike and php-fpm and nginx to stopp running.

#769: Locked myself out of puffin again

annesley — Mon, 04 Aug 2014 08:40:53 GMT

really sorry. locked my IP out of puffin again. please could you clear it?

#207: Logwatch Issues

chris — Fri, 17 Dec 2010 14:19:50 GMT

This is a ticket to track items that show up in the logwatch emails to root and often just take a few mins of reading time and response.

Any issues that look like they might take longer than a few mins should have their own tickets opened.

#592: Many panes on homepage are in italics

ed — Wed, 11 Sep 2013 07:29:50 GMT

they shouldn't be, but they are: ingredient of the day latest tc post featured training why do transition featured resrouce featured project social reporters all automated listings at bottom

please resolve - ben are you around to do this or is it more suitable to ask jim atm?

#708: Map not showing Indian initiative

sam — Thu, 27 Mar 2014 13:44:29 GMT

https://www.transitionnetwork.org/initiatives/heal-soil-csa-community-supported-agriculture Address is correct, but doesn’t appear. The person who put it there doesn’t appear on the people map either, so wondering what’s afoot.

#622: Maps not working on TN.org

ed — Mon, 18 Nov 2013 17:06:59 GMT

https://www.transitionnetwork.org/initiatives/map https://www.transitionnetwork.org/initiatives/exeter-nh-transition-town

please attend

#573: MariaDB 5.5.32 is available for Puffin

chris — Thu, 18 Jul 2013 19:11:24 GMT

I could either update this via aptitude and it would be quick and have little down time or I could update it via BOA and it'll take 3 or 4 times as long and involved extra downtime.

Jim -- which way would you like it done?

The MariaDB project is pleased to announce the immediate availability of MariaDB 5.5.32.

This is a bug-fix release. See the Release Notes and Changelog for details.

MariaDB 5.5.32 Stable (GA)

Release Notes: https://kb.askmonty.org/en/mariadb-5532-release-notes
Changelog: https://kb.askmonty.org/en/mariadb-5532-changelog
http://lists.askmonty.org/pipermail/announce/2013-July/000048.html

#382: Measurement and tracking requirements for TN and PSE

ed — Tue, 13 Dec 2011 04:57:12 GMT

to list the measurement and tracking requirements for TN and PSE so that we can assess piwik vs google and decide which way to go.

#686: MediaWiki 1.19.11 Update

chris — Wed, 29 Jan 2014 09:53:13 GMT

On the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and 1.19.11.

Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandlerxtension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately.

Affected supported versions: All

Security fixes

Netanel Rubin from Check Point discovered a remote code execution vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal review also discovered similar logic in the PdfHandler extension, which could be exploited in a similar way. (CVE-2014-1610) https://bugzilla.wikimedia.org/show_bug.cgi?id=60339
Bug Fixes in 1.22.2

(bug 58253) Check for very old PCRE versions in installer and updater
(bug 60054) Make WikiPage::$mPreparedEdit public
Full release notes for 1.19.9:

https://www.mediawiki.org/wiki/Release_notes/1.19

#813: MediaWiki 1.23.7

chris — Thu, 27 Nov 2014 14:38:47 GMT

The announcement email:

I would like to announce the release of MediaWiki 1.23.7, 1.22.14 and 1.19.22. This is a regular security and maintenance release. Download links are given at the end of this email.

Security fixes

(bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy. https://phabricator.wikimedia.org/T68776 https://phabricator.wikimedia.org/T73478
(bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model. https://phabricator.wikimedia.org/T72901
(bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario. https://phabricator.wikimedia.org/T73111
(bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff. https://phabricator.wikimedia.org/T74222
Bugfixes

(bug 71621) Make allowing site-wide styles on restricted special pages a config option. https://phabricator.wikimedia.org/T73621
(bug 42723) Added updated version history from 1.19.2 to 1.22.13 https://phabricator.wikimedia.org/T44723
$wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.
Full release notes for 1.23.7: https://www.mediawiki.org/wiki/Release_notes/1.23

#816: MediaWiki 1.23.8

chris — Thu, 18 Dec 2014 11:20:43 GMT

The announcement email:

I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of lifetime for MediaWiki 1.22 branch.

Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23

(bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
(bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
Bugfixes

(bug T74222) The original patch for T74222 was reverted as unnecessary.
Fixed a couple of entries in RELEASE-NOTES-1.24.
(bug T76168) OutputPage: Add accessors for some protected properties.
(bug T74834) Make 1.24 branch directly installable under PostgreSQL.
Add missing $ in front of variable in OutputPage.php
Security fixes in extensions

(bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
(bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
(bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed
(bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
(bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing
(bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.
Full release notes for 1.23.8: https://www.mediawiki.org/wiki/Release_notes/1.23

#793: MediaWiki Security and Maintenance Release 1.23.5

chris — Thu, 02 Oct 2014 08:57:49 GMT

Announcement email:

I would like to announce the release of MediaWiki 1.19.20, 1.22.12 and 1.23.5. This is a security release. Download links are given at the end of this email.

Security

(bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
Full release notes for 1.23.5: <https://www.mediawiki.org/wiki/Release_notes/1.23>

#781: MediaWiki Security and Maintenance Releases: 1.22.10 and 1.23.3

chris — Thu, 28 Aug 2014 06:42:16 GMT

Announcement email:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-August/000159.html

Bugfixes only, not a security update so no urgent update required.

#766: MediaWiki Security and Maintenance Update 1.23.2

chris — Wed, 30 Jul 2014 20:56:46 GMT

From the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.23.2, 1.22.9 and 1.19.18. This is a regular security and maintenance release. Download links are given at the end of this email.

Security

(bug 68187) SECURITY: Prepend jsonp callback with comment.
(bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript,instead of relying on the URL in the link that has been clicked.
(bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
Bugfixes in 1.23.2

(bug 68313) Preferences: Turn stubthreshold back into a combo box.
(bug 65214) Fix initSiteStats.php maintenance script.
(bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
Full release notes for 1.23.2: https://www.mediawiki.org/wiki/Release_notes/1.23

Public keys: <https://www.mediawiki.org/keys/keys.html>

1.23.2

Download: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.tar.gz

Patch to previous version (1.23.1): https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.patch.gz

GPG signatures: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.patch.gz.sig

Note: There is no i18n patch as there are no changes in translation.

#799: MediaWiki Visual Editor broken from Parsoid update

chris — Tue, 21 Oct 2014 10:21:54 GMT

After updating Parasoid on ticket:692#comment:102 the MediaWiki visual editor now generates this error:

Error loading data from server: parsoidserver-http-bad-status: 500. Would you like to retry?

#694: Mediawiki 1.19.12 upgrade

chris — Fri, 28 Feb 2014 09:03:20 GMT

On the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.3, 1.21.6 and 1.19.12. These releases fix a number of security related bugs that could affect users of MediaWiki. In addition, MediaWiki 1.22.3 is a maintenance release. It fixes several bugs. You can consult the RELEASE-NOTES-1.22 file for the full list of changes in this version. Download links are given at the end of this email.

Security fixes

(bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non- whitelisted namespace.
(bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
(bug 61362) SECURITY: API: Don't find links in the middle of api.php links.

#700: Mediawiki 1.19.13

chris — Wed, 12 Mar 2014 11:06:44 GMT

From the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.4, 1.21.7 and 1.19.13. Other than the security fix included in 1.19.13, these releases simply fix the bundled version of the tarball. Download links are given at the end of this email.

Security fix backported to 1.19

(bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
Fixes made in all tarballs

The correct branch of each extensions git repository (e.g. REL1_19 for 1.19.13) was used.

#551: Mediawiki 1.19.7 upgrade

chris — Tue, 21 May 2013 08:25:51 GMT

From MediaWiki-announce:

This is a notice that on Tuesday, May 21st between 20:00-21:00 UTC (1-2pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time, with the git repositories updated later that afternoon. Although MediaWiki does not have the vulnerable feature enabled by default, most wiki using common advanced features will want to patch for this issue.

#723: Mediawiki 1.22.6 Upgrade

chris — Mon, 28 Apr 2014 10:10:48 GMT

Announced a few days ago:

I would like to announce the release of MediaWiki 1.22.6 and 1.21.9. This is a regular security and maintenance release. Download links are given at the end of this email. Please note there is no new release of the 1.19 branch, as it is not affected by the security issue.

Security

(bug 63251) SECURITY: escape sortKey in pageInfo.
Bugfixes in 1.21.9

(bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
Full release notes for 1.22.6: https://www.mediawiki.org/wiki/Release_notes/1.22

#733: Mediawiki 1.22.7 security update

chris — Sun, 01 Jun 2014 09:20:53 GMT

See https://www.mediawiki.org/wiki/Release_notes/1.22#MediaWiki_1.22.6

#841: Mediawiki 1.23.9

chris — Wed, 01 Apr 2015 20:26:50 GMT

Email on the announcements list:

I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email.

Security fixes

iSEC Partners discovered a way to circumvent the SVG MIME blacklist for embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed JavaScript in the SVG. The issue was additionally identified by Mario Heiderich / Cure53. MIME types are now whitelisted. https://phabricator.wikimedia.org/T85850
MediaWiki user Bawolff pointed out that the SVG filter to prevent injecting JavaScript using animate elements was incorrect. https://phabricator.wikimedia.org/T86711
MediaWiki user Bawolff reported a stored XSS vulnerability due to the way attributes were expanded in MediaWiki's Html class, in combination with LanguageConverter substitutions. https://phabricator.wikimedia.org/T73394
Internal review discovered that MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript. This issue was also discovered by Mario Gomes from Beyond Security. https://phabricator.wikimedia.org/T88310
iSEC Partners discovered a XSS vulnerability in the way api errors were reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8). MediaWiki now detects and mitigates this issue on older versions of HHVM. https://phabricator.wikimedia.org/T85851
Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that MediaWiki versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords. https://phabricator.wikimedia.org/T64685
iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running under HHVM, was susceptible to "Billion Laughs" DoS attacks (iSEC-WMF1214-13). https://phabricator.wikimedia.org/T85848
Internal review found that MediaWiki is vulnerable to "Quadratic Blowup" DoS attacks, under both HHVM and Zend PHP. https://phabricator.wikimedia.org/T71210
iSEC Partners discovered a way to bypass the style filtering for SVG files (iSEC-WMF1214-3). This could violate the anonymity of users viewing the SVG. https://phabricator.wikimedia.org/T85349
iSEC Partners reported that the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation (iSEC-WMF1214-10). This feature has been removed. https://phabricator.wikimedia.org/T85855
Additionally, the following extensions have been updated to fix security issues:

Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS. https://phabricator.wikimedia.org/T85113
Extension:!CheckUser - iSEC Partners discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users (iSEC-WMF1214-6). Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. https://phabricator.wikimedia.org/T85858
Bug fixes

1.24

Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
(bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.
1.23 & 1.24

(bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

Full release notes:

https://www.mediawiki.org/wiki/Release_notes/1.24
https://www.mediawiki.org/wiki/Release_notes/1.23
https://www.mediawiki.org/wiki/Release_notes/1.19
Download:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz
Patch to previous version:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz
GPG signatures:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig
Extensions:

http://www.mediawiki.org/wiki/Extension:Scribunto
http://www.mediawiki.org/wiki/Extension:CheckUser
Public keys:

https://www.mediawiki.org/keys/keys.html

#669: Mediawiki upgrade to 1.19.10

chris — Sat, 11 Jan 2014 09:00:24 GMT

Email from Mediawiki:

This is a notice that on Tuesday, January 14th between 00:00-01:00 UTC (*Monday* January 13th, 4-5pm PST) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software, as well as several extensions. Downloads and patches will be available at that time.

#618: Migrate Penguin and Parrot to the ZFS fileserver

chris — Fri, 15 Nov 2013 09:37:36 GMT

Since wiki:PuffinServer has been running from the ZFS fileserver, see ticket:593, it has been performing better -- we should also migrate wiki:PenguinServer and wiki:ParrotServer to the ZFS server prior to upgrading them to Debian Wheezy on ticket:535.

#593: Migrating Puffin to a ZFS file server

chris — Wed, 11 Sep 2013 15:52:47 GMT

This ticket is for the migration of PuffinServer to a ZFS file server, this will involve some downtime but should result in better IO and easier backups.

#693: Module security updates: February 2014

sam — Thu, 27 Feb 2014 16:18:04 GMT

Hi Paul

You'll see from this ticket; https://trac.transitionnetwork.org/trac/ticket/582

That the 6.29 > 6.30 core update patches bugs that don't affect us.

However some recent security updates for modules have been released recently; https://www.transitionnetwork.org/admin/reports/updates

Affected modules are;

ctools; https://drupal.org/node/2194547

filefield https://drupal.org/node/2194103

image resizer https://drupal.org/node/2194063

mimemail https://drupal.org/node/2205939

webform https://drupal.org/node/2194181

The ctools & webform ones look like ones we should get on top of soonish, the mimemail one looks like it could be a pain.

Are you up for testing the updates on your local box? We can then figure out how to roll them out to the live site.

Thanks

Sam

#591: Move MySQL temporary directory to tmpfs

jim — Mon, 09 Sep 2013 12:47:41 GMT

Chris, please read: http://2bits.com/articles/reduce-your-servers-resource-usage-moving-mysql-temporary-directory-ram-disk.html

I think we could easily drop a little MySQL memory to give it some in-memory disk space to do the temporary table munching Drupal is causing it. I see there are already some mounted tmpfs partitions.

Related to #590 (proposal L: Review slow query log, explain queries, tweak as necessary/flag poorly behaving modules)

What do you think? Worth doing?

#631: Move Transition Culture onto PARROT

ed — Mon, 25 Nov 2013 11:57:44 GMT

We are about to move TC onto PARROT. List of likely actions here:

Ed speak to Simon (move the host, keep the developer if poss)
Chris speak to Simon about TC issues - traffic, size etc.
analyse TC traffic and DB size
prepare PARROT
move TC

Chris thinks we'll need to up PARROT to VPS2 + 2 GB RAM

#615: Move to GMap 6.x-2.x-dev as and get clusterer to work

jim — Sun, 10 Nov 2013 18:14:51 GMT

This is largely done, but the only tasks left are:

Make a patch and add to our makefile so our custom markers appear ok.
Get the clusterer to work per the comments & issues in comment:1 below.

Per an email I got from Google:

As you may be aware, JavaScript? Maps API v2 was scheduled for shutdown on May 19, 2013. After listening to feedback from developers we decided to extend the deprecation timeline by six months, to November 19, 2013 to allow more time for migration to v3 of the API.

On November 19, 2013 we will deploy a JavaScript? wrapper that attempts to automagically turn remaining v2 maps into v3 maps. Though we expect this wrapper to work for most simple maps, we cannot guarantee that your maps will continue to function. We therefore highly recommend that you migrate to v3 before November 19. The good news is that Google Maps JavaScript? API v3 is more robust and feature rich than v2, and we’ve written a guide to assist the migration.

So this ticket is to do the update to the GMap module, testing and tweaking.

Critical as we only have until 19 November for this...

#760: New BOA-2.2.7 Stable Edition

chris — Thu, 17 Jul 2014 08:34:22 GMT

Email from wiki:PuffinServer:

There is new BOA-2.2.7 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

The Changelog:

### Stable BOA-2.2.5 Release - Full Edition
### Date: Thu May  8 11:59:23 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Sat May 10 09:05:19 PDT 2014
# Release Notes:
  This release includes no new features, but does include bug fixes plus latest
  Drupal 7.28.1 and Pressflow 6.31.2 core in all built-in Octopus platforms.
  There are also three updated distributions included, as listed below.
  We also list here all hot-fixes applied to previous stable after its release.
# Important - Read This First! (for self-hosted BOA only)
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ barracuda up-stable
  $ octopus up-stable all both
  For silent, logged mode with e-mail message sent once the upgrade is
  complete, but no progress is displayed in the terminal window, you can run
  alternatively, starting with screen session to avoid incomplete upgrade
  if your SSH session will be closed for any reason before the upgrade
  will complete:
  $ screen
  $ barracuda up-stable log
  $ octopus up-stable all both log
  Note that the silent, non-interactive mode will automatically say Y/Yes
  to all prompts and is thus useful to run auto-upgrades scheduled in cron.
  If you have skipped some recent BOA releases, and you have new default config
  option: _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,
  plus, you are not sure if you follow best practices for managing permissions
  as recommended in our docs: https://omega8.cc/node/116 then we recommend
  that you change it to _PERMISSIONS_FIX=YES temporarily, or even permanently
  if your VPS is fast enough, and then run this powerful script as root:
  $ bash /var/xdrago/daily.sh
  Note that BOA 'legacy' mode is still at version 2.1.3
# Updated Octopus platforms:
  Commons 3.12 ----------------- https://drupal.org/project/commons
  Open Atrium 2.18 ------------- https://drupal.org/project/openatrium
  Open Outreach 1.6 ------------ https://drupal.org/project/openoutreach
# Changes in this release:
  * Add rsyslog/sysklogd to auto-healing procedures.
  * Make the aggressive scan_nginx mode optional and use old mode by default.
  * Nginx: Add HiScan to blocked crawlers list.
  * Nginx: Add Riddler to blocked crawlers list.
  * PHP: Use pm.process_idle_timeout = 10s for speed and RAM optimization.
# System upgrades in this release:
  * MySecureShell 1.33
  * PHP 5.4.28
  * PHP 5.5.12
# Fixes in this release:
  * Always define _PHP_CN variable properly.
  * Firewall: Sync CONNLIMIT for web ports with updated limit_conn in Nginx.
  * Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
  * Force Pure-FTPd server re-install if key files are missing for any reason.
  * Issue #2237167 - Improve authorized IPs detection in all protected vhosts.
  * Issue #2262935 - Modules dir must be group writable in custom platforms.
  * Nginx: Do not overwrite custom symlinks to the Under Construction template.
  * Nginx: Update limit_conn in all instances and vhosts on Barracuda upgrade.
  * PHP: Delete pear in legacy paths, if still exists.
  * PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
  * Postfix: Force re-install if broken permisions detected on upgrade.
  * Pressflow 6: Fix #GH 84 by using drupal_page_is_cacheable().
  * Pressflow 6: Merge pull request #GH 85 from pressflow/SA-CORE-2014-002-fix.
  * Pressflow 6: Remove duplicate openid_update_6001().
  * Revert "Force MariaDB 5.5 re-install".
  * Set the TERM env variable if missing to avoid errors.
  * Skip packages set on hold when running apticron.
  * The ~/static/control must be writeable by lshell user to manage ctrl files.
  * Add extra cron semaphore to prevent concurrent cron invocations via
    multiple running runner.sh instances.

I can't see any issues that have an immediate impact on us, I'll do the upgrade late one evening.

#765: New BOA-2.2.8 Stable Edition

chris — Sun, 27 Jul 2014 08:08:55 GMT

Email from wiki:PuffinServer:

There is new BOA-2.2.8 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

The Changelog contains:

### Stable BOA-2.2.5 Release - Full Edition
### Date: Thu May  8 11:59:23 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Sat May 10 09:05:19 PDT 2014
# Release Notes:
  This release includes no new features, but does include bug fixes plus latest
  Drupal 7.28.1 and Pressflow 6.31.2 core in all built-in Octopus platforms.
  There are also three updated distributions included, as listed below.
  We also list here all hot-fixes applied to previous stable after its release.
# Important - Read This First! (for self-hosted BOA only)
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ barracuda up-stable
  $ octopus up-stable all both
  For silent, logged mode with e-mail message sent once the upgrade is
  complete, but no progress is displayed in the terminal window, you can run
  alternatively, starting with screen session to avoid incomplete upgrade
  if your SSH session will be closed for any reason before the upgrade
  will complete:
  $ screen
  $ barracuda up-stable log
  $ octopus up-stable all both log
  Note that the silent, non-interactive mode will automatically say Y/Yes
  to all prompts and is thus useful to run auto-upgrades scheduled in cron.
  If you have skipped some recent BOA releases, and you have new default config
  option: _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,
  plus, you are not sure if you follow best practices for managing permissions
  as recommended in our docs: https://omega8.cc/node/116 then we recommend
  that you change it to _PERMISSIONS_FIX=YES temporarily, or even permanently
  if your VPS is fast enough, and then run this powerful script as root:
  $ bash /var/xdrago/daily.sh
  Note that BOA 'legacy' mode is still at version 2.1.3
# Updated Octopus platforms:
  Commons 3.12 ----------------- https://drupal.org/project/commons
  Open Atrium 2.18 ------------- https://drupal.org/project/openatrium
  Open Outreach 1.6 ------------ https://drupal.org/project/openoutreach
# Changes in this release:
  * Add rsyslog/sysklogd to auto-healing procedures.
  * Make the aggressive scan_nginx mode optional and use old mode by default.
  * Nginx: Add HiScan to blocked crawlers list.
  * Nginx: Add Riddler to blocked crawlers list.
  * PHP: Use pm.process_idle_timeout = 10s for speed and RAM optimization.
# System upgrades in this release:
  * MySecureShell 1.33
  * PHP 5.4.28
  * PHP 5.5.12
# Fixes in this release:
  * Always define _PHP_CN variable properly.
  * Firewall: Sync CONNLIMIT for web ports with updated limit_conn in Nginx.
  * Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
  * Force Pure-FTPd server re-install if key files are missing for any reason.
  * Issue #2237167 - Improve authorized IPs detection in all protected vhosts.
  * Issue #2262935 - Modules dir must be group writable in custom platforms.
  * Nginx: Do not overwrite custom symlinks to the Under Construction template.
  * Nginx: Update limit_conn in all instances and vhosts on Barracuda upgrade.
  * PHP: Delete pear in legacy paths, if still exists.
  * PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
  * Postfix: Force re-install if broken permisions detected on upgrade.
  * Pressflow 6: Fix #GH 84 by using drupal_page_is_cacheable().
  * Pressflow 6: Merge pull request #GH 85 from pressflow/SA-CORE-2014-002-fix.
  * Pressflow 6: Remove duplicate openid_update_6001().
  * Revert "Force MariaDB 5.5 re-install".
  * Set the TERM env variable if missing to avoid errors.
  * Skip packages set on hold when running apticron.
  * The ~/static/control must be writeable by lshell user to manage ctrl files.
  * Add extra cron semaphore to prevent concurrent cron invocations via
    multiple running runner.sh instances.

I'll do this update tonight, following wiki:PuffinServer#UpgradingBOA

#775: New BOA-2.2.9 Stable Edition available

chris — Thu, 07 Aug 2014 08:39:18 GMT

Email from wiki:PuffinServer:

There is new BOA-2.2.9 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/boa-changes

The Changelog:

### Stable BOA-2.2.9 Release - Full Edition
### Date: Wed Aug  6 17:08:10 PDT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
  This release includes updated versions of all supported Drupal platforms to
  provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,
  bug fixes, and five (5) updated Octopus platforms.
  NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
  yet, and new Drupal core has been released to fix security issues, followed
  by yet another release to fix serious regressions, followed by yet another
  security release, we have decided to make it available to everyone and release
  yet another stable BOA-2.2.x Edition.
  IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
  of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
  which will allow us to provide newer Aegir version with built-in Drush 6
  support, sites in subdirectories, and many Aegir User Interface improvements.
  If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
  you will not be able to upgrade to the next 2.3.x Edition and you will have to
  stay on the 'legacy' BOA 2.2.x version, which will receive only system
  security upgrades, but no further feature nor bugfix releases.
  This also means that from now on the 'legacy' 2.2.x version will no longer
  receive Drupal core upgrades, even if there will be security core releases.
  It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# Updated Octopus platforms:
  aGov 1.2 --------------------- https://drupal.org/project/agov
  Guardr 1.10 ------------------ https://drupal.org/project/guardr
  Open Outreach 1.9 ------------ https://drupal.org/project/openoutreach
  OpenPublic 1.0-rc4 ----------- https://drupal.org/project/openpublic
  Panopoly 1.10 ---------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
  * RVM: Add exceptions for gems which can't be installed in Limited Shell.
  * Shell: Compass Tools: Allow to access guard.
  * Shell: Improve config to better support advanced Drush commands over SSH.
  * Shell: Improve Drush over SSH experience
# Changes in this release:
  * Drush: Upgrade command line version 6 to mini-6-06-08-2014
# System upgrades in this release:
  * MariaDB 5.5.39
  * Nginx 1.7.4
  * OpenSSL 1.0.1i (if installed from sources)
# Fixes in this release:
  * Add cleanup for .tmp in sub-accounts.
  * Add cleanup for drush-backups leftovers.
  * Add cleanup for various /var/backups/* leftovers.
  * Add daily auto-cleanup for ghost vhosts, platforms and drush aliases.
  * Add exception for symlinked /data/all
  * Add hint for HTTPS-only mode forced in local.settings.php
  * Fix -mtime expected values.
  * Fix cleanup for .restore vhost leftovers.
  * Fix Nginx monitor to respect all whitelisted POST requests in both modes.
  * Fix permissions on sites/all/{modules,libraries,themes} globally.
  * Improve RVM cleanup.
  * Make sure that local IPs are never blocked by mistake.
  * Never touch websh wrapper to avoid high load because of redirect loop.
  * Nginx: Fix limreq also for some really old vhosts.
  * Nginx: Modify only vhosts known as included in the protected mode.
  * Remove debugging mode in old codebases cleanup.
  * Restore default websh wrapper symlink as fast as possible.
  * Run manage_ltd_users every 3 minutes instead of every minute.
  * Update regex for exceptions in Nginx monitoring.

I'll do this update after the meeting tonight.

#784: New BOA-2.3.0

chris — Tue, 09 Sep 2014 08:52:22 GMT

These are the updates from the Changelog:

### Stable BOA-2.3.0 Release - Full Edition
### Date: Mon Sep  8 08:42:01 PDT 2014
### Includes Aegir 2.1 with improvements
# Release Notes:
  This new BOA Edition introduces latest Aegir 2.1 stable version with newest
  Drush 6 in the backend and with support for Drupal sites in subdirectories
  enabled by default, among many other improvements included in this version,
  like tasks list per site, ability to search in the sites list per domain name
  and/or profile, to schedule tasks in batches, to select any existing domain
  alias as a redirect target, but without the need to rename the site, etc.
  While Barracuda 2.3.0 can continue to run and even upgrade if needed also
  the very old PHP 5.2 version, only Octopus instances running at least PHP 5.3
  or newer in both FPM and CLI mode can be upgraded to Octopus 2.3.0 Edition.
  If you are still using PHP 5.2 in your Octopus instance, you will not
  receive Aegir nor Drupal Platforms upgrade, but the Barracuda part of your
  system will receive upgrade to 2.3.0 anyway, so it will be ready to support
  your outdated Octopus instance upgrade as soon as you will switch it to
  modern and secure PHP version -- which is easy!
  Let's quote the original how-to for reference:
#-### Support for PHP FPM/CLI version safe switch per Octopus instance
  This allows to easily switch PHP version by the instance owner w/o system
  admin (root) help. All you need to do is to create ~/static/control/fpm.info
  and ~/static/control/cli.info file with a single line telling the system
  which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3
  Only one of them can be set, but you can use separate versions for web access
  (fpm.info) and the Aegir backend (cli.info). The system will switch versions
  defined via these control files in 5 minutes or less. We use external control
  files and not any option in the Aegir interface to make sure you will never
  lock yourself by switching to version which may cause unexpected problems.
#-### Legacy mode moves to 2.2.x branch
  From now on, the 'legacy' install and upgrade mode available in all meta-
  installers will utilize branch 2.2.x instead of deprecated 2.1.x series.
# Updated Octopus platforms:
  aGov 1.4 --------------------- https://drupal.org/project/agov
  Guardr 1.12 ------------------ https://drupal.org/project/guardr
  Open Academy 1.1 ------------- https://drupal.org/project/openacademy
  Restaurant 1.0-b9 ------------ https://drupal.org/project/restaurant
# New features and enhancements in this release:
  * It is now possible to add stable Octopus instances w/o forcing Barracuda
    upgrade, plus optionally with no platforms added by default -- usage:
    $ boa {in-octopus} {email} {o2} {mini|max|none}
  * Add default aggressive php-fpm monitoring + /root/.no.fpm.cpu.limit.cnf
  * Allow to define always disabled modules via _MODULES_FORCE variable.
  * Better wait limits on connection testing for slow network / long distance.
  * Issue #362 - Add imageapi_optimize binaries via IMG in _XTRAS_LIST
  * Make firewall management faster with randomized schedule.
  * Procs monitor runs every 3 seconds.
  * Run mysql_proc_control every 5 seconds for better results.
# Changes in this release:
  * Delete default profiles in the hostmaster platform.
  * Disable _DEBUG_MODE if not enabled on the fly.
  * Drush: Upgrade command line version 6 to mini-6-06-09-2014
  * Nginx: Remove deprecated code - _HTTP_WILDCARD is already used by default.
  * Nginx: Use limit_conn protection only for known dynamic requests.
  * Remove dependency on Update Manager globally.
  * Set hosting_default_profile to 'minimal' to improve Ubercart 3 visibility.
  * Use Provision CiviCRM boa-2.3.0-dev
# System upgrades in this release:
  * Git 2.1.0 (if installed from sources)
  * PHP 5.3.29 EOL! Please read: http://php.net/archive/2014.php#id2014-08-14-1
  * PHP 5.4.32
  * PHP 5.5.16
  * Redis 2.8.14
# Fixes in this release:
  * Add cleanup for _GIT_FORCE_REINSTALL if added in .barracuda.cnf
  * Add missing drush cache-clear drush to improve upgrade path.
  * Allow to clear drush cache without directory restrictions.
  * Always set correct TMP path for supported users.
  * Cleanup for cron pid files in user specific .tmp dirs.
  * Count properly also symlinked files directories (improved).
  * D6 colorbox module requires old 1.3.18 library.
  * Delete drush_make leftovers.
  * Delete duplicate menu items on upgrade.
  * Do not allow to install SSH from sources on Trusty to avoid problems.
  * Do not skip daily.sh during barracuda system only update.
  * Eldir theme: Use max width for buttons, if possible.
  * Fix cleanup for drush aliases in sub-accounts.
  * Fix daily cleanup for user specific .tmp directories.
  * Fix docs/HINTS.txt
  * Fix for broken mariadb.list
  * Fix for ghost dirs cleanup.
  * Fix for ghost vhosts cleanup.
  * Fix for missing symlinks to existing platforms.
  * Fix for not working protection from blocking local IPs on multi-IP systems.
  * Fix for subdirs_support universal check.
  * Fix for unreliable _IS_OLD check on Octopus instances upgrade.
  * Fix for warning "Could not create directory ." on Hostmaster site Verify.
  * Fix the fields order in the site edit form.
  * Fix the regex to not whitelist unexpected IP ranges inadvertently.
  * Force cURL rebuild if installed with outdated OpenSSL version.
  * Guard against destructive or insecure tasks run on the hostmaster site.
  * Improve cleanup for empty platforms directories.
  * Improve monitoring to protect against convert trying to overload the system.
  * Issue #2330781 - Use Drush dt() wrapper instead of not always available t()
  * Issue #357 - Fix the logic for Git (re)install from sources.
  * Issue #360 - Exclude special --CDN vhosts from daily cleanup.
  * Issue #361 - Update and improve docs/FAQ.txt
  * Issue #369 - Automatically download and fix /bin/websh if missing.
  * Issue #369 - Restore classic /bin/sh symlink automatically if needed.
  * Issue #373 - Set correct TMP, TEMP, TMPDIR env variables in limited shell.
  * Issue #373 - Too restrictive lshell forbidden list breaks drush sql-sync.
  * Issue #380 - Nameserver / pdnsd problem -- Fixes also Issue #2007990.
  * Issue #381 - Zend OPcache forced adds useless noise in the log.
  * Make it clear that subdomain and subdirectory name must be identical.
  * Make sure that keys subdirectory exists to avoid active platforms cleanup.
  * Nginx: Add config symlinks only on legacy instances.
  * Nginx: Add cron access support for subdir sites.
  * Nginx: Disable monitoring for POST requests related to cart/checkout URI.
  * Nginx: Remove deprecated code and config templates.
  * Nginx: Sanitize aliases in vhost_disabled.tpl.php to avoid warnings.
  * Nginx: Update config includes to match optional BOA features improvements.
  * Nginx: Update unified configuration templates in Provision to unfork BOA.
  * Nginx: Update vhosts templates to match BOA improvements.
  * PHP: Avoid unintended duplicate rebuilds.
  * Protect sites/all/drush
  * Provision: Backport provision_hosting_feature_enabled()
  * Provision: Remove legacy subdir code and update checks.
  * Redis config should sync with PHP-CLI, not PHP-FPM.
  * Remove legacy procs monitoring code.
  * Remove no longer needed limreq global fixes.
  * Remove no longer needed/used contrib updates.
  * Remove redundant file_exists() if is_readable() is also used.
  * Restart pdnsd before running barracuda upgrade.
  * Restore BOA formatting for tasks log to improve readability.
  * Restore BOA naming convention and docs in Hostmaster.
  * Restore BOA naming convention for Installation profiles in Hostmaster.
  * Restore BOA strict _hosting_valid_fqdn* testing procedures in Hostmaster.
  * Restore BOA weight defaults in the form in Hostmaster.
  * Restore punycode in Hostmaster.
  * Restore tasks sort to always show tasks scheduled and running at the top.
  * Sanitize cli.info and fpm.info
  * Set _PLATFORMS_LIST properly.
  * Simplify colorbox-1.3.18 download.
  * Simplify colorbox-1.5.13 download.
  * Switch branch on the fly and add support for Aegir vanilla mode.
  * Sync /tmp access restrictions.
  * Update for the Hostmaster welcome page.
  * Update FPM monitoring settings.
  * Use as short labels on the site node as possible.
  * Use correct paths to platform level drushrc.php file.
  * Use Drush6 with @hostmaster.
  * Use is_dir() instead of file_exists() when checking directory existence.
  * Use is_file() and is_link() instead of file_exists() before trying unlink()
  * Use is_readable() and file_exists() instead of file_exists() for backup.
  * Use is_readable() check instead of insufficient file_exists() for includes.
  * Use is_readable() instead of file_exists() when checking alias existence.
  * Install latest Git even if not specified via _XTRAS_LIST but previous
    version built from sources is detected.
  * Issue #2278847 - Derivatives can't be created on install with Drush and
    Aegir or when no vhost is available yet (Drupal Commons)

I can't see any issues that directly impact on us apart from the new version of PHP, we are running PHP Version 5.3.28, the release notes for PHP 5.3.29:

14 Aug 2014

The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively.

PHP 5.3.29 contains about 25 potentially security related fixes backported from PHP 5.4 and 5.5.

More information in the Changelog.

I'll apply this update one evening soon.

#788: New BOA-2.3.3 Stable Edition available

chris — Mon, 15 Sep 2014 09:21:34 GMT

Changelog: http://bit.ly/boa-changes

### Stable BOA-2.3.1 Release - Full Edition
### Date: Sun Sep 14 15:53:25 SGT 2014
### Includes Aegir 2.1 with improvements
### Latest hotfix added on: Mon Sep 15 05:30:37 SGT 2014
# Release Notes:
  This major BOA Edition introduces many new features, changes and fixes.
  You should carefully read about some caveats further below **before** running
  this major upgrade on your system. Please secure a fresh system backup first.
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial/system upgrade modes.
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
  $ barracuda up-stable
  $ octopus up-stable all both
  @=> Key new features:
  * BOA-2.3.1 comes with shiny Aegir 2.1 stable version, finally!
  * Support for Drupal sites in subdirectories is enabled by default
  * Solr 4 cores can be added/updated/deleted via site level INI settings
  * Super-easy to use New Relic support with per Octopus license key
  * Ability to add new Octopus instances with new, simple command syntax
  @=> Aegir control panel new features:
  * The list of sites is searchable by name or installation profile
  * You can schedule tasks against filtered sites in batches
  * Scheduling tasks in batches is available also on the platform view
  * Scheduling tasks in batches is available also on the profile view
  * Each site has its own tasks list available from the site view tab
  * You can schedule tasks also against platforms in batches
  * You can safely apply db updates via 'Run db updates' task on any site
  * It is now possible to choose any existing alias or the main site name
    as a redirect target, but without the need to rename the site --
    it will just re-verify the site and create new vhost automatically
  @=> Other important changes:
  * Support for PHP 5.2 has been officially deprecated
  * The www53 PHP-FPM pool has been switched from port to default socket mode
  * All existing vhosts must use wildcard in the Nginx 'listen' directive
  * Legacy mode for Install and Upgrade moves to 2.2.x branch
  * DB credentials are no longer in settings.php, only in drushrc.php
  * Latest Drush 6 version is used in the Aegir backend by default
  But what if you are not ready for this major upgrade and you would like
  to have more time for testing, but still be able to run system upgrades,
  thus effectively still using previous version 2.2.9 ?
#-### Legacy mode for Install and Upgrade moves to 2.2.x branch
  From now on, the 'legacy' install and upgrade mode available in all meta-
  installers will utilize branch 2.2.x instead of deprecated 2.1.x series.
  This means that starting with meta installers updated to use BOA-2.3.1
  version you can use commands like shown below to update Barracuda, Octopus
  and also to install more Octopus instances, while still using version 2.2.9:
  $ boa in-legacy public server.mydomain.org my@email o1
  $ barracuda up-legacy system
  $ octopus up-legacy o1
  $ boa in-legacy public server.mydomain.org my@email o2 mini
  etc.
  Remember to update your meta-installers first!
  $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
  Note also that if you will upgrade to current 'stable', it is not possible
  to downgrade back to the 'old stable' with 'legacy' mode, so please proceed
  with care!
  Remember also that current legacy version will not receive any further
  updates, even for security issues (besides those provided as packages by
  your OS vendor - Debian or Ubuntu, which will still work), because it is
  already different enough from current 2.3.1 stable, so we can't reliably
  maintain both with working upgrade path.
#-### Caveats: This upgrade will force wildcard in the Nginx 'listen' directive
  If you have old enough BOA system which still uses legacy IP mode and not
  a wildcard in the Nginx 'listen' directive, which is both Aegir and BOA
  standard for a long time already, this upgrade will fix the problem and
  update directives only in vhosts known and controlled by BOA.
  If you have any other vhosts, located in standard or non-standard Nginx/BOA
  directories for vhosts, you have to update them manually after upgrade to
  BOA-2.3.0 or newer, or they will take over all other vhosts on the system
  and cause redirects to /install.php which results with Nginx error 403 or 404,
  depending on the prior configuration.
  It will happen because IP based 'listen' directive in Nginx has higher
  priority, and will mess things horribly if there are vhosts using wildcard
  and some using the main system IP address.
  What and how to replace? Here are commands you need to run as root:
    $ sed -i "s/.*listen.*:80;/  listen  \*:80;/g" /path/to/vhost.file
    $ sed -i "s/.*listen.*:443/  listen  \*:443/g" /path/to/vhost.file
    $ service nginx reload
  Note: this **doesn't** affect special vhosts for SSL enabled sites, if used,
  because they are designed to use IP based 'listen' directives to provide
  separation between SSL enabled IPs and their associated certificates,
  while their associated 'upstream' block may even point to either local or
  remote IP address, so there is no wildcard to use in this case, and it will
  not conflict with all other vhosts managed by Aegir, because all SSL enabled
  vhosts listen on other IP addresses than the main system IP, which is
  by default used by all vhosts with wildcard in the 'listen' directive.
  The problem may happen only when you have vhosts using wildcard and also
  some vhosts using **main** system IP address in the 'listen' directive,
  which may happen also unintentionally during upgrade to BOA-2.3.0 or never,
  if there are either vhosts BOA doesn't control, or there are ghost vhosts
  not yet purged if you didn't upgrade to BOA-2.2.9 before, or there are
  some disabled sites, so their vhosts will not be re-created by Aegir
  during this major upgrade (because only active sites can be re-verified).
  While BOA will fix also any such ghost vhosts anyway, it will not be able
  to detect and fix vhosts outside of the standard directories managed by Aegir.
#-### Ability to add new Octopus instances with new, simple command syntax
  It is now possible to add stable Octopus instances w/o forcing Barracuda
  upgrade, plus optionally with no platforms added by default -- usage:
    $ boa {in-octopus} {email} {o2} {mini|max|none}
#-### The www53 PHP-FPM pool has been switched from port to default socket mode.
  Note that we are breaking backward compatibility here, so it will cause
  downtime on upgrade from any too old BOA version, until you will upgrade also
  Octopus instance(s) and update any other non-standard vhosts or includes
  still using legacy port mode for 'fastcgi_pass' Nginx directive.
  If you have 'fastcgi_pass 127.0.0.1:9090;' in any custom vhost or Nginx
  include file on the Octopus instance, you should replace it with:
    fastcgi_pass unix:/var/run/o1.fpm.socket;
  where 'o1' is your corresponding Octopus system username.
  Note that if you have custom vhosts or includes in the Aegir Master Instance,
  you should instead replace 'fastcgi_pass 127.0.0.1:9090;' with:
    fastcgi_pass unix:/var/run/www53.fpm.socket;
  where '53' is related to PHP version defined via _PHP_FPM_VERSION in your
  /root/.barracuda.cnf file. Note that while variable has a dot, the socket
  name doesn't.
#-### Support for PHP 5.2 has been officially deprecated
  While Barracuda 2.3.1 can continue to run and even upgrade if needed also
  the very old PHP 5.2 version, only Octopus instances running at least PHP 5.3
  or newer in both FPM and CLI mode can be upgraded to Octopus 2.3.1 Edition.
  If you are still using PHP 5.2 in your Octopus instance, you will not
  receive Aegir nor Drupal Platforms upgrade, but the Barracuda part of your
  system will receive upgrade to 2.3.1 anyway, so it will be ready to support
  your outdated Octopus instance upgrade as soon as you will switch it to
  modern and secure PHP version -- which is easy!
  Let's quote the original how-to for reference:
#-### Support for PHP FPM/CLI version safe switch per Octopus instance
  This allows to easily switch PHP version by the instance owner w/o system
  admin (root) help. All you need to do is to create ~/static/control/fpm.info
  and ~/static/control/cli.info file with a single line telling the system
  which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3
  Only one of them can be set, but you can use separate versions for web access
  (fpm.info) and the Aegir backend (cli.info). The system will switch versions
  defined via these control files in 5 minutes or less. We use external control
  files and not any option in the Aegir interface to make sure you will never
  lock yourself by switching to version which may cause unexpected problems.
#-### Support for New Relic monitoring with per Octopus instance license key
  This new feature will disable global New Relic monitoring by deactivating
  server-level license key, so it can safely auto-enable or auto-disable it
  every 5 minutes, but per Octopus instance -- for all sites hosted on
  the given instance -- when a valid license key is present in the special
  new ~/static/control/newrelic.info control file.
  Please note that valid license key is a 40-character hexadecimal string
  that New Relic provides when you sign up for an account.
  To disable New Relic monitoring for the Octopus instance, simply delete
  its ~/static/control/newrelic.info control file and wait a few minutes.
  Please note that on a self-hosted BOA you still need to add your valid
  license key as _NEWRELIC_KEY in the /root/.barracuda.cnf file and run
  system upgrade with at least 'barracuda up-stable' first. This step is
  not required on Omega8.cc hosted service, where New Relic agent is already
  pre-installed for you.
#-### Solr 4 cores can be added/updated/deleted via site level INI settings
;;
;;  This option allows to activate Solr 4 core configuration for the site.
;;
;;  Only Solr 4 powered by Jetty server is available. Supported integration
;;  modules are limited to latest versions of either search_api_solr (D7 only)
;;  or apachesolr (will use Drupal core specific version automatically).
;;
;;  Currently used versions are listed below:
;;
;;    http://ftp.drupal.org/files/projects/search_api_solr-7.x-1.6.tar.gz
;;    http://ftp.drupal.org/files/projects/apachesolr-7.x-1.7.tar.gz
;;    http://ftp.drupal.org/files/projects/apachesolr-6.x-3.0-rc2.tar.gz
;;
;;  Note that you still need to add preferred integration module along with
;;  any its dependencies in your codebase since this feature doesn't modify
;;  your platform or site - it only creates Solr core with configuration
;;  files provided by integration module: schema.xml and solrconfig.xml
;;
;;  This setting affects only the running daily maintenance system behaviour,
;;  so you need to wait until next morning to be able to use new Solr 4 core.
;;
;;  Once the Solr core is ready to use, you will find a special file in your
;;  site directory: sites/foo.com/solr.php with details on how to access
;;  your new Solr core with correct credentials.
;;
;;  The site with enabled Solr core can be safely migrated between platforms,
;;  integration module can be moved within your codebase and even upgraded,
;;  as long as it is using compatible schema.xml and solrconfig.xml files.
;;
;;  Supported values for the solr_integration_module variable:
;;
;;    apachesolr
;;    search_api_solr
;;
;;  To delete existing Solr core simply comment out this line.
;;  The system will cleanly delete existing Solr core next morning.
;;
;solr_integration_module = NO
;;
;;  This option allows to auto-update your Solr 4 core configuration files:
;;
;;    schema.xml
;;    solrconfig.xml
;;
;;  If there is new release for either apachesolr or search_api_solr, your
;;  Solr core will not be automatically upgraded to use newer schema.xml and
;;  solrconfig.xml, unless allowed by switching solr_update_config to YES.
;;
;;  This option will be ignored if you will set solr_custom_config to YES.
;;
;solr_update_config = NO
;;
;;  This option allows to protect custom Solr 4 core configuration files:
;;
;;    schema.xml
;;    solrconfig.xml
;;
;;  To use customized version of either schema.xml or solrconfig.xml, you need
;;  to switch solr_custom_config to YES below and if you are using hosted
;;  Aegir service, submit a support ticket to get these files updated with
;;  your custom versions. On self-hosted BOA simply update these files directly.
;;
;;  Please remember to use Solr 4 compatible config files.
;;
;solr_custom_config = NO
# Updated Octopus platforms:
  aGov 1.4 --------------------- https://drupal.org/project/agov
  Guardr 1.12 ------------------ https://drupal.org/project/guardr
  Open Academy 1.1 ------------- https://drupal.org/project/openacademy
  Restaurant 1.0-b9 ------------ https://drupal.org/project/restaurant
  Ubercart 3.7 ----------------- https://drupal.org/project/ubercart
# New features and enhancements in this release:
  * Ability to add new Octopus instances with new, simple command syntax
  * Add default aggressive php-fpm monitoring + /root/.no.fpm.cpu.limit.cnf
  * Allow to define always disabled modules via _MODULES_FORCE variable.
  * Better wait limits on connection testing for slow network / long distance.
  * Issue #1927522 - Add support for easy Solr cores self-management.
  * Issue #362 - Add imageapi_optimize binaries via IMG in _XTRAS_LIST
  * Issue #376 - Add New Relic support with per Octopus instance license key.
  * Make firewall management faster with randomized schedule.
  * Procs monitor runs every 3 seconds.
  * Run mysql_proc_control every 5 seconds for better results.
  * You can safely apply db updates via 'Run db updates' task on any site.
# Changes in this release:
  * DB credentials are no longer visible in settings.php, only in drushrc.php
  * Delete default profiles in the hostmaster platform.
  * Disable _DEBUG_MODE if not enabled on the fly.
  * Disable newrelic-sysmond unless /root/.enable.newrelic.sysmond.cnf exists.
  * Drush: Upgrade command line version 6 to mini-6-14-09-2014
  * Nginx: Remove deprecated code - _HTTP_WILDCARD is already used by default.
  * Nginx: Use limit_conn protection only for known dynamic requests.
  * Redis Integration Module (cache_backport): Update to version 6.x-1.0-rc2
  * Redis Integration Module: Update to version mod-12-09-2014
  * Remove _ALLOW_UNSUPPORTED legacy and no longer working properly feature.
  * Remove dependency on Update Manager globally.
  * Remove deprecated multi-instance labels in the New Relic configuration.
  * Replace old hosting_civicrm_cron with newer hosting_civicrm module.
  * Set hosting_default_profile to 'minimal' to improve Ubercart 3 visibility.
  * The www53 PHP-FPM pool has been switched from port to default socket mode.
  * Use Provision CiviCRM boa-2.3.1-dev
# System upgrades in this release:
  * cURL 7.38.0 (if installed from sources)
  * Git 2.1.0 (if installed from sources)
  * Jetty 7.6.16.v20140903
  * Jetty 8.1.16.v20140903
  * Jetty 9.2.3.v20140905
  * PHP 5.3.29 EOL! Please read: http://php.net/archive/2014.php#id2014-08-14-1
  * PHP 5.4.32
  * PHP 5.5.16
  * Redis 2.8.14
# Fixes in this release:
  * Add cleanup for _GIT_FORCE_REINSTALL if added in .barracuda.cnf
  * Add missing drush cache-clear drush to improve upgrade path.
  * Add new features in the README.txt
  * Add wheezy to the exceptions list where required.
  * Allow to clear drush cache without directory restrictions.
  * Always set correct TMP path for supported users.
  * Cleanup for cron pid files in user specific .tmp dirs.
  * Count properly also symlinked files directories (improved).
  * D6 colorbox module requires old 1.3.18 library.
  * Delete drush_make leftovers.
  * Delete duplicate menu items on upgrade.
  * Do not allow to install SSH from sources on Trusty to avoid problems.
  * Do not skip daily.sh during barracuda system only update.
  * Eldir theme: Use max width for buttons, if possible.
  * Explain why installing RVM may take longer than expected.
  * Fix cleanup for drush aliases in sub-accounts.
  * Fix daily cleanup for user specific .tmp directories.
  * Fix docs/HINTS.txt
  * Fix for broken mariadb.list
  * Fix for broken, way too aggressive PHP-FPM monitoring.
  * Fix for ghost dirs cleanup.
  * Fix for ghost vhosts cleanup.
  * Fix for missing symlinks to existing platforms.
  * Fix for not working protection from blocking local IPs on multi-IP systems.
  * Fix for subdirs_support universal check.
  * Fix for unreliable _IS_OLD check on Octopus instances upgrade.
  * Fix for warning "Could not create directory ." on Hostmaster site Verify.
  * Fix the fields order in the site edit form.
  * Fix the regex to not whitelist unexpected IP ranges inadvertently.
  * Force cURL rebuild if installed with outdated OpenSSL version.
  * Guard against destructive or insecure tasks run on the hostmaster site.
  * Improve cleanup for empty platforms directories.
  * Improve monitoring to protect against convert trying to overload the system.
  * Issue #2330781 - Use Drush dt() wrapper instead of not always available t()
  * Issue #357 - Fix the logic for Git (re)install from sources.
  * Issue #360 - Exclude special --CDN vhosts from daily cleanup.
  * Issue #361 - Update and improve docs/FAQ.txt
  * Issue #369 - Automatically download and fix /bin/websh if missing.
  * Issue #369 - Restore classic /bin/sh symlink automatically if needed.
  * Issue #373 - Set correct TMP, TEMP, TMPDIR env variables in limited shell.
  * Issue #373 - Too restrictive lshell forbidden list breaks drush sql-sync.
  * Issue #380 - Nameserver / pdnsd problem -- Fixes also Issue #2007990.
  * Issue #381 - Zend OPcache forced adds useless noise in the log.
  * Issue #388 - Version 6.x-2.x of provision_civicrm requires hosting_civicrm
  * Issue #389 - hosting_civicrm breaks site install form with confusing error.
  * Issue #390 - Duplicate platforms nodes are created after upgrade to 2.3.0
  * Issue #395 - Validate username isn't reserved before running install script.
  * Issue #396 - Locale isn't getting set properly.
  * Issue #397 - Not actually prompted for platforms during installation.
  * Issue #398 - Make locales setup/fix for Debian always OS compatible.
  * Issue #399 - The hitimes gem needs to be pre-installed to support Omega4.
  * Issue #400 - CiviCRM is not installed on 2.3.0
  * Issue #401 - Create sites/all/* subdirs in Hostmaster early enough.
  * Issue #402 - Fix for ghost or disabled vhosts which still listen on IP.
  * Issue #405 - Installer hangs due to yes/no dialog - "Untrusted packages"
  * Issue #406 - Force keyring reinstall also upon 'GPG error'.
  * Issue #407 - Fix for 'username is already taken' error on a local VM install
  * Issue #408 - Fix for multiple funny typos. Thanks ar-jan!
  * Make it clear that subdomain and subdirectory name must be identical.
  * Make sure that keys subdirectory exists to avoid active platforms cleanup.
  * Make the PHP-FPM processes monitor less aggressive by default.
  * Nginx: Add config symlinks only on legacy instances.
  * Nginx: Add cron access support for subdir sites.
  * Nginx: Convert all vhosts to wildcard mode on Barracuda upgrade.
  * Nginx: Disable monitoring for POST requests related to cart/checkout URI.
  * Nginx: Do not touch nginx_wild_ssl.conf during this upgrade.
  * Nginx: Improve wildcard conversion procedure on some really old instances.
  * Nginx: Remove deprecated code and config templates.
  * Nginx: Sanitize aliases in vhost_disabled.tpl.php to avoid warnings.
  * Nginx: Update config includes to match optional BOA features improvements.
  * Nginx: Update unified configuration templates in Provision to unfork BOA.
  * Nginx: Update vhosts templates to match BOA improvements.
  * PHP: Avoid unintended duplicate rebuilds.
  * PHP: Sync disable_functions list.
  * Protect sites/all/drush
  * Provision: Backport provision_hosting_feature_enabled()
  * Provision: Remove legacy subdir code and update checks.
  * Redis config should sync with PHP-CLI, not PHP-FPM.
  * Remove legacy procs monitoring code.
  * Remove no longer needed limreq global fixes.
  * Remove no longer needed/used contrib updates.
  * Remove redundant file_exists() if is_readable() is also used.
  * Replace old hosting_civicrm_cron with newer hosting_civicrm module.
  * Restart pdnsd before running barracuda upgrade.
  * Restore BOA formatting for tasks log to improve readability.
  * Restore BOA naming convention and docs in Hostmaster.
  * Restore BOA naming convention for Installation profiles in Hostmaster.
  * Restore BOA strict _hosting_valid_fqdn* testing procedures in Hostmaster.
  * Restore BOA weight defaults in the form in Hostmaster.
  * Restore punycode in Hostmaster.
  * Restore tasks sort to always show tasks scheduled and running at the top.
  * Sanitize cli.info and fpm.info
  * Set _PLATFORMS_LIST properly.
  * Silence early sed replacements to avoid confusion.
  * Simplify colorbox-1.3.18 download.
  * Simplify colorbox-1.5.13 download.
  * Switch branch on the fly and add support for Aegir vanilla mode.
  * Sync /tmp access restrictions.
  * The hosting_civicrm_cron is now a submodule and should be also auto-enabled.
  * The wildcard transition **doesn't** affect vhosts for SSL enabled sites.
  * There is no need to force backend clone from GitHub on initial upgrade.
  * Update for the Hostmaster welcome page.
  * Update FPM monitoring settings.
  * Use as short labels on the site node as possible.
  * Use control files properly to not run redundant Jetty/Solr upgrade.
  * Use correct paths to platform level drushrc.php file.
  * Use correct Provision version on initial upgrade to 2.3.0
  * Use Drush6 with @hostmaster.
  * Use is_dir() instead of file_exists() when checking directory existence.
  * Use is_file() and is_link() instead of file_exists() before trying unlink()
  * Use is_readable() and file_exists() instead of file_exists() for backup.
  * Use is_readable() check instead of insufficient file_exists() for includes.
  * Use is_readable() instead of file_exists() when checking alias existence.
  * Install latest Git even if not specified via _XTRAS_LIST but previous
    version built from sources is detected.
  * Issue #2278847 - Derivatives can't be created on install with Drush and
    Aegir or when no vhost is available yet (Drupal Commons)

Having read through the above it is good to see the switch to use sockets rather than TCP/IP for php-fpm, not sure if there are any other changes that would effect us. I'll do the upgrade one evening this week.

#529: New Barracuda BOA-2.0.7 Edition available

chris — Fri, 05 Apr 2013 08:57:09 GMT

There is new BOA-2.0.7 Edition of Barracuda and Octopus available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

#530: New Barracuda BOA-2.0.8 Edition available

chris — Mon, 08 Apr 2013 07:44:51 GMT

If I had known this was about to come out I would have waited before doing the BOA-2.0.7 upgrade last night on ticket:529

There is new BOA-2.0.8 Edition of Barracuda and Octopus available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

Is mostly to fix a problem for people using Percona, https://drupal.org/node/1962690 and as we are using MariaDB this isn't an issue for us.

Other updates in this version:

Allow to use [a-z0-9] subdomains and not only [www] for IDN domain names.
Change the interval between platforms builds from 5 to 3 seconds.
Forced 1s Speed Booster TTL for vhosts behind local proxy is deprecated.
Move old firewall logs to backups to avoid crazy load after upgrade.
Nginx: Better exceptions handling in the Abuse Guard for js/shs modules.
PHP: CLI is at 5.3 since BOA-2.0.4, so symlink old 5.2 binary path to 5.3
Update _LENNY_TO_SQUEEZE major upgrade procedure.
Update contrib with login_security-7.x-1.2
Use static downloads for all distros in stable edition.

I'll do this update tonight unless there are any objections, hopefully it should be quite quick.