Transition Technology: Ticket Query

#921: HTTP_PROXY env var vulnerability

chris — Tue, 19 Jul 2016 12:34:30 GMT

#920: SSL weirdness?

sam — Thu, 14 Jul 2016 20:20:19 GMT

Hi Chris

So Paul put the site into maintenance mode, took a database dump and then tried to re-enable live mode using the drush command.

It seems it came out of maintenance mode OK, but we're now getting this certificate error.

I have changed the Zone file on Gandi in the meantime, but this doesn't seem to be propagating.

Any ideas?

Thanks

Sam

#911: Disk space for /home on Parrot is running out

chris — Mon, 30 May 2016 20:58:53 GMT

Getting this alert from ParrotServer every 5 mins:

transitionnetwork.org :: parrot.transitionnetwork.org :: Disk usage in percent
        WARNINGs: /home is 96.06 (outside range [:96]).
        OKs: /run/shm is 0.00, /run is 0.09, /dev is 0.00, / is 95.94, / is 95.94, /run/lock is 0.00.

#910: Piwik 2.16.1

chris — Tue, 12 Apr 2016 10:29:09 GMT

The changelog:

Security release

This release is rated critical.

#908: Please enable Google Analytics

sam — Thu, 10 Mar 2016 15:43:56 GMT

Hi all

The web project board has decided to move from Piwik to Google Analytics.

I realise this has significant privacy implications, these were discussed, but it was decided that the move would go ahead.

I have discussed with Ainslie adding an opt out in the form of a link to EFF's Privacy badger: https://www.eff.org/privacybadger This will be added to the cookie pop up bar in the new website.

Could we enable the Google Analytics module on the existing site so I can add in the tracking code.

Thanks

Sam

#906: I borked it

sam — Tue, 01 Mar 2016 22:27:10 GMT

Hi Chris

I recklessly tried to enable a module on the site that enabled sending articles to friends by email, this seems to have been one of my less-good ideas.

It tried to enable a print-friendly page and this seems to have brought the whole crumbling edifice down

Sorry about that. Can you fix it?

#902: Piwik 2.16.0

chris — Sun, 07 Feb 2016 10:41:47 GMT

From the changelog:

What’s new?

Piwik 2.16.0 is a release which includes more than 250 closed issues. To learn about the most important and visible changes, read our blog post: What’s new in Piwik 2.16.0?

This release is our Long Term Support release.

263 tickets have been closed by more than 30 contributors!

#900: Unusal High Load on Puffin

chris — Sun, 31 Jan 2016 12:24:40 GMT

For the first time since the BOA cron jobs were commented out we have had some very high loads on PuffinServer, this is shown in the Munin graphs, I'll post some specific ones in comments to this ticket.

#896: Chive access to TN Drupal DB

chris — Mon, 18 Jan 2016 17:56:44 GMT

Ade would like to give the developers of the new Transition Network WordPress site access to the live database via Chive.

#895: HTTPS wildcard *.transitionnnetwork.org expires on 22nd January 2016

chris — Mon, 11 Jan 2016 09:56:17 GMT

Unless I hear otherwise I'll renew the *.transitionnnetwork.org cert which is used by PuffinServer, PenguinServer and ParrotServer at a cost of £130.50 on or before the 22nd January 2016 when the current one expires.

An alternative would be to use Free HTTPS certificates from Let's Encrypt but this would take some time to set up as Let's Encrypt don't provide wild card certs.

#891: Issue with TTT and REconomy websites after upgrade to WP 4.4

chris — Thu, 17 Dec 2015 11:18:38 GMT

Email from Laura:

Just to let you know there's a bit of an oddity going on with both the TTT and Reconomy websites.

I upgraded to WP 4.4 after running full tests on my local copies here, and for some odd reason images aren't showing on the site. If you try to open an image in the browser eg https://www.reconomy.org/wp-content/uploads/2015/10/hubs-logos-landscape.jpg takes you to the - "Server error! The server encountered an internal error and was unable to complete your request Either the server is overloaded or there was an error in a CGI script. Please return to the front page of the site."

I've updated over 20 sites over the past few days (!) and these are the only two this has happened on. There are a few discussions here, (and have tried the temp fix of various functions.php tweaks in the theme files to see if that helps, but it doesn't)... https://wordpress.org/support/topic/after-upgrade-to-44-media-files-are-not-showing and even though sites are not appearing to use SSL wondering if related somehow to that or other? Has this happened to any other WP 4.4 sites on your servers?

I'll let TTT and REconomy know their site has been updated, but there is a glitch at present.

I've also added Wordfence to the sites too as there are swathes of brute force attacks happening on lots of WP sites everywhere currently and this plugin seems to help somewhat currently. I don't think it's the Wordfence plugin, as disabled it to test the missing images issue.

#888: Adverts on Transition Network Front Page loaded via flickrit.com embedded content

chris — Sun, 06 Dec 2015 12:25:49 GMT

It it intentional or accidental that adverts from https://secureads.bitbillions.com/ are being loaded on the front page of https://www.transitionnetwork.org/ via the embedded content from flickrit.com?

#880: Piwik 2.15.0

chris — Fri, 16 Oct 2015 09:04:00 GMT

The Piwik 2.15.0 changelog:

We are proud to announce Piwik 2.15.0 Release Candidate: a new major release of Piwik!

What’s new?

Piwik 2.15.0 is our Long Term Support release for Piwik 2.X. This release aims to be outstanding from a performance, security, and reliability point of view. It also includes a beautiful new design which lets you focus on your data, and a new awesome search bar to lets you easily navigate to any menu, website or segment in your Piwik dashboards. For administrators and power user, this release includes new diagnostic tools, logging messages, a new Log viewer plugin, and better overall performance and scalability. There are dozens other improvements, see the full list below. Piwik 2.15.0 is built to last.

Security release

This release is rated critical.

We are grateful for Security researchers who disclosed security issues privately to the Piwik Security Response team: Elamaran Venkatraman, Egidio Romano and Dmitriy Shcherbatov. The following vulnerabilities were fixed: XSS, CSRF, possible file inclusion in older PHP versions (low impact), possible Object Injection Vulnerability (low impact).

Database upgrade

This release does not contain any major database upgrade.

Platform Changes

Piwik is an open analytics platform. In an effort to help Piwik developers learn about improvements and changes in the core APIs, we document the changes since the last release.

In this 2.15.0 release there are API deprecations, New features, New APIs, New commmands, Internal API changes.

Read more in Platform Changelog for Developers to see all changes to the platform and APIs (you can also find it in the CHANGELOG.md in the root of your Piwik)

#878: Reconomy.org add subdomains

ade — Thu, 15 Oct 2015 11:35:03 GMT

Hi Chris,
I thought I had added this as a ticket, but does not seem to have come
through.
I have had a request to add the following to the reconomy.org website.
I notice that i do not have permission to do this myself via gandi.net so
could you please add for me.
many thanks
Ade
We're going to need to point the REfund API to a particular subdomain
of the reconomy.org domain in the next few weeks. This will also apply
to the frontend. Is there anyone I can email about this?
Here are the proposed subdomains:
funds.reconomy.org
api.funds.reconomy.org
Both subdomains should point to this IP: 178.62.93.215
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

#869: Piwik 2.14.3

chris — Mon, 24 Aug 2015 12:00:58 GMT

The Piwik Changelog 2.14.3 contains:

Piwik 2.14.3 is a new minor release of Piwik.

What’s new?

This release addresses a regression introduced in 2.14.2 that prevents users from installing Piwik in some cases.

11 tickets have been closed by 5 contributors!

#867: Piwik 2.14.2

chris — Mon, 27 Jul 2015 11:18:26 GMT

The Changelog:

What’s new in Piwik 2.14.2?

In this release we have focused on fixing a few regressions reported in the last major release Piwik 2.14.0, as well as 15 other small improvements. As always we – the Piwik team – are very interested to hear your feedback!

15 tickets have been closed by 6 contributors.

#866: Piwik 2.14.1

chris — Fri, 17 Jul 2015 08:41:34 GMT

The changelog:

What’s new in Piwik 2.14.1?

In this release we have focused on fixing a few regressions reported in the last major release Piwik 2.14.0, as well as 27 other small improvements. As always we – the Piwik team – are very interested to hear your feedback!

27 tickets have been closed by 6 contributors.

#862: Puffin locked

chris — Sat, 27 Jun 2015 15:31:27 GMT

PuffinServer is not responding, I got a Munin email alert, on the Xen console:

[2008077.910371] BUG: soft lockup - CPU#1 stuck for 61s! [munin-node [::f:25444]
[2008077.910371] Modules linked in: joydev sg st sd_mod crc_t10dif sr_mod scsi_mod ide_gd_mod ide_cd_mod ide_core cdrom xt_recent xt_tcpudp xt_connlimit nf_nat_ftp ipt_REDIRECT xt_conntrack iptable_mangle nf_conntrack_ftp ipt_REJECT ipt_LOG xt_limit xt_multiport iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_filter ip_tables x_tables snd_pcm snd_timer snd soundcore snd_page_alloc evdev pcspkr ext4 crc16 jbd2 mbcache dm_mod xen_netfront xen_blkfront
[2008077.910371] CPU 1:
[2008077.910371] Modules linked in: joydev sg st sd_mod crc_t10dif sr_mod scsi_mod ide_gd_mod ide_cd_mod ide_core cdrom xt_recent xt_tcpudp xt_connlimit nf_nat_ftp ipt_REDIRECT xt_conntrack iptable_mangle nf_conntrack_ftp ipt_REJECT ipt_LOG xt_limit xt_multiport iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_filter ip_tables x_tables snd_pcm snd_timer snd soundcore snd_page_alloc evdev pcspkr ext4 crc16 jbd2 mbcache dm_mod xen_netfront xen_blkfront
[2008077.910371] Pid: 25444, comm: munin-node [::f Not tainted 2.6.32-5-xen-amd64 #1
[2008077.910371] RIP: e030:[<ffffffff8100922a>]  [<ffffffff8100922a>] hypercall_page+0x22a/0x1001
[2008077.910371] RSP: e02b:ffff8800988f7ba8  EFLAGS: 00000246
[2008077.910371] RAX: 0000000000040000 RBX: ffffea0006c2eb88 RCX: ffffffff8100922a
[2008077.910371] RDX: 00000000ffffff00 RSI: 0000000000000000 RDI: 0000000000000000
[2008077.910371] RBP: 0000000000000002 R08: 0000000000000002 R09: ffff8801ffc1dd00
[2008077.910371] R10: 0000000000000002 R11: 0000000000000246 R12: ffff88000000ad00
[2008077.910371] R13: ffff880000008000 R14: 0000000000000200 R15: 000000000000000e
[2008077.910371] FS:  00007fefd0bde700(0000) GS:ffff88000bb20000(0000) knlGS:0000000000000000
[2008077.910371] CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[2008077.910371] CR2: 00007fefce124380 CR3: 0000000001001000 CR4: 0000000000000660
[2008077.910371] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[2008077.910371] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[2008077.910371] Call Trace:
[2008077.910371]  [<ffffffff810baa62>] ? free_hot_cold_page+0x1a2/0x1af
[2008077.910371]  [<ffffffff8100e635>] ? xen_force_evtchn_callback+0x9/0xa
[2008077.910371]  [<ffffffff8100ecf2>] ? check_events+0x12/0x20
[2008077.910371]  [<ffffffff8100ecdf>] ? xen_restore_fl_direct_end+0x0/0x1
[2008077.910371]  [<ffffffff8130f142>] ? _spin_unlock_irqrestore+0xd/0xe
[2008077.910371]  [<ffffffff810bd9ca>] ? release_pages+0x16a/0x18d
[2008077.910371]  [<ffffffff8100c1a7>] ? xen_mc_flush+0x159/0x185
[2008077.910371]  [<ffffffff810da555>] ? free_pages_and_swap_cache+0x57/0x73
[2008077.910371]  [<ffffffff810cd5bf>] ? unmap_vmas+0x6cb/0x959
[2008077.910371]  [<ffffffff8100922a>] ? hypercall_page+0x22a/0x1001
[2008077.910371]  [<ffffffff8100922a>] ? hypercall_page+0x22a/0x1001
[2008077.910371]  [<ffffffff810d1bca>] ? exit_mmap+0xc4/0x148
[2008077.910371]  [<ffffffff8104cd95>] ? mmput+0x3c/0xdf
[2008077.910371]  [<ffffffff81050a2e>] ? exit_mm+0x102/0x10d
[2008077.910371]  [<ffffffff81052453>] ? do_exit+0x1f8/0x6c9
[2008077.910371]  [<ffffffff8105299a>] ? do_group_exit+0x76/0x9d
[2008077.910371]  [<ffffffff810529d3>] ? sys_exit_group+0x12/0x16
[2008077.910371]  [<ffffffff81011b42>] ? system_call_fastpath+0x16/0x1b
[2008381.335662] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=122.172.30.208 DST=81.95.52.103 LEN=60 TOS=0x08 PREC=0x20 TTL=55 ID=30880 DF PROTO=TCP SPT=60400 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
[2008384.465057] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=122.172.30.208 DST=81.95.52.103 LEN=60 TOS=0x08 PREC=0x20 TTL=55 ID=30881 DF PROTO=TCP SPT=60400 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
[2008390.255448] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=122.172.30.208 DST=81.95.52.103 LEN=60 TOS=0x08 PREC=0x20 TTL=55 ID=30882 DF PROTO=TCP SPT=60400 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0

#861: Piwik 2.14.0

chris — Wed, 24 Jun 2015 09:04:46 GMT

From the Changelog:

We are proud to announce Piwik 2.14.0: a new major release of Piwik!

What’s new?

[…]

More than 120 tickets have been closed by 13 contributors!

Security release

This release is rated critical.

Three security issues have been fixed. We are grateful for security researchers who responsibly disclosed these security issues to us: Abdullah Hussam Gazi (CSRF issue) and Dmitriy Shcherbatov (two XSS issues).

Database upgrade

This release does not contain any major database upgrade.

Platform Changes

Piwik is an open analytics platform. In an effort to help Piwik developers learn about improvements and changes in the core APIs, we document the changes since the last release.

In this 2.14.0 release there are breaking changes, New features, Library updates, New commmands.

#850: Piwik 2.13.1

chris — Fri, 08 May 2015 10:25:43 GMT

The changelog:

Piwik 2.13.1, a new minor release of Piwik, has been released!

What’s new?

We are releasing 2.13.1 shortly after 2.13.0 to address a few small bugs that were reported by the community. This release also includes a Tracking API performance improvements as well as other minor improvements listed below.

#848: Piwik 2.13.0

chris — Mon, 27 Apr 2015 09:56:54 GMT

From the Changelog:

We are proud to announce Piwik 2.13.0: a new major release of Piwik!

What’s new?

In this release we have focused on improving performance and making Piwik much faster at loading and archiving reports. The dashboard and All websites dashboard will load faster than ever before! This is especially visible if you measure many websites (hundreds of thousands) within your Piwik, the improved Websites Manager will now let you search for websites and page through the list, and the ‘All Websites’ dashboard will now load correctly.

Performance was not our only focus and we also improved the usability and design of some parts of Piwik (such as the Updater and maintenance mode, with more design updates coming in the next releases). Log Analytics, a very popular tool within the Piwik community, has received several improvements. Many other small bugs were closed, and a XSS security bug was reported and fixed in this release.

96 tickets have been closed by 8 contributors!

#846: Load Spikes on BOA PuffinServer

chris — Thu, 16 Apr 2015 11:16:00 GMT

Creating this as a ticket to record load spikes and related site outages.

See wiki:PuffinServer#LoadSpikes for links to historic issues of this nature.

#845: Unneeded FTP server on PuffinServer

chris — Mon, 13 Apr 2015 11:03:12 GMT

The BOA stack installs and runs a FTP server, which we don't need as we use SSH/SFTP and it therefore causes a unneeded load, see ticket:692#comment:177 for an example.

#844: Stable BOA 2.4.2 Release

chris — Fri, 10 Apr 2015 10:34:56 GMT

Looks like all the tickets for BOA 2.4.2 have been closed and it is due to be released today:

https://github.com/omega8cc/boa/milestones

The Changelog has not yet been updated:

https://github.com/omega8cc/boa/blob/master/CHANGELOG.txt

For some unknown reason BOA no longer sends emails when a new version is out so the Changelog will need checking manually.

#843: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning

chris — Tue, 07 Apr 2015 23:05:33 GMT

Never seen this before:

Date: Tue,  7 Apr 2015 23:46:09 +0100 (BST)
From: root@puffin.webarch.net
To: chris@webarchitects.co.uk
Subject: lfd on puffin.webarch.net: 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning
Time:    Tue Apr  7 23:46:09 2015 +0000
IP:      8.8.8.8 (US/United States/google-public-dns-a.google.com)
Hits:    20
Blocked: Temporary Block
Sample of block hits:
Apr  7 23:45:36 puffin kernel: [19823338.636822] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=8.8.8.8 DST=81.95.52.103 LEN=162 TOS=0x00 PREC=0x00 TTL=45 ID=65064 PROTO=UDP SPT=53 DPT=48825 LEN=142

I thought set the Google DNS servers for the machine via /etc/resolv.conf but that contains:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

There is /etc/resolvconf/resolv.conf.d/original containing:

nameserver 8.8.8.8
nameserver 8.8.4.4

But I don't know what DNS resolver BOA has installed and the server is using.

#842: Trac fetchmail

chris — Thu, 02 Apr 2015 12:54:11 GMT

There is a new SSL/TLS certificate at mail.webarch.net so these steps need following: wiki:TransitionTrac#Fetchmail

#841: Mediawiki 1.23.9

chris — Wed, 01 Apr 2015 20:26:50 GMT

Email on the announcements list:

I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email.

Security fixes

iSEC Partners discovered a way to circumvent the SVG MIME blacklist for embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed JavaScript in the SVG. The issue was additionally identified by Mario Heiderich / Cure53. MIME types are now whitelisted. https://phabricator.wikimedia.org/T85850
MediaWiki user Bawolff pointed out that the SVG filter to prevent injecting JavaScript using animate elements was incorrect. https://phabricator.wikimedia.org/T86711
MediaWiki user Bawolff reported a stored XSS vulnerability due to the way attributes were expanded in MediaWiki's Html class, in combination with LanguageConverter substitutions. https://phabricator.wikimedia.org/T73394
Internal review discovered that MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript. This issue was also discovered by Mario Gomes from Beyond Security. https://phabricator.wikimedia.org/T88310
iSEC Partners discovered a XSS vulnerability in the way api errors were reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8). MediaWiki now detects and mitigates this issue on older versions of HHVM. https://phabricator.wikimedia.org/T85851
Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that MediaWiki versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords. https://phabricator.wikimedia.org/T64685
iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running under HHVM, was susceptible to "Billion Laughs" DoS attacks (iSEC-WMF1214-13). https://phabricator.wikimedia.org/T85848
Internal review found that MediaWiki is vulnerable to "Quadratic Blowup" DoS attacks, under both HHVM and Zend PHP. https://phabricator.wikimedia.org/T71210
iSEC Partners discovered a way to bypass the style filtering for SVG files (iSEC-WMF1214-3). This could violate the anonymity of users viewing the SVG. https://phabricator.wikimedia.org/T85349
iSEC Partners reported that the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation (iSEC-WMF1214-10). This feature has been removed. https://phabricator.wikimedia.org/T85855
Additionally, the following extensions have been updated to fix security issues:

Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS. https://phabricator.wikimedia.org/T85113
Extension:!CheckUser - iSEC Partners discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users (iSEC-WMF1214-6). Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. https://phabricator.wikimedia.org/T85858
Bug fixes

1.24

Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
(bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.
1.23 & 1.24

(bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

Full release notes:

https://www.mediawiki.org/wiki/Release_notes/1.24
https://www.mediawiki.org/wiki/Release_notes/1.23
https://www.mediawiki.org/wiki/Release_notes/1.19
Download:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz
Patch to previous version:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz
GPG signatures:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig
Extensions:

http://www.mediawiki.org/wiki/Extension:Scribunto
http://www.mediawiki.org/wiki/Extension:CheckUser
Public keys:

https://www.mediawiki.org/keys/keys.html

#840: Piwik 2.12.1

chris — Tue, 31 Mar 2015 16:31:12 GMT

From the changelog:

Piwik 2.12.1 is a new minor release of Piwik, a follow up to 2.12.0 major release.

In this release we have focused on fixing a regression in the Visitor Log as well as other smaller fixes.

11 tickets have been closed by 5 contributors!

#839: Stable BOA-2.4.1 Release

chris — Tue, 24 Mar 2015 10:44:41 GMT

BOA appears to have stopped sending email to notify that new versions are available, I just manually checked the Changelog and discovered that BOA-2.4.1 came out on 8th March 2015:

### Stable BOA-2.4.1 Release - Full Edition
### Date: Sun Mar  8 14:56:51 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.1
### Latest hotfix added on: Wed Mar 11 11:58:52 PDT 2015
  @=> Includes Aegir Hostmaster 2.x-head with improvements
  @=> Includes Aegir Provision 3.x-head with improvements
  @=> Includes Drush 7.0.0-alpha9 customized for BOA
# Release Notes:
  This new BOA release includes one new and 12 updated Aegir platforms,
  8 new features and enhancements, 15 new software versions, 10 other changes,
  plus over 38 bug fixes, with most notable features and changes listed below:
  @=> Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups
  @=> Add SSL with TLS/SNI on server with one IP, multiple certificates support
  @=> Add support for Octopus batch migration - see docs/MIGRATE.txt for details
  @=> Allow to use _PHP_GEOS=YES with all PHP versions
# New Octopus platforms:
  OpenAid 2.0 ------------------ https://drupal.org/project/openaid
# Updated Octopus platforms:
  Commerce 1.33 ---------------- https://drupal.org/project/commerce_kickstart
  Commerce 2.21 ---------------- https://drupal.org/project/commerce_kickstart
  Commons 2.22 ----------------- https://drupal.org/project/commons
  Commons 3.22 ----------------- https://drupal.org/project/commons
  Drupal 8.0.0-b7 -------------- https://drupal.org/drupal-8.0
  Guardr 2.8 ------------------- https://drupal.org/project/guardr
  OpenAtrium 2.32 -------------- https://drupal.org/project/openatrium
  OpenChurch 2.1-b5 ------------ https://drupal.org/project/openchurch
  OpenOutreach 1.16 ------------ https://drupal.org/project/openoutreach
  OpenScholar 3.20.0 ----------- http://theopenscholar.org
  Panopoly 1.18 ---------------- https://drupal.org/project/panopoly
  Recruiter 1.5 ---------------- https://drupal.org/project/recruiter
# New features and enhancements:
  * Add compatibility with latest VS beng kernel
  * Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups
  * Add support for multivalued fields in SOLR 4 - pull request #626
  * Add support for mysqladmin proc logging
  * Add support for Octopus batch migration - see docs/MIGRATE.txt for details
  * Add support for scout/mysql monitoring
  * CSF: Add popular ports 222 and 2222 to TCP_OUT by default
  * SSL with TLS/SNI on server with one IP, multiple certificates - fixes #465
# Changes:
  * Allow to run automated SQL conversion only weekly
  * Allow to use _PHP_GEOS=YES with all PHP versions
  * Do not send extra nocache cookie on GET requests
  * Drush mini-7-07-03-2015
  * Make barracuda wrapper available on initial install to avoid confusion
  * Nginx: Update for crawlers exceptions list
  * Redis Integration Module: Update to version mod-05-03-2015
  * Remove dependency on legacy Drush 4
  * Use latest Apache Solr Search 6.x-3.x config
  * Use latest Apache Solr Search 7.x-1.x config
# System upgrades:
  * Apache Solr 4.9.1
  * cURL 7.41.0 (if installed from sources)
  * Git 2.3.0 (if installed from sources)
  * Jetty 9.2.7.v20150116
  * MariaDB 10.0.17
  * MariaDB 5.5.42
  * MariaDB Galera Cluster 10.0.17
  * Nginx 1.7.10
  * OpenSSL 1.0.2 (if installed from sources)
  * PHP 5.4.38
  * PHP 5.5.22
  * PHP 5.6.6
  * PHP: ionCube loader 4.7.4
  * Pure-FTPd 1.0.37
  * Ruby 2.2.1
  * Use duplicity 0.7.01 and boto 2.36.0 - fixes #630
  * Vnstat 1.13
# Fixes:
  * [provision] False "load on system too heavy" messages - fixes #619
  * [provision] Issue #2350695 - Profile is registered twice, also as a module
  * [provision] Nginx: Remove webform keyword from regex locations - fixes #599
  * Add also manage_ltd_users to the list - fixes #616
  * Avoid installing New Relic with no valid license key provided - fixes #608
  * Do not add no longer used symlink
  * Do not create conflicting plain HTTP proxy for single IP mode - fixes #465
  * Do not delete backboa while duplicity is running
  * Do not replace any contrib in latest OA - fixes #2420131
  * Do not run D7 core hotfix on already fixed instances
  * Fix for legacy systems autoupdate logic
  * Fix for missing chattr -i on web user update
  * Fix for missing datestamp
  * Fix for too dangerous pdnsd auto-config logic
  * Fix pdnsd restarts procedures - fixes #610
  * Fix permissions for pdnsd if needed
  * Fix variable in autoupboa - pull request #629
  * Force php.ini update
  * Hotfix for cluster instances
  * Hotfix for OpenSSL/cURL versions out of sync
  * How to enable permanent redirect to HTTPS with single IP - #465
  * Issue #2425963 - Broken slider in Commerce Kickstart 2.21
  * Make sure that @hostmaster alias works after migration
  * Provide a patch for older civicrm versions to make them Drush 7 compatible
  * Randomize backups schedule to avoid issues with AWS limits
  * Reload nginx service automatically - #465
  * Remove conflicting pdnsd restarts to avoid race conditions - fixes #610
  * Remove deprecated sysctl options
  * Remove post-install leftovers if needed
  * Single PHP-version installation fails - fixes #598
  * Typo - fixes #539
  * Unable to connect to SOLR on latest head - fixes #623
  * Update installers as expected, also with _SKYNET_MODE=OFF - fixes #644
  * Update meta-installers for new stable
  * Update the upgrade procedure how-to - fixes ##616
  * Use civicrm-4.5.6 compatible with Drush 7
  * Use correct AWS Endpoint when us-east-1 Region is specified
  * Use correct open_basedir for lshell user - fixes #603
  * Use separate loops for symlinks and ghost cleanup
  * Workaround for EntityMalformedException in Open Outreach - fixes #229
  * Workaround for missing interface/lo.pdnsd on legacy systems
  * Workaround for SA-CONTRIB-2015-063 - Webform - Cross Site Scripting

I'll run the upgrade one evening this week.

#838: Piwik 2.12.0

chris — Mon, 23 Mar 2015 10:14:04 GMT

From the Piwik 2.12.0 announcement:

Piwik 2.12.0 is a new major release of Piwik! In this release we have focused on security, performance, and data quality improvements.

What’s new?

Loading reports in the UI will be faster overall, as well as custom date range reports and archiving. There were improvements made in both memory and CPU usage.

When you create a new website in Piwik, it will now show instructions and display the Javascript Tracking code instead of the dashboard, as long as no data has been tracked.

There is a new data quality tool: a console command to geo-locate any past visits which don’t have geo-location data.

There are also important security improvements such as the one-click update which will now be done over secure connection HTTPS, or the fact that the token_auth will be removed from all of the log outputs.

If you use the “Make it flat” feature, you may have noticed it was slow on large datasets: from Piwik 2.12.0 the Flattened reports will now render quickly even on the largest datasets (“Make it flat” is available via the bottom right icon in most reports).

There are also several other bug fixes and improvements: 49 tickets have been closed by 7 contributors! (see the list of issues below)

#837: Iframe in a panel page

sam — Thu, 12 Mar 2015 11:55:21 GMT

Hi Ben

I'm trying to embed a Eventbrite form into the 'tickets' block on this page: https://www.transitionnetwork.org/conference-2015

It looks like it's going to appear in the preview here: https://www.transitionnetwork.org/node/39195/panel_content

But when I view the actual page it's just a big white space.

Could you estimate how long it would take to get it working?

Thanks

Sam

#835: Piwik 2.11.2

chris — Wed, 04 Mar 2015 09:59:13 GMT

From the changelog:

Piwik 2.11.2 is a new minor release of Piwik. In this release we have fixed a few issues that were reported in Piwik 2.11.0 and 2.11.1. 16 tickets have been closed by 8 contributors!

#833: Piwik 2.11.1

chris — Mon, 23 Feb 2015 11:23:59 GMT

Out today, from the changelog:

Piwik 2.11.1 is a new minor release of Piwik. It is a follow up to last week’s major 2.11.0 release. It includes a few bug fixes, in particular a performance regression introduced in 2.11.0. 16 tickets have been closed by 5 contributors!

#832: Piwik 2.11.0

chris — Wed, 18 Feb 2015 13:11:58 GMT

The Changelog for 2.11.0, which came out on February 16, 2015 contains:

Piwik 2.11.0 is a new major release of Piwik!

In this release we have focused on overall reliability, improved Performance, improved Accessibility for visually impaired users, and also we have re-organised the User and Admin Menus for hopefully a better experience. There are even some very interesting new features such as a new icon available in most reports (check it out and let us know what you think!).

128 tickets have been closed by more than 17 contributors, our record number of contributors in one release. Thank you to everyone who participated in this release by reporting or fixing a bug or a new feature.

#831: Rob is having Image upload issues

ade — Tue, 17 Feb 2015 11:37:09 GMT

Hi Paul, Rob in Totnes is creating a blog post and is getting an error whilst trying to upload an image. Initially I thought it could have been a harddrive full issue, but we can see that we have drive room. Sam and I have had a quick look to see if anything obvious, but we are now stumbling a bit. We can replicate the issue by trying to upload an image to a blog post, but cannot see where to find an event log to see if any logs are being generated that may aid in a diagnosis. Could you have a look and let us know your thoughts please? Rob is currently waiting to post a blog so is quite urgent.

Many thanks Ade

#829: Creation of web space request

ade — Mon, 02 Feb 2015 10:11:03 GMT

Hi Chris, As discussed, can you please set up some webspace on Penguin? If you could also set up a sub-domain of 'projects' and confirm the FTP access details?

Many thanks Ade

#828: Site down due to massive load spike 2015-01-29

chris — Thu, 29 Jan 2015 17:09:07 GMT

Seems to be recovering now, this ticket is to try to find the cause.

#827: Stable BOA-2.4.0 Release

chris — Mon, 19 Jan 2015 20:11:09 GMT

No release date yet, but lots of detail in the Changelog:

https://github.com/omega8cc/boa/blob/master/CHANGELOG.txt

2.4.0 issues:

https://github.com/omega8cc/boa/milestones/2.4.0

#826: Switching MX records from United to Google

ed — Thu, 15 Jan 2015 17:15:41 GMT

TN are switching the MX records from United to Google on Friday 23/1/15.

Will this affect the website/Web Architects in any way that we need to plan for in advance? Scripts, web forms etc? Anything you can think of?

#823: Pwiki 2014 annual report

chris — Wed, 07 Jan 2015 12:19:55 GMT

Ed would like a some PDF reports of Transition Network site usage for 2014 from Piwik.

#822: Create TRAC id for Ade

ed — Wed, 07 Jan 2015 09:54:13 GMT

name: ade email: adestuart@…

#820: *.transitionnetwork.org 2015 security certificate

chris — Fri, 26 Dec 2014 09:47:49 GMT

The current wild-card *.transitionnetwork.org cert will run out on 24th Jan, this is a ticket to track the time spent renewing it.

See also ticket:795, SHA1 Deprecation: Regenerate all certs using SHA256.

#817: Piwik 2.10.0

chris — Thu, 18 Dec 2014 11:40:50 GMT

From the changelog:

Note: Piwik 2.10.0 is not released yet – we expect a release around December 25th.

Piwik 2.10.0 is a new major release of Piwik! In this release we have focused on improving performance, adding several features to the Log Analytics tool and fixed dozens of bugs to improve your Piwik experience. Almost 100 issues were closed by 11 contributors!

#816: MediaWiki 1.23.8

chris — Thu, 18 Dec 2014 11:20:43 GMT

The announcement email:

I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of lifetime for MediaWiki 1.22 branch.

Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23

(bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
(bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
Bugfixes

(bug T74222) The original patch for T74222 was reverted as unnecessary.
Fixed a couple of entries in RELEASE-NOTES-1.24.
(bug T76168) OutputPage: Add accessors for some protected properties.
(bug T74834) Make 1.24 branch directly installable under PostgreSQL.
Add missing $ in front of variable in OutputPage.php
Security fixes in extensions

(bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
(bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
(bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed
(bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
(bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing
(bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.
Full release notes for 1.23.8: https://www.mediawiki.org/wiki/Release_notes/1.23

#815: Security updates need to be applied for a couple of contributed modules:

paul — Tue, 16 Dec 2014 13:45:16 GMT

DBTNG Hierarchical Select

#813: MediaWiki 1.23.7

chris — Thu, 27 Nov 2014 14:38:47 GMT

The announcement email:

I would like to announce the release of MediaWiki 1.23.7, 1.22.14 and 1.19.22. This is a regular security and maintenance release. Download links are given at the end of this email.

Security fixes

(bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy. https://phabricator.wikimedia.org/T68776 https://phabricator.wikimedia.org/T73478
(bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model. https://phabricator.wikimedia.org/T72901
(bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario. https://phabricator.wikimedia.org/T73111
(bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff. https://phabricator.wikimedia.org/T74222
Bugfixes

(bug 71621) Make allowing site-wide styles on restricted special pages a config option. https://phabricator.wikimedia.org/T73621
(bug 42723) Added updated version history from 1.19.2 to 1.22.13 https://phabricator.wikimedia.org/T44723
$wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.
Full release notes for 1.23.7: https://www.mediawiki.org/wiki/Release_notes/1.23

#811: WordPress critical security release

chris — Thu, 20 Nov 2014 20:25:07 GMT

From the blog:

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

#810: Piwik 2.9.1

chris — Thu, 20 Nov 2014 14:58:20 GMT

From the changelog:

Piwik 2.9.1 is a new minor release of Piwik. In this release we have fixed a few minor issues reported in 2.9.0.

#807: Piwik 2.9.0

chris — Fri, 14 Nov 2014 10:56:27 GMT

New version of Piwik:

Piwik 2.9.0 is a new major release of Piwik! In this release we have focused on reliability and stability. 58 tickets have been closed by more than 8 contributors!

http://piwik.org/changelog/piwik-2-9-0/

#801: Piwik 2.8.3

chris — Thu, 23 Oct 2014 10:05:14 GMT

New version of Piwik today:

Piwik 2.8.3 is a new minor release of Piwik, fixing an issue discovered in Piwik 2.8.3. 2 tickets have been closed by 2 contributors!

http://piwik.org/changelog/piwik-2-8-3/

And yesterday:

Piwik 2.8.2 is a new minor release of Piwik, fixing an issue affecting some users of Nginx. 6 tickets have been closed by 5 contributors!

http://piwik.org/changelog/piwik-2-8-2/

#800: Piwik 2.8.1

chris — Wed, 22 Oct 2014 09:28:26 GMT

Piwik 2.8.1 is a new minor release of Piwik! In this release we have focused on reliability and bug fixing. 28 tickets have been closed by 7 contributors!

Security fixes

The Piwik team warmly thank security researcher Dingjie Yang for responsibly disclosing a XSS vulnerability occurring in older Internet Explorer browsers.

http://piwik.org/changelog/piwik-2-8-1/

#799: MediaWiki Visual Editor broken from Parsoid update

chris — Tue, 21 Oct 2014 10:21:54 GMT

After updating Parasoid on ticket:692#comment:102 the MediaWiki visual editor now generates this error:

Error loading data from server: parsoidserver-http-bad-status: 500. Would you like to retry?

#798: BOA-2.3.5

chris — Thu, 16 Oct 2014 12:40:58 GMT

The changelog:

### Stable BOA-2.3.5 Release - Full Edition
### Date: Wed Oct 15 16:28:25 PDT 2014
### Includes Aegir 2.1 with improvements
### Latest hotfix added on: Wed Oct 15 20:09:52 PDT 2014
# Release Notes:
  This new BOA release includes important updates and bug fixes.
  * All new Drupal 7 platforms received Drupal core security upgrade.
    For details please read: https://www.drupal.org/SA-CORE-2014-005
  * All existing Drupal 7 built-in platforms will receive a hot-fix for
    this known vulnerability: https://www.drupal.org/SA-CORE-2014-005
    once you will run 'barracuda up-stable' command on your server.
    This procedure is automated on hosted and managed Aegir at Omega8.cc
  * Your custom D7 platforms created in the ~/static directory tree
    will be checked in the next 12 hours after the upgrade, and if you
    have not applied this patch yet, it will be applied automatically
    for you - but only if there is at least one active site present
    in the given custom D7 platform. Note that while this procedure is
    automated on hosted and managed Aegir at Omega8.cc, on self-hosted
    BOA systems it will work only if you will set _PERMISSIONS_FIX=YES
    in /root/.barracuda.cnf (default is NO)
  We recommend that you upgrade your D7 sites using safe workflow:
    https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
# Updated Octopus platforms:
  aGov 1.5 --------------------- https://drupal.org/project/agov
  Commerce 1.31 ---------------- https://drupal.org/project/commerce_kickstart
  Commerce 2.19 ---------------- https://drupal.org/project/commerce_kickstart
  Guardr 1.14 ------------------ https://drupal.org/project/guardr
  Open Atrium 2.22 ------------- https://drupal.org/project/openatrium
  Open Outreach 1.12 ----------- https://drupal.org/project/openoutreach
  OpenPublic 1.2 --------------- https://drupal.org/project/openpublic
  Panopoly 1.12 ---------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
  * Explain that Solr self-provisioning works only if _MODULES_FIX=YES is set.
  * Reverify all sites daily if /root/.force.sites.verify.cnf ctrl file exists
    and _PERMISSIONS_FIX=YES is set in /root/.barracuda.cnf (default is NO)
# Changes in this release:
  * Security: Remove support for SSLv3 due to POODLE vulnerability.
  * Disable Redis in Hostmaster until we will fix the Views based pages/blocks.
  * Disable site_readonly for non-dev sites by default.
  * Drush: Upgrade command line version 6 to mini-6-04-10-2014
  * Enable AllowUserFXP in Pure-FTPd config by default.
  * Remove support for already deprecated non-LTS Ubuntu versions.
  * Run manage_ip_auth_access only once per minute.
  * The INI variable redis_flush_forced_mode is enabled by default (again).
  * Use sysklogd instead of rsyslog on Ubuntu.
# System upgrades in this release:
  * MariaDB 5.5.40
  * Nginx 1.7.6
  * OpenSSH 6.7p1 (if installed from sources)
  * OpenSSL 1.0.1j (if installed from sources) - security upgrade.
  * PHPRedis: master-03-10-2014
# Fixes in this release:
  * Add auto-detection of Legacy Ruby patch level update on old systems.
  * Add cleanup for ghost/broken sites dirs leftovers.
  * Add missing cleanup for backup_migrate leftovers.
  * Always cleanup pid files on exit/abort.
  * Apply patch for SA-CORE-2014-005 in all shared D7 cores/built-in platforms.
  * Compass Tools: Install 1.9.3 ffi expected by older themes.
  * Fix db_port entry in all vhosts hourly.
  * Fix for broken erpal-7.x-2.0-7.31.1
  * Fix for broken site level drushrc.php file.
  * Fix for false alarm caused by ghost sites leftovers.
  * Fix for incorrect hash filtering on systems with OpenSSL built from sources.
  * Fix locales: Numerous fixes and improvements -- thanks ar-jan!
  * Fix typo in REVISIONS.
  * Force site Verify via frontend if drushrc.php has been fixed.
  * Issue #435 - SQL: Remove deprecated table_cache +update table_open_cache
  * Issue #440 - Improve innodb_buffer_pool_size calculation and add 10%
  * Issue #441 - New Relic is not disabled after removing newrelic.info file.
  * Issue #442 - Skip locked/fpmcheck if /root/.high_traffic.cnf exists.
  * Issue #444 - PHP: Remove useless sed replacement in pool.d/www{*}.conf
  * Issue #445 - Remote Import: update 6.x-2.x branch for Aegir 2.x and Drush 6
  * Issue #447 - Export LANG, LANGUAGE and all LC_ environment variables.
  * Issue #447 - Improve locales consistency.
  * Issue #447 - Set default LC_CTYPE and LC_COLLATE environment variables.
  * Issue #447 - Simplify locales configuration on Ubuntu.
  * Issue #448 - Enforce locale settings by configuring defaults.
  * Issue #452 - PHP build is broken with latest MariaDB 5.5.40
  * Make sure that db_port is never empty and defaults to 3306.
  * Make sure that firewall monitoring scripts never run simultaneously.
  * Make sure that standard caching is enabled in hostmaster.
  * Pause hostmaster tasks when RVM install for any user is running.
  * PHP: Do not run rebuilds if not needed.
  * PHP: Fix for broken upgrade logic on libcurl or libssl packages upgrade.
  * Remove acquia_connector from latest Commons to avoid broken installs.
  * Remove all legacy gems and re-install RVM/Ruby for root from scratch.
  * Remove legacy replacement to avoid converting symlinked includes into files.
  * SQL: Use correct defaults if MySQLTuner test failed.
  * Workaround for Drupal flood using 127.0.0.1 for all requests behind proxy.
### Stable BOA-2.3.4 Release - Full Edition
### Date: Wed Oct 15 09:51:08 PDT 2014
### Includes Aegir 2.1 with improvements
  Release Notes and changelog for BOA-2.3.4 has been merged into BOA-2.3.5
  above after security upgrades related to OpenSSL and SSLv3 have been added
  shortly after 2.3.4 release.

I'm going to run this update tonight.

#797: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

chris — Wed, 15 Oct 2014 12:49:39 GMT

Check which serives are available with SSLv3.0, see:

and disable SSLv3.0 where it is being offered.

#796: Piwik 2.8.0

chris — Tue, 14 Oct 2014 09:20:54 GMT

Piwik 2.8.0 is a new major release of Piwik. In this release we have focused on reliability, usability and security. 57 tickets have been closed by 12 contributors!

This release is rated critical.

http://piwik.org/changelog/piwik-2-8-0/

#795: SHA1 Deprecation: Regenerate all certs using SHA256

chris — Fri, 10 Oct 2014 20:37:49 GMT

SHA1 SSL certs and chains are now flagged at SSLLabs, see SHA1 Deprecation: What You Need to Know, however Gandi doesn't yet support SHA256, see SHAAAAAAAAAAAAA which links to this tweet, when they do support SHA256 all the keys, certs and chains will need updating.

#793: MediaWiki Security and Maintenance Release 1.23.5

chris — Thu, 02 Oct 2014 08:57:49 GMT

Announcement email:

I would like to announce the release of MediaWiki 1.19.20, 1.22.12 and 1.23.5. This is a security release. Download links are given at the end of this email.

Security

(bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
Full release notes for 1.23.5: <https://www.mediawiki.org/wiki/Release_notes/1.23>

#791: Piwik 2.7.0

chris — Thu, 25 Sep 2014 17:29:12 GMT

The changelog for 2.7.0 contains:

Piwik 2.7.0 is a new major release of Piwik!

What’s new in 2.7.0?

In this release we have packed several major new features and many small improvements. The new features in this release are: User ID, New Pivot Table feature for Events reports, new plugin to count users visiting several of your websites, new Content Tracking plugin, new Browser language Report listing the user language codes, and more (see below the list of all issues that were closed in this release).

63 tickets have been closed by 15 contributors!

Database upgrade

Note: This release contains major database upgrades and upgrading your database will take a long time if you have a lot of data in your database.
Exceptionally when you upgrade your Piwik to 2.7.0 you will run through the Upgrade screen twice (instead of only once as usual). If you use the command line you will have to execute the command ‘./console core:update’ twice. This is expected and normal behavior for this release.
-> Check out this CHANGELOG.md file (in the root of Piwik) to see all changes to the platform and APIs.

https://github.com/piwik/piwik/blob/master/CHANGELOG.md#piwik-platform-changelog

#788: New BOA-2.3.3 Stable Edition available

chris — Mon, 15 Sep 2014 09:21:34 GMT

Changelog: http://bit.ly/boa-changes

### Stable BOA-2.3.1 Release - Full Edition
### Date: Sun Sep 14 15:53:25 SGT 2014
### Includes Aegir 2.1 with improvements
### Latest hotfix added on: Mon Sep 15 05:30:37 SGT 2014
# Release Notes:
  This major BOA Edition introduces many new features, changes and fixes.
  You should carefully read about some caveats further below **before** running
  this major upgrade on your system. Please secure a fresh system backup first.
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial/system upgrade modes.
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
  $ barracuda up-stable
  $ octopus up-stable all both
  @=> Key new features:
  * BOA-2.3.1 comes with shiny Aegir 2.1 stable version, finally!
  * Support for Drupal sites in subdirectories is enabled by default
  * Solr 4 cores can be added/updated/deleted via site level INI settings
  * Super-easy to use New Relic support with per Octopus license key
  * Ability to add new Octopus instances with new, simple command syntax
  @=> Aegir control panel new features:
  * The list of sites is searchable by name or installation profile
  * You can schedule tasks against filtered sites in batches
  * Scheduling tasks in batches is available also on the platform view
  * Scheduling tasks in batches is available also on the profile view
  * Each site has its own tasks list available from the site view tab
  * You can schedule tasks also against platforms in batches
  * You can safely apply db updates via 'Run db updates' task on any site
  * It is now possible to choose any existing alias or the main site name
    as a redirect target, but without the need to rename the site --
    it will just re-verify the site and create new vhost automatically
  @=> Other important changes:
  * Support for PHP 5.2 has been officially deprecated
  * The www53 PHP-FPM pool has been switched from port to default socket mode
  * All existing vhosts must use wildcard in the Nginx 'listen' directive
  * Legacy mode for Install and Upgrade moves to 2.2.x branch
  * DB credentials are no longer in settings.php, only in drushrc.php
  * Latest Drush 6 version is used in the Aegir backend by default
  But what if you are not ready for this major upgrade and you would like
  to have more time for testing, but still be able to run system upgrades,
  thus effectively still using previous version 2.2.9 ?
#-### Legacy mode for Install and Upgrade moves to 2.2.x branch
  From now on, the 'legacy' install and upgrade mode available in all meta-
  installers will utilize branch 2.2.x instead of deprecated 2.1.x series.
  This means that starting with meta installers updated to use BOA-2.3.1
  version you can use commands like shown below to update Barracuda, Octopus
  and also to install more Octopus instances, while still using version 2.2.9:
  $ boa in-legacy public server.mydomain.org my@email o1
  $ barracuda up-legacy system
  $ octopus up-legacy o1
  $ boa in-legacy public server.mydomain.org my@email o2 mini
  etc.
  Remember to update your meta-installers first!
  $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
  Note also that if you will upgrade to current 'stable', it is not possible
  to downgrade back to the 'old stable' with 'legacy' mode, so please proceed
  with care!
  Remember also that current legacy version will not receive any further
  updates, even for security issues (besides those provided as packages by
  your OS vendor - Debian or Ubuntu, which will still work), because it is
  already different enough from current 2.3.1 stable, so we can't reliably
  maintain both with working upgrade path.
#-### Caveats: This upgrade will force wildcard in the Nginx 'listen' directive
  If you have old enough BOA system which still uses legacy IP mode and not
  a wildcard in the Nginx 'listen' directive, which is both Aegir and BOA
  standard for a long time already, this upgrade will fix the problem and
  update directives only in vhosts known and controlled by BOA.
  If you have any other vhosts, located in standard or non-standard Nginx/BOA
  directories for vhosts, you have to update them manually after upgrade to
  BOA-2.3.0 or newer, or they will take over all other vhosts on the system
  and cause redirects to /install.php which results with Nginx error 403 or 404,
  depending on the prior configuration.
  It will happen because IP based 'listen' directive in Nginx has higher
  priority, and will mess things horribly if there are vhosts using wildcard
  and some using the main system IP address.
  What and how to replace? Here are commands you need to run as root:
    $ sed -i "s/.*listen.*:80;/  listen  \*:80;/g" /path/to/vhost.file
    $ sed -i "s/.*listen.*:443/  listen  \*:443/g" /path/to/vhost.file
    $ service nginx reload
  Note: this **doesn't** affect special vhosts for SSL enabled sites, if used,
  because they are designed to use IP based 'listen' directives to provide
  separation between SSL enabled IPs and their associated certificates,
  while their associated 'upstream' block may even point to either local or
  remote IP address, so there is no wildcard to use in this case, and it will
  not conflict with all other vhosts managed by Aegir, because all SSL enabled
  vhosts listen on other IP addresses than the main system IP, which is
  by default used by all vhosts with wildcard in the 'listen' directive.
  The problem may happen only when you have vhosts using wildcard and also
  some vhosts using **main** system IP address in the 'listen' directive,
  which may happen also unintentionally during upgrade to BOA-2.3.0 or never,
  if there are either vhosts BOA doesn't control, or there are ghost vhosts
  not yet purged if you didn't upgrade to BOA-2.2.9 before, or there are
  some disabled sites, so their vhosts will not be re-created by Aegir
  during this major upgrade (because only active sites can be re-verified).
  While BOA will fix also any such ghost vhosts anyway, it will not be able
  to detect and fix vhosts outside of the standard directories managed by Aegir.
#-### Ability to add new Octopus instances with new, simple command syntax
  It is now possible to add stable Octopus instances w/o forcing Barracuda
  upgrade, plus optionally with no platforms added by default -- usage:
    $ boa {in-octopus} {email} {o2} {mini|max|none}
#-### The www53 PHP-FPM pool has been switched from port to default socket mode.
  Note that we are breaking backward compatibility here, so it will cause
  downtime on upgrade from any too old BOA version, until you will upgrade also
  Octopus instance(s) and update any other non-standard vhosts or includes
  still using legacy port mode for 'fastcgi_pass' Nginx directive.
  If you have 'fastcgi_pass 127.0.0.1:9090;' in any custom vhost or Nginx
  include file on the Octopus instance, you should replace it with:
    fastcgi_pass unix:/var/run/o1.fpm.socket;
  where 'o1' is your corresponding Octopus system username.
  Note that if you have custom vhosts or includes in the Aegir Master Instance,
  you should instead replace 'fastcgi_pass 127.0.0.1:9090;' with:
    fastcgi_pass unix:/var/run/www53.fpm.socket;
  where '53' is related to PHP version defined via _PHP_FPM_VERSION in your
  /root/.barracuda.cnf file. Note that while variable has a dot, the socket
  name doesn't.
#-### Support for PHP 5.2 has been officially deprecated
  While Barracuda 2.3.1 can continue to run and even upgrade if needed also
  the very old PHP 5.2 version, only Octopus instances running at least PHP 5.3
  or newer in both FPM and CLI mode can be upgraded to Octopus 2.3.1 Edition.
  If you are still using PHP 5.2 in your Octopus instance, you will not
  receive Aegir nor Drupal Platforms upgrade, but the Barracuda part of your
  system will receive upgrade to 2.3.1 anyway, so it will be ready to support
  your outdated Octopus instance upgrade as soon as you will switch it to
  modern and secure PHP version -- which is easy!
  Let's quote the original how-to for reference:
#-### Support for PHP FPM/CLI version safe switch per Octopus instance
  This allows to easily switch PHP version by the instance owner w/o system
  admin (root) help. All you need to do is to create ~/static/control/fpm.info
  and ~/static/control/cli.info file with a single line telling the system
  which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3
  Only one of them can be set, but you can use separate versions for web access
  (fpm.info) and the Aegir backend (cli.info). The system will switch versions
  defined via these control files in 5 minutes or less. We use external control
  files and not any option in the Aegir interface to make sure you will never
  lock yourself by switching to version which may cause unexpected problems.
#-### Support for New Relic monitoring with per Octopus instance license key
  This new feature will disable global New Relic monitoring by deactivating
  server-level license key, so it can safely auto-enable or auto-disable it
  every 5 minutes, but per Octopus instance -- for all sites hosted on
  the given instance -- when a valid license key is present in the special
  new ~/static/control/newrelic.info control file.
  Please note that valid license key is a 40-character hexadecimal string
  that New Relic provides when you sign up for an account.
  To disable New Relic monitoring for the Octopus instance, simply delete
  its ~/static/control/newrelic.info control file and wait a few minutes.
  Please note that on a self-hosted BOA you still need to add your valid
  license key as _NEWRELIC_KEY in the /root/.barracuda.cnf file and run
  system upgrade with at least 'barracuda up-stable' first. This step is
  not required on Omega8.cc hosted service, where New Relic agent is already
  pre-installed for you.
#-### Solr 4 cores can be added/updated/deleted via site level INI settings
;;
;;  This option allows to activate Solr 4 core configuration for the site.
;;
;;  Only Solr 4 powered by Jetty server is available. Supported integration
;;  modules are limited to latest versions of either search_api_solr (D7 only)
;;  or apachesolr (will use Drupal core specific version automatically).
;;
;;  Currently used versions are listed below:
;;
;;    http://ftp.drupal.org/files/projects/search_api_solr-7.x-1.6.tar.gz
;;    http://ftp.drupal.org/files/projects/apachesolr-7.x-1.7.tar.gz
;;    http://ftp.drupal.org/files/projects/apachesolr-6.x-3.0-rc2.tar.gz
;;
;;  Note that you still need to add preferred integration module along with
;;  any its dependencies in your codebase since this feature doesn't modify
;;  your platform or site - it only creates Solr core with configuration
;;  files provided by integration module: schema.xml and solrconfig.xml
;;
;;  This setting affects only the running daily maintenance system behaviour,
;;  so you need to wait until next morning to be able to use new Solr 4 core.
;;
;;  Once the Solr core is ready to use, you will find a special file in your
;;  site directory: sites/foo.com/solr.php with details on how to access
;;  your new Solr core with correct credentials.
;;
;;  The site with enabled Solr core can be safely migrated between platforms,
;;  integration module can be moved within your codebase and even upgraded,
;;  as long as it is using compatible schema.xml and solrconfig.xml files.
;;
;;  Supported values for the solr_integration_module variable:
;;
;;    apachesolr
;;    search_api_solr
;;
;;  To delete existing Solr core simply comment out this line.
;;  The system will cleanly delete existing Solr core next morning.
;;
;solr_integration_module = NO
;;
;;  This option allows to auto-update your Solr 4 core configuration files:
;;
;;    schema.xml
;;    solrconfig.xml
;;
;;  If there is new release for either apachesolr or search_api_solr, your
;;  Solr core will not be automatically upgraded to use newer schema.xml and
;;  solrconfig.xml, unless allowed by switching solr_update_config to YES.
;;
;;  This option will be ignored if you will set solr_custom_config to YES.
;;
;solr_update_config = NO
;;
;;  This option allows to protect custom Solr 4 core configuration files:
;;
;;    schema.xml
;;    solrconfig.xml
;;
;;  To use customized version of either schema.xml or solrconfig.xml, you need
;;  to switch solr_custom_config to YES below and if you are using hosted
;;  Aegir service, submit a support ticket to get these files updated with
;;  your custom versions. On self-hosted BOA simply update these files directly.
;;
;;  Please remember to use Solr 4 compatible config files.
;;
;solr_custom_config = NO
# Updated Octopus platforms:
  aGov 1.4 --------------------- https://drupal.org/project/agov
  Guardr 1.12 ------------------ https://drupal.org/project/guardr
  Open Academy 1.1 ------------- https://drupal.org/project/openacademy
  Restaurant 1.0-b9 ------------ https://drupal.org/project/restaurant
  Ubercart 3.7 ----------------- https://drupal.org/project/ubercart
# New features and enhancements in this release:
  * Ability to add new Octopus instances with new, simple command syntax
  * Add default aggressive php-fpm monitoring + /root/.no.fpm.cpu.limit.cnf
  * Allow to define always disabled modules via _MODULES_FORCE variable.
  * Better wait limits on connection testing for slow network / long distance.
  * Issue #1927522 - Add support for easy Solr cores self-management.
  * Issue #362 - Add imageapi_optimize binaries via IMG in _XTRAS_LIST
  * Issue #376 - Add New Relic support with per Octopus instance license key.
  * Make firewall management faster with randomized schedule.
  * Procs monitor runs every 3 seconds.
  * Run mysql_proc_control every 5 seconds for better results.
  * You can safely apply db updates via 'Run db updates' task on any site.
# Changes in this release:
  * DB credentials are no longer visible in settings.php, only in drushrc.php
  * Delete default profiles in the hostmaster platform.
  * Disable _DEBUG_MODE if not enabled on the fly.
  * Disable newrelic-sysmond unless /root/.enable.newrelic.sysmond.cnf exists.
  * Drush: Upgrade command line version 6 to mini-6-14-09-2014
  * Nginx: Remove deprecated code - _HTTP_WILDCARD is already used by default.
  * Nginx: Use limit_conn protection only for known dynamic requests.
  * Redis Integration Module (cache_backport): Update to version 6.x-1.0-rc2
  * Redis Integration Module: Update to version mod-12-09-2014
  * Remove _ALLOW_UNSUPPORTED legacy and no longer working properly feature.
  * Remove dependency on Update Manager globally.
  * Remove deprecated multi-instance labels in the New Relic configuration.
  * Replace old hosting_civicrm_cron with newer hosting_civicrm module.
  * Set hosting_default_profile to 'minimal' to improve Ubercart 3 visibility.
  * The www53 PHP-FPM pool has been switched from port to default socket mode.
  * Use Provision CiviCRM boa-2.3.1-dev
# System upgrades in this release:
  * cURL 7.38.0 (if installed from sources)
  * Git 2.1.0 (if installed from sources)
  * Jetty 7.6.16.v20140903
  * Jetty 8.1.16.v20140903
  * Jetty 9.2.3.v20140905
  * PHP 5.3.29 EOL! Please read: http://php.net/archive/2014.php#id2014-08-14-1
  * PHP 5.4.32
  * PHP 5.5.16
  * Redis 2.8.14
# Fixes in this release:
  * Add cleanup for _GIT_FORCE_REINSTALL if added in .barracuda.cnf
  * Add missing drush cache-clear drush to improve upgrade path.
  * Add new features in the README.txt
  * Add wheezy to the exceptions list where required.
  * Allow to clear drush cache without directory restrictions.
  * Always set correct TMP path for supported users.
  * Cleanup for cron pid files in user specific .tmp dirs.
  * Count properly also symlinked files directories (improved).
  * D6 colorbox module requires old 1.3.18 library.
  * Delete drush_make leftovers.
  * Delete duplicate menu items on upgrade.
  * Do not allow to install SSH from sources on Trusty to avoid problems.
  * Do not skip daily.sh during barracuda system only update.
  * Eldir theme: Use max width for buttons, if possible.
  * Explain why installing RVM may take longer than expected.
  * Fix cleanup for drush aliases in sub-accounts.
  * Fix daily cleanup for user specific .tmp directories.
  * Fix docs/HINTS.txt
  * Fix for broken mariadb.list
  * Fix for broken, way too aggressive PHP-FPM monitoring.
  * Fix for ghost dirs cleanup.
  * Fix for ghost vhosts cleanup.
  * Fix for missing symlinks to existing platforms.
  * Fix for not working protection from blocking local IPs on multi-IP systems.
  * Fix for subdirs_support universal check.
  * Fix for unreliable _IS_OLD check on Octopus instances upgrade.
  * Fix for warning "Could not create directory ." on Hostmaster site Verify.
  * Fix the fields order in the site edit form.
  * Fix the regex to not whitelist unexpected IP ranges inadvertently.
  * Force cURL rebuild if installed with outdated OpenSSL version.
  * Guard against destructive or insecure tasks run on the hostmaster site.
  * Improve cleanup for empty platforms directories.
  * Improve monitoring to protect against convert trying to overload the system.
  * Issue #2330781 - Use Drush dt() wrapper instead of not always available t()
  * Issue #357 - Fix the logic for Git (re)install from sources.
  * Issue #360 - Exclude special --CDN vhosts from daily cleanup.
  * Issue #361 - Update and improve docs/FAQ.txt
  * Issue #369 - Automatically download and fix /bin/websh if missing.
  * Issue #369 - Restore classic /bin/sh symlink automatically if needed.
  * Issue #373 - Set correct TMP, TEMP, TMPDIR env variables in limited shell.
  * Issue #373 - Too restrictive lshell forbidden list breaks drush sql-sync.
  * Issue #380 - Nameserver / pdnsd problem -- Fixes also Issue #2007990.
  * Issue #381 - Zend OPcache forced adds useless noise in the log.
  * Issue #388 - Version 6.x-2.x of provision_civicrm requires hosting_civicrm
  * Issue #389 - hosting_civicrm breaks site install form with confusing error.
  * Issue #390 - Duplicate platforms nodes are created after upgrade to 2.3.0
  * Issue #395 - Validate username isn't reserved before running install script.
  * Issue #396 - Locale isn't getting set properly.
  * Issue #397 - Not actually prompted for platforms during installation.
  * Issue #398 - Make locales setup/fix for Debian always OS compatible.
  * Issue #399 - The hitimes gem needs to be pre-installed to support Omega4.
  * Issue #400 - CiviCRM is not installed on 2.3.0
  * Issue #401 - Create sites/all/* subdirs in Hostmaster early enough.
  * Issue #402 - Fix for ghost or disabled vhosts which still listen on IP.
  * Issue #405 - Installer hangs due to yes/no dialog - "Untrusted packages"
  * Issue #406 - Force keyring reinstall also upon 'GPG error'.
  * Issue #407 - Fix for 'username is already taken' error on a local VM install
  * Issue #408 - Fix for multiple funny typos. Thanks ar-jan!
  * Make it clear that subdomain and subdirectory name must be identical.
  * Make sure that keys subdirectory exists to avoid active platforms cleanup.
  * Make the PHP-FPM processes monitor less aggressive by default.
  * Nginx: Add config symlinks only on legacy instances.
  * Nginx: Add cron access support for subdir sites.
  * Nginx: Convert all vhosts to wildcard mode on Barracuda upgrade.
  * Nginx: Disable monitoring for POST requests related to cart/checkout URI.
  * Nginx: Do not touch nginx_wild_ssl.conf during this upgrade.
  * Nginx: Improve wildcard conversion procedure on some really old instances.
  * Nginx: Remove deprecated code and config templates.
  * Nginx: Sanitize aliases in vhost_disabled.tpl.php to avoid warnings.
  * Nginx: Update config includes to match optional BOA features improvements.
  * Nginx: Update unified configuration templates in Provision to unfork BOA.
  * Nginx: Update vhosts templates to match BOA improvements.
  * PHP: Avoid unintended duplicate rebuilds.
  * PHP: Sync disable_functions list.
  * Protect sites/all/drush
  * Provision: Backport provision_hosting_feature_enabled()
  * Provision: Remove legacy subdir code and update checks.
  * Redis config should sync with PHP-CLI, not PHP-FPM.
  * Remove legacy procs monitoring code.
  * Remove no longer needed limreq global fixes.
  * Remove no longer needed/used contrib updates.
  * Remove redundant file_exists() if is_readable() is also used.
  * Replace old hosting_civicrm_cron with newer hosting_civicrm module.
  * Restart pdnsd before running barracuda upgrade.
  * Restore BOA formatting for tasks log to improve readability.
  * Restore BOA naming convention and docs in Hostmaster.
  * Restore BOA naming convention for Installation profiles in Hostmaster.
  * Restore BOA strict _hosting_valid_fqdn* testing procedures in Hostmaster.
  * Restore BOA weight defaults in the form in Hostmaster.
  * Restore punycode in Hostmaster.
  * Restore tasks sort to always show tasks scheduled and running at the top.
  * Sanitize cli.info and fpm.info
  * Set _PLATFORMS_LIST properly.
  * Silence early sed replacements to avoid confusion.
  * Simplify colorbox-1.3.18 download.
  * Simplify colorbox-1.5.13 download.
  * Switch branch on the fly and add support for Aegir vanilla mode.
  * Sync /tmp access restrictions.
  * The hosting_civicrm_cron is now a submodule and should be also auto-enabled.
  * The wildcard transition **doesn't** affect vhosts for SSL enabled sites.
  * There is no need to force backend clone from GitHub on initial upgrade.
  * Update for the Hostmaster welcome page.
  * Update FPM monitoring settings.
  * Use as short labels on the site node as possible.
  * Use control files properly to not run redundant Jetty/Solr upgrade.
  * Use correct paths to platform level drushrc.php file.
  * Use correct Provision version on initial upgrade to 2.3.0
  * Use Drush6 with @hostmaster.
  * Use is_dir() instead of file_exists() when checking directory existence.
  * Use is_file() and is_link() instead of file_exists() before trying unlink()
  * Use is_readable() and file_exists() instead of file_exists() for backup.
  * Use is_readable() check instead of insufficient file_exists() for includes.
  * Use is_readable() instead of file_exists() when checking alias existence.
  * Install latest Git even if not specified via _XTRAS_LIST but previous
    version built from sources is detected.
  * Issue #2278847 - Derivatives can't be created on install with Drush and
    Aegir or when no vhost is available yet (Drupal Commons)

Having read through the above it is good to see the switch to use sockets rather than TCP/IP for php-fpm, not sure if there are any other changes that would effect us. I'll do the upgrade one evening this week.

#786: GitHub Transition: Annesley needs permission to create repositories

annesley — Mon, 15 Sep 2014 07:17:03 GMT

is Paul the owner of Transition GitHub??

#785: SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

paul — Thu, 11 Sep 2014 15:54:35 GMT

@Ed Would you check my choice of component; I was looking for maintenance? Should I assign this to me as I create the ticket?

View online: https://www.drupal.org/node/2336263

Advisory ID: DRUPAL-SA-CONTRIB-2014-086
Project: Custom Breadcrumbs [1] (third-party module)
Version: 6.x, 7.x
Date: 2014-September-10
Security risk: 16/25 ( Critical)

AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]

Vulnerability: Cross Site Scripting

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates.

User input is not properly sanitized in all use cases, opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is only present when the custom breadcrumb is configured with the special identifier so that some of the breadcrumb items are not links. Typical example is that the last breadcrumb element is showing the current page title but is not a link. The XSS vulnerability is not triggered if all items of the breadcrumb are links and special identifier is not used.

/A CVE identifier [3] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
Custom Breadcrumbs 6.x-2.x versions are NOT affected
Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1

Drupal core is not affected. If you do not use the contributed Custom Breadcrumbs [4] module, there is nothing you need to do.

Install the latest version:

If you use the Custom Breadcrumbs module version 1.x for Drupal 6.x,

upgrade to Custom Breadcrumbs 6.x-1.6 [5].

If you use the Custom Breadcrumbs module version 2.x for Drupal 7.x,

upgrade to Custom Breadcrumbs 7.x-2.0-beta1 [6].

Also see the Custom Breadcrumbs [7] project page.

Markus Sipilä [8]

Markus Sipilä [9]
Colan Schwartz [10] the module maintainer

Greg Knaddison [11] of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#784: New BOA-2.3.0

chris — Tue, 09 Sep 2014 08:52:22 GMT

These are the updates from the Changelog:

### Stable BOA-2.3.0 Release - Full Edition
### Date: Mon Sep  8 08:42:01 PDT 2014
### Includes Aegir 2.1 with improvements
# Release Notes:
  This new BOA Edition introduces latest Aegir 2.1 stable version with newest
  Drush 6 in the backend and with support for Drupal sites in subdirectories
  enabled by default, among many other improvements included in this version,
  like tasks list per site, ability to search in the sites list per domain name
  and/or profile, to schedule tasks in batches, to select any existing domain
  alias as a redirect target, but without the need to rename the site, etc.
  While Barracuda 2.3.0 can continue to run and even upgrade if needed also
  the very old PHP 5.2 version, only Octopus instances running at least PHP 5.3
  or newer in both FPM and CLI mode can be upgraded to Octopus 2.3.0 Edition.
  If you are still using PHP 5.2 in your Octopus instance, you will not
  receive Aegir nor Drupal Platforms upgrade, but the Barracuda part of your
  system will receive upgrade to 2.3.0 anyway, so it will be ready to support
  your outdated Octopus instance upgrade as soon as you will switch it to
  modern and secure PHP version -- which is easy!
  Let's quote the original how-to for reference:
#-### Support for PHP FPM/CLI version safe switch per Octopus instance
  This allows to easily switch PHP version by the instance owner w/o system
  admin (root) help. All you need to do is to create ~/static/control/fpm.info
  and ~/static/control/cli.info file with a single line telling the system
  which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3
  Only one of them can be set, but you can use separate versions for web access
  (fpm.info) and the Aegir backend (cli.info). The system will switch versions
  defined via these control files in 5 minutes or less. We use external control
  files and not any option in the Aegir interface to make sure you will never
  lock yourself by switching to version which may cause unexpected problems.
#-### Legacy mode moves to 2.2.x branch
  From now on, the 'legacy' install and upgrade mode available in all meta-
  installers will utilize branch 2.2.x instead of deprecated 2.1.x series.
# Updated Octopus platforms:
  aGov 1.4 --------------------- https://drupal.org/project/agov
  Guardr 1.12 ------------------ https://drupal.org/project/guardr
  Open Academy 1.1 ------------- https://drupal.org/project/openacademy
  Restaurant 1.0-b9 ------------ https://drupal.org/project/restaurant
# New features and enhancements in this release:
  * It is now possible to add stable Octopus instances w/o forcing Barracuda
    upgrade, plus optionally with no platforms added by default -- usage:
    $ boa {in-octopus} {email} {o2} {mini|max|none}
  * Add default aggressive php-fpm monitoring + /root/.no.fpm.cpu.limit.cnf
  * Allow to define always disabled modules via _MODULES_FORCE variable.
  * Better wait limits on connection testing for slow network / long distance.
  * Issue #362 - Add imageapi_optimize binaries via IMG in _XTRAS_LIST
  * Make firewall management faster with randomized schedule.
  * Procs monitor runs every 3 seconds.
  * Run mysql_proc_control every 5 seconds for better results.
# Changes in this release:
  * Delete default profiles in the hostmaster platform.
  * Disable _DEBUG_MODE if not enabled on the fly.
  * Drush: Upgrade command line version 6 to mini-6-06-09-2014
  * Nginx: Remove deprecated code - _HTTP_WILDCARD is already used by default.
  * Nginx: Use limit_conn protection only for known dynamic requests.
  * Remove dependency on Update Manager globally.
  * Set hosting_default_profile to 'minimal' to improve Ubercart 3 visibility.
  * Use Provision CiviCRM boa-2.3.0-dev
# System upgrades in this release:
  * Git 2.1.0 (if installed from sources)
  * PHP 5.3.29 EOL! Please read: http://php.net/archive/2014.php#id2014-08-14-1
  * PHP 5.4.32
  * PHP 5.5.16
  * Redis 2.8.14
# Fixes in this release:
  * Add cleanup for _GIT_FORCE_REINSTALL if added in .barracuda.cnf
  * Add missing drush cache-clear drush to improve upgrade path.
  * Allow to clear drush cache without directory restrictions.
  * Always set correct TMP path for supported users.
  * Cleanup for cron pid files in user specific .tmp dirs.
  * Count properly also symlinked files directories (improved).
  * D6 colorbox module requires old 1.3.18 library.
  * Delete drush_make leftovers.
  * Delete duplicate menu items on upgrade.
  * Do not allow to install SSH from sources on Trusty to avoid problems.
  * Do not skip daily.sh during barracuda system only update.
  * Eldir theme: Use max width for buttons, if possible.
  * Fix cleanup for drush aliases in sub-accounts.
  * Fix daily cleanup for user specific .tmp directories.
  * Fix docs/HINTS.txt
  * Fix for broken mariadb.list
  * Fix for ghost dirs cleanup.
  * Fix for ghost vhosts cleanup.
  * Fix for missing symlinks to existing platforms.
  * Fix for not working protection from blocking local IPs on multi-IP systems.
  * Fix for subdirs_support universal check.
  * Fix for unreliable _IS_OLD check on Octopus instances upgrade.
  * Fix for warning "Could not create directory ." on Hostmaster site Verify.
  * Fix the fields order in the site edit form.
  * Fix the regex to not whitelist unexpected IP ranges inadvertently.
  * Force cURL rebuild if installed with outdated OpenSSL version.
  * Guard against destructive or insecure tasks run on the hostmaster site.
  * Improve cleanup for empty platforms directories.
  * Improve monitoring to protect against convert trying to overload the system.
  * Issue #2330781 - Use Drush dt() wrapper instead of not always available t()
  * Issue #357 - Fix the logic for Git (re)install from sources.
  * Issue #360 - Exclude special --CDN vhosts from daily cleanup.
  * Issue #361 - Update and improve docs/FAQ.txt
  * Issue #369 - Automatically download and fix /bin/websh if missing.
  * Issue #369 - Restore classic /bin/sh symlink automatically if needed.
  * Issue #373 - Set correct TMP, TEMP, TMPDIR env variables in limited shell.
  * Issue #373 - Too restrictive lshell forbidden list breaks drush sql-sync.
  * Issue #380 - Nameserver / pdnsd problem -- Fixes also Issue #2007990.
  * Issue #381 - Zend OPcache forced adds useless noise in the log.
  * Make it clear that subdomain and subdirectory name must be identical.
  * Make sure that keys subdirectory exists to avoid active platforms cleanup.
  * Nginx: Add config symlinks only on legacy instances.
  * Nginx: Add cron access support for subdir sites.
  * Nginx: Disable monitoring for POST requests related to cart/checkout URI.
  * Nginx: Remove deprecated code and config templates.
  * Nginx: Sanitize aliases in vhost_disabled.tpl.php to avoid warnings.
  * Nginx: Update config includes to match optional BOA features improvements.
  * Nginx: Update unified configuration templates in Provision to unfork BOA.
  * Nginx: Update vhosts templates to match BOA improvements.
  * PHP: Avoid unintended duplicate rebuilds.
  * Protect sites/all/drush
  * Provision: Backport provision_hosting_feature_enabled()
  * Provision: Remove legacy subdir code and update checks.
  * Redis config should sync with PHP-CLI, not PHP-FPM.
  * Remove legacy procs monitoring code.
  * Remove no longer needed limreq global fixes.
  * Remove no longer needed/used contrib updates.
  * Remove redundant file_exists() if is_readable() is also used.
  * Restart pdnsd before running barracuda upgrade.
  * Restore BOA formatting for tasks log to improve readability.
  * Restore BOA naming convention and docs in Hostmaster.
  * Restore BOA naming convention for Installation profiles in Hostmaster.
  * Restore BOA strict _hosting_valid_fqdn* testing procedures in Hostmaster.
  * Restore BOA weight defaults in the form in Hostmaster.
  * Restore punycode in Hostmaster.
  * Restore tasks sort to always show tasks scheduled and running at the top.
  * Sanitize cli.info and fpm.info
  * Set _PLATFORMS_LIST properly.
  * Simplify colorbox-1.3.18 download.
  * Simplify colorbox-1.5.13 download.
  * Switch branch on the fly and add support for Aegir vanilla mode.
  * Sync /tmp access restrictions.
  * Update for the Hostmaster welcome page.
  * Update FPM monitoring settings.
  * Use as short labels on the site node as possible.
  * Use correct paths to platform level drushrc.php file.
  * Use Drush6 with @hostmaster.
  * Use is_dir() instead of file_exists() when checking directory existence.
  * Use is_file() and is_link() instead of file_exists() before trying unlink()
  * Use is_readable() and file_exists() instead of file_exists() for backup.
  * Use is_readable() check instead of insufficient file_exists() for includes.
  * Use is_readable() instead of file_exists() when checking alias existence.
  * Install latest Git even if not specified via _XTRAS_LIST but previous
    version built from sources is detected.
  * Issue #2278847 - Derivatives can't be created on install with Drush and
    Aegir or when no vhost is available yet (Drupal Commons)

I can't see any issues that directly impact on us apart from the new version of PHP, we are running PHP Version 5.3.28, the release notes for PHP 5.3.29:

14 Aug 2014

The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively.

PHP 5.3.29 contains about 25 potentially security related fixes backported from PHP 5.4 and 5.5.

More information in the Changelog.

I'll apply this update one evening soon.

#782: Piwik 2.6.1

chris — Fri, 05 Sep 2014 07:15:03 GMT

New Piwik, changes: http://piwik.org/changelog/piwik-2-6-1/

#781: MediaWiki Security and Maintenance Releases: 1.22.10 and 1.23.3

chris — Thu, 28 Aug 2014 06:42:16 GMT

Announcement email:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-August/000159.html

Bugfixes only, not a security update so no urgent update required.

#780: parrot

annesley — Wed, 27 Aug 2014 14:35:51 GMT

can't access parrot again also: it re-requests my password very quickly. what is the session timeout?

also: i cannot include my files. seems that the website is located under the /home/annesley directory. is this some sort of strange setup because the PHP cannot see that area. and i cannot cd to the root through SFTP...

#779: Annesley locked out of puffin?

chris — Wed, 27 Aug 2014 14:28:12 GMT

Looks like Annesley's IP has been blocked on wiki:PuffinServer.

#778: need access to Parrot

annesley — Wed, 27 Aug 2014 12:16:39 GMT

i need a publicly available WordPress demo install to play with. should this be on Parrot? what (sub)domain can i use?

#777: Comments to blog post only showing up when logged in

ed — Mon, 25 Aug 2014 09:18:39 GMT

Most of the comments to this blog post are only showing up when you are logged in: https://www.transitionnetwork.org/blogs/rob-hopkins/2014-07/fiona-ward-learning-celebrate-10000-failure#comment-17492

Logged in: 5 comments Not logged in: 1 comment

Handing this to Sam but happy for it to escalate. Presumably this issue won't be on this one post only - and it is important.

#776: Piwik 2.0.5

chris — Sat, 16 Aug 2014 07:55:49 GMT

New version of Piwik, not a security update so no urgent need to upgrade unless there is some new required feature:

http://piwik.org/changelog/piwik-2-5-0/

#775: New BOA-2.2.9 Stable Edition available

chris — Thu, 07 Aug 2014 08:39:18 GMT

Email from wiki:PuffinServer:

There is new BOA-2.2.9 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/boa-changes

The Changelog:

### Stable BOA-2.2.9 Release - Full Edition
### Date: Wed Aug  6 17:08:10 PDT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
  This release includes updated versions of all supported Drupal platforms to
  provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,
  bug fixes, and five (5) updated Octopus platforms.
  NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
  yet, and new Drupal core has been released to fix security issues, followed
  by yet another release to fix serious regressions, followed by yet another
  security release, we have decided to make it available to everyone and release
  yet another stable BOA-2.2.x Edition.
  IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
  of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
  which will allow us to provide newer Aegir version with built-in Drush 6
  support, sites in subdirectories, and many Aegir User Interface improvements.
  If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
  you will not be able to upgrade to the next 2.3.x Edition and you will have to
  stay on the 'legacy' BOA 2.2.x version, which will receive only system
  security upgrades, but no further feature nor bugfix releases.
  This also means that from now on the 'legacy' 2.2.x version will no longer
  receive Drupal core upgrades, even if there will be security core releases.
  It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# Updated Octopus platforms:
  aGov 1.2 --------------------- https://drupal.org/project/agov
  Guardr 1.10 ------------------ https://drupal.org/project/guardr
  Open Outreach 1.9 ------------ https://drupal.org/project/openoutreach
  OpenPublic 1.0-rc4 ----------- https://drupal.org/project/openpublic
  Panopoly 1.10 ---------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
  * RVM: Add exceptions for gems which can't be installed in Limited Shell.
  * Shell: Compass Tools: Allow to access guard.
  * Shell: Improve config to better support advanced Drush commands over SSH.
  * Shell: Improve Drush over SSH experience
# Changes in this release:
  * Drush: Upgrade command line version 6 to mini-6-06-08-2014
# System upgrades in this release:
  * MariaDB 5.5.39
  * Nginx 1.7.4
  * OpenSSL 1.0.1i (if installed from sources)
# Fixes in this release:
  * Add cleanup for .tmp in sub-accounts.
  * Add cleanup for drush-backups leftovers.
  * Add cleanup for various /var/backups/* leftovers.
  * Add daily auto-cleanup for ghost vhosts, platforms and drush aliases.
  * Add exception for symlinked /data/all
  * Add hint for HTTPS-only mode forced in local.settings.php
  * Fix -mtime expected values.
  * Fix cleanup for .restore vhost leftovers.
  * Fix Nginx monitor to respect all whitelisted POST requests in both modes.
  * Fix permissions on sites/all/{modules,libraries,themes} globally.
  * Improve RVM cleanup.
  * Make sure that local IPs are never blocked by mistake.
  * Never touch websh wrapper to avoid high load because of redirect loop.
  * Nginx: Fix limreq also for some really old vhosts.
  * Nginx: Modify only vhosts known as included in the protected mode.
  * Remove debugging mode in old codebases cleanup.
  * Restore default websh wrapper symlink as fast as possible.
  * Run manage_ltd_users every 3 minutes instead of every minute.
  * Update regex for exceptions in Nginx monitoring.

I'll do this update after the meeting tonight.

#774: * Advisory ID: DRUPAL-SA-CORE-2014-004

paul — Wed, 06 Aug 2014 19:52:54 GMT

View online: https://www.drupal.org/SA-CORE-2014-004

Advisory ID: DRUPAL-SA-CORE-2014-004
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-August-06
Security risk: 13/25 ( Moderately Critical)

AC:None/A:None/CI:None/II:None/E:Proof/TD:100 [2]

Exploitable from: Remote
Vulnerability: Denial of service

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement [3]).

/A CVE identifier [4] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 7.x versions prior to 7.31.
Drupal core 6.x versions prior to 6.33.

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.31 [5].
If you use Drupal 6.x, upgrade to Drupal core 6.33 [6].

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core [7] project page.

Willis Vandevanter [8]
Nir Goldshlager [9]

Andrew Nacin [10] of the WordPress Security Team
Michael Adams [11] of the WordPress Security Team
Frédéric Marand [12]
David Rothstein [13] of the Drupal Security Team
Damien Tournoud [14] of the Drupal Security Team
Greg Knaddison [15] of the Drupal Security Team
Stéphane Corlosquet [16] of the Drupal Security Team
Dave Reid [17] of the Drupal Security Team

The Drupal Security Team [18] and the WordPress [19] Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

[1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] https://wordpress.org/news/2014/08/wordpress-3-9-2/ [4] http://cve.mitre.org/ [5] http://drupal.org/drupal-7.31-release-notes [6] http://drupal.org/drupal-6.33-release-notes [7] http://drupal.org/project/drupal [8] https://www.drupal.org/user/1867894 [9] https://www.drupal.org/user/2891345 [10] http://profiles.wordpress.org/nacin [11] http://profiles.wordpress.org/mdawaffe [12] https://www.drupal.org/user/27985 [13] https://www.drupal.org/user/124982 [14] https://www.drupal.org/user/22211 [15] https://www.drupal.org/u/greggles [16] https://www.drupal.org/user/52142 [17] https://www.drupal.org/user/53892 [18] http://drupal.org/security-team [19] http://wordpress.org [20] http://drupal.org/contact [21] http://drupal.org/security-team [22] http://drupal.org/writing-secure-code [23] http://drupal.org/security/secure-configuration

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#773: download copy of current TN D6 website

annesley — Wed, 06 Aug 2014 09:58:14 GMT

hi, am trying to get a copy of the current TN.org D6 database and filesystem down to my laptop to develop against. i had pulled from GIT, backed up from Backup&Migrate and got everything working but there are things missing.

so i want to do a file copy. i started a tar operation but the tar size went over 1.3GB and i stopped it because it shouldn't be that big. as always BOA has restricted use of the "du" command so i can't really tell why the tar was so big. and i can't "df" to see if it's a problem

should i let it continue? why is it so big?

#771: cannot access puffin over sftp again

annesley — Tue, 05 Aug 2014 09:24:10 GMT

not sure what happened this time. my connection to other servers is fine. i am using:

sftp://tn.ftp@puffin.transitionnetwork.org/static/transition-network-d6-32-s002-booker/

the password was accepted first time and i successfully navigated to /static

which worked until i tried to get to the transition-network-d6-32-s002-booker directory. now ssh fails also.

when i ssh in i get plenty of warnings and potential lock outs when i try various things. like trying to access /static.

#769: Locked myself out of puffin again

annesley — Mon, 04 Aug 2014 08:40:53 GMT

really sorry. locked my IP out of puffin again. please could you clear it?

#766: MediaWiki Security and Maintenance Update 1.23.2

chris — Wed, 30 Jul 2014 20:56:46 GMT

From the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.23.2, 1.22.9 and 1.19.18. This is a regular security and maintenance release. Download links are given at the end of this email.

Security

(bug 68187) SECURITY: Prepend jsonp callback with comment.
(bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript,instead of relying on the URL in the link that has been clicked.
(bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
Bugfixes in 1.23.2

(bug 68313) Preferences: Turn stubthreshold back into a combo box.
(bug 65214) Fix initSiteStats.php maintenance script.
(bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
Full release notes for 1.23.2: https://www.mediawiki.org/wiki/Release_notes/1.23

Public keys: <https://www.mediawiki.org/keys/keys.html>

1.23.2

Download: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.tar.gz

Patch to previous version (1.23.1): https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.patch.gz

GPG signatures: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.patch.gz.sig

Note: There is no i18n patch as there are no changes in translation.

#765: New BOA-2.2.8 Stable Edition

chris — Sun, 27 Jul 2014 08:08:55 GMT

Email from wiki:PuffinServer:

There is new BOA-2.2.8 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

The Changelog contains:

### Stable BOA-2.2.5 Release - Full Edition
### Date: Thu May  8 11:59:23 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Sat May 10 09:05:19 PDT 2014
# Release Notes:
  This release includes no new features, but does include bug fixes plus latest
  Drupal 7.28.1 and Pressflow 6.31.2 core in all built-in Octopus platforms.
  There are also three updated distributions included, as listed below.
  We also list here all hot-fixes applied to previous stable after its release.
# Important - Read This First! (for self-hosted BOA only)
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ barracuda up-stable
  $ octopus up-stable all both
  For silent, logged mode with e-mail message sent once the upgrade is
  complete, but no progress is displayed in the terminal window, you can run
  alternatively, starting with screen session to avoid incomplete upgrade
  if your SSH session will be closed for any reason before the upgrade
  will complete:
  $ screen
  $ barracuda up-stable log
  $ octopus up-stable all both log
  Note that the silent, non-interactive mode will automatically say Y/Yes
  to all prompts and is thus useful to run auto-upgrades scheduled in cron.
  If you have skipped some recent BOA releases, and you have new default config
  option: _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,
  plus, you are not sure if you follow best practices for managing permissions
  as recommended in our docs: https://omega8.cc/node/116 then we recommend
  that you change it to _PERMISSIONS_FIX=YES temporarily, or even permanently
  if your VPS is fast enough, and then run this powerful script as root:
  $ bash /var/xdrago/daily.sh
  Note that BOA 'legacy' mode is still at version 2.1.3
# Updated Octopus platforms:
  Commons 3.12 ----------------- https://drupal.org/project/commons
  Open Atrium 2.18 ------------- https://drupal.org/project/openatrium
  Open Outreach 1.6 ------------ https://drupal.org/project/openoutreach
# Changes in this release:
  * Add rsyslog/sysklogd to auto-healing procedures.
  * Make the aggressive scan_nginx mode optional and use old mode by default.
  * Nginx: Add HiScan to blocked crawlers list.
  * Nginx: Add Riddler to blocked crawlers list.
  * PHP: Use pm.process_idle_timeout = 10s for speed and RAM optimization.
# System upgrades in this release:
  * MySecureShell 1.33
  * PHP 5.4.28
  * PHP 5.5.12
# Fixes in this release:
  * Always define _PHP_CN variable properly.
  * Firewall: Sync CONNLIMIT for web ports with updated limit_conn in Nginx.
  * Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
  * Force Pure-FTPd server re-install if key files are missing for any reason.
  * Issue #2237167 - Improve authorized IPs detection in all protected vhosts.
  * Issue #2262935 - Modules dir must be group writable in custom platforms.
  * Nginx: Do not overwrite custom symlinks to the Under Construction template.
  * Nginx: Update limit_conn in all instances and vhosts on Barracuda upgrade.
  * PHP: Delete pear in legacy paths, if still exists.
  * PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
  * Postfix: Force re-install if broken permisions detected on upgrade.
  * Pressflow 6: Fix #GH 84 by using drupal_page_is_cacheable().
  * Pressflow 6: Merge pull request #GH 85 from pressflow/SA-CORE-2014-002-fix.
  * Pressflow 6: Remove duplicate openid_update_6001().
  * Revert "Force MariaDB 5.5 re-install".
  * Set the TERM env variable if missing to avoid errors.
  * Skip packages set on hold when running apticron.
  * The ~/static/control must be writeable by lshell user to manage ctrl files.
  * Add extra cron semaphore to prevent concurrent cron invocations via
    multiple running runner.sh instances.

I'll do this update tonight, following wiki:PuffinServer#UpgradingBOA

#762: cannot log in to Puffin

annesley — Sat, 19 Jul 2014 08:46:53 GMT

hi, i think i've locked myself out of puffin again. i successfully logged in and navigated to ~ and /. but it wouldn't let me access /data/disk/tn/static/transition-network-d6-s012 it asked for more authentication and then stopped responding.

thanks, a

#760: New BOA-2.2.7 Stable Edition

chris — Thu, 17 Jul 2014 08:34:22 GMT

Email from wiki:PuffinServer:

There is new BOA-2.2.7 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

The Changelog:

### Stable BOA-2.2.5 Release - Full Edition
### Date: Thu May  8 11:59:23 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Sat May 10 09:05:19 PDT 2014
# Release Notes:
  This release includes no new features, but does include bug fixes plus latest
  Drupal 7.28.1 and Pressflow 6.31.2 core in all built-in Octopus platforms.
  There are also three updated distributions included, as listed below.
  We also list here all hot-fixes applied to previous stable after its release.
# Important - Read This First! (for self-hosted BOA only)
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ barracuda up-stable
  $ octopus up-stable all both
  For silent, logged mode with e-mail message sent once the upgrade is
  complete, but no progress is displayed in the terminal window, you can run
  alternatively, starting with screen session to avoid incomplete upgrade
  if your SSH session will be closed for any reason before the upgrade
  will complete:
  $ screen
  $ barracuda up-stable log
  $ octopus up-stable all both log
  Note that the silent, non-interactive mode will automatically say Y/Yes
  to all prompts and is thus useful to run auto-upgrades scheduled in cron.
  If you have skipped some recent BOA releases, and you have new default config
  option: _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,
  plus, you are not sure if you follow best practices for managing permissions
  as recommended in our docs: https://omega8.cc/node/116 then we recommend
  that you change it to _PERMISSIONS_FIX=YES temporarily, or even permanently
  if your VPS is fast enough, and then run this powerful script as root:
  $ bash /var/xdrago/daily.sh
  Note that BOA 'legacy' mode is still at version 2.1.3
# Updated Octopus platforms:
  Commons 3.12 ----------------- https://drupal.org/project/commons
  Open Atrium 2.18 ------------- https://drupal.org/project/openatrium
  Open Outreach 1.6 ------------ https://drupal.org/project/openoutreach
# Changes in this release:
  * Add rsyslog/sysklogd to auto-healing procedures.
  * Make the aggressive scan_nginx mode optional and use old mode by default.
  * Nginx: Add HiScan to blocked crawlers list.
  * Nginx: Add Riddler to blocked crawlers list.
  * PHP: Use pm.process_idle_timeout = 10s for speed and RAM optimization.
# System upgrades in this release:
  * MySecureShell 1.33
  * PHP 5.4.28
  * PHP 5.5.12
# Fixes in this release:
  * Always define _PHP_CN variable properly.
  * Firewall: Sync CONNLIMIT for web ports with updated limit_conn in Nginx.
  * Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
  * Force Pure-FTPd server re-install if key files are missing for any reason.
  * Issue #2237167 - Improve authorized IPs detection in all protected vhosts.
  * Issue #2262935 - Modules dir must be group writable in custom platforms.
  * Nginx: Do not overwrite custom symlinks to the Under Construction template.
  * Nginx: Update limit_conn in all instances and vhosts on Barracuda upgrade.
  * PHP: Delete pear in legacy paths, if still exists.
  * PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
  * Postfix: Force re-install if broken permisions detected on upgrade.
  * Pressflow 6: Fix #GH 84 by using drupal_page_is_cacheable().
  * Pressflow 6: Merge pull request #GH 85 from pressflow/SA-CORE-2014-002-fix.
  * Pressflow 6: Remove duplicate openid_update_6001().
  * Revert "Force MariaDB 5.5 re-install".
  * Set the TERM env variable if missing to avoid errors.
  * Skip packages set on hold when running apticron.
  * The ~/static/control must be writeable by lshell user to manage ctrl files.
  * Add extra cron semaphore to prevent concurrent cron invocations via
    multiple running runner.sh instances.

I can't see any issues that have an immediate impact on us, I'll do the upgrade late one evening.

#756: Piwik 2.4.1 Update

chris — Fri, 11 Jul 2014 13:21:34 GMT

From the Changelog:

Piwik 2.4.1 is a new minor release of Piwik fixing a few bugs found by the community after the major 2.4.0 release.

#755: Site administrator's file upload capacity: not responding to changes

ed — Tue, 08 Jul 2014 09:21:16 GMT

Rob Hopkins reached the limit for file uploads and could not upload any more images (not good for him as he writes posts with lots of pictures daily).

Sam raised the limit. This change in the limit does not seem to have affected Rob's situation - he still can't upload any images.

Looking at these settings: https://www.transitionnetwork.org/admin/settings/uploads

Rob should be able to upload more - he is a site editor and admin - but he can't.

Please investigate

#753: wiki.transitionnetwork.org displaying error

chris — Fri, 04 Jul 2014 08:23:52 GMT

This is rather weird, the site was working yesterday, now at https://wiki.transitionnetwork.org/ we have:

bar(), etc etc) which throw parse errors in # PHP 4. Setup.php and ObjectCache.php have structures invalid in PHP 5.0 and # 5.1, respectively. if ( !function_exists( 'version_compare' ) || version_compare( phpversion(), '5.3.2' ) < 0 ) { // We need to use dirname( __FILE__ ) here cause __DIR__ is PHP5.3+ require dirname( __FILE__ ) . '/includes/PHPVersionError.php'; wfPHPVersionError( 'index.php' ); } require __DIR__ . '/includes/WebStart.php'; $mediaWiki = new MediaWiki(); $mediaWiki->run();

#752: Piwik 2.4.0 Update

chris — Thu, 03 Jul 2014 09:24:13 GMT

Piwik 2.4.0 is a new major release of Piwik! This release is rated critical. Please update now.

Security fixes

We would like to warmly thank Security researchers Aron Molnar (XSEC infosec GmbH) for reporting a XSS vulnerability which we have fixed in 2.4.0. We also thank Andrea Palazzo and Jose Luis Zayas for their security recommendations which are now implemented in 2.4.0.

http://piwik.org/changelog/piwik-2-4-0/

#751: Email alert changes

ed — Tue, 01 Jul 2014 11:14:42 GMT

Change the email alert template for news items to include the term 'news item' so it is:

"New news item: [title]"

When users click on the subs links at the bottom of their email alerts, and they are not logged in they get the ‘access denied’ screen. This is not good. Please investigate

(a) can this be changed (with small time investment) (b) can we change the access denied blurb to include something human encouraging the user to login to continue the journey:

"We are sorry for the inconvenience, but if you are seeing this screen having followed a link, you will probably need to login to continue with your request" (NB if they are coming from an email link with their id in it, how do we keep that journey so they get to the destinateion they wanted?)

When user clicks on the general subs link at the bottom of an email alert (and is not logged in), they get a 403 forbidden page. Not good - pls investigage

#749: Probs with REconomy site again - compromised?

chris — Thu, 26 Jun 2014 11:18:01 GMT

Email from Laura:

Looks like REconomy website has been compromised again.

Fi contacted this morning via email to say she's received a batch of 'new post' notifications on exceedingly old posts, so I logged into the site to check things out. I noted the footer wasn't correct on the site too displaying 'proudly powered by wordpress' rather than the widgets.

Had a whizz through folders/files via sftp to see any recent changes to files - and in the Reconomy theme files the 404.php and footer.php had been changed with a copy of the default wp twenty something one and base code 64 along the top. The footer was changed on 23/6 at 21.46, and I should have remembered when the 404 was changed before overwriting it - either the same date or time or on the 20/6. I've reinstated the correct files (but have downloaded a copy of the rogue 404 and footer files before replacing them with the correct ones if you wanted a copy for any purpose, though want to nuke these asap from my machine!)

Unlike the last time, no extra 'odd plugins' seem to have been added, nor anything odd by a (very) quick scan in wp-content/uploads folders and sub-folders.

Not sure how this has happened again, be good to know if you can spot anything your side, esp how these attacks happen especially incase I need to do something with the theme files (eg could it be some form of injection attack via the comments form somehow? Can't see how, but just wondering how these things tend to happen!). (do you think the file perms okay on the theme files, maybe worth a check too?). People can't register for an account on the website any longer, new users are added manually (been the case for some while now to stop spam signups)

All wp core is up-to date btw, and I've updated a couple of plugins whilst in there today.

And a follow up:

Following on from previous message just now, and quite poss unrelated altogether to the current site issue, looking at some of their blog posts on the site such as this one - http://www.reconomy.org/get-your-oats-here/, trackbacks come from a scraper type site eg - http://500biz.com/realwealth/get-your-oats-here-community-support-helps-new-enterprise-transform-local-food-supply-chain/ which seems to reprint reconomys posts.

#748: Urgent: Fiona having problems sending email

sam — Wed, 25 Jun 2014 12:42:27 GMT

Hi Chris, Fiona is having problems sending email. I have checked the quota in the web interface and she is not over her quota.

She initially sent this:

The message could not be sent because the server rejected the sender's email address. The sender's email address was 'fionaward@…'.

Subject 'Re: filming' Server Error: 550 Server Response: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1) Server: 'mail.transitionnetwork.org' Windows Live Mail Error ID: 0x800CCC78 Protocol: SMTP Port: 26 Secure(SSL): No

Which looked to me like the email had been sent and rejected by the receiving server.

So I sent this to Fiona:

On 24 June 2014 16:11, Sam Rossiter <samintransition@…> wrote: Hi Fiona I'll take a look now. It could have been rejected for a number of reasons. There's no keywords in the email that might trigger a spam rejection? Or have you Cc'd a large number of people?

As a workaround until we get to the bottom of it is it something a collegue could forward? Or does it have to come from you?

Thanks

Sam

Fiona replied:

Hi Sam I don;t think it's that email, as there are 13 that won't send frm my outbox even if I remove this email - same problem with the next one! Thanks Fiona

---

Chris I'm not working until next Tuesday, so I was wondering if you could pick this up and liase with Fiona? fionawardttt [AT] googlemail.com

Thanks

Sam

#745: Upgrade to BOA-2.2.6 Stable Edition

chris — Mon, 23 Jun 2014 09:32:31 GMT

Email from wiki:PuffinServer:

There is new BOA-2.2.6 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

Reading through the change log there doesn't appear to be anything of note that directly effects us, the new php versions:

PHP 5.4.28
PHP 5.5.12

Don't as we are still on PHP Version 5.3.28.

I think it would be worth doing this update one evening this week just to keep upto date with BOA.

Previous updates: wiki:PuffinServer#Upgradetickets

#744: Add CSS Injector module to the D6 mix

annesley — Thu, 19 Jun 2014 10:50:03 GMT

CSS Injector module allows admin dynamic adding of CSS in to a live production server without code updates. this is to respond quickly to client needs whilst implementing the requests in the correct place in the themes on the next promotion from dev.

#739: Set up DEV and other drupal accounts for Annesley

ed — Wed, 11 Jun 2014 14:38:42 GMT

is this you chris? or a sam job? or paul?

#736: Upgrade to MediaWiki 1.23.0

chris — Thu, 05 Jun 2014 09:43:50 GMT

From the announcements list:

I am happy to announce the availability of the first stable release of the new MediaWiki 1.23 release series.

MediaWiki 1.23 is a large release that contains many new features and bug fixes. This is a summary of the major changes of interest to users. You can consult the RELEASE-NOTES-1.23 file for the full list of changes in this version.

This is a Long Term Support release (LTS) and will be supported until May 2017.

Our thanks to everyone who helped to improve MediaWiki by testing the release candidates and submitting bug reports.

What's new?

MediaWiki 1.23 includes all changes released in the smaller 1.23wmfX software deployments to Wikimedia sites.
Skin autodiscovery deprecated

Skin autodiscovery, the legacy skin installation mechanism used by MediaWiki since very early versions (around 2004), has been officially deprecated and will be removed in MediaWiki 1.25.

MediaWiki 1.23 will emit warnings in production if a skin using the deprecated mechanism is found.
See Manual:Skin autodiscovery for more information and a migration guide for site admins and skin developers.
Notifications

With 1.23, MediaWiki starts to behave more like a modern website as regards notifications, to keep the editors of your wiki engaged and always up to date about what interests them. This used to require several custom settings.

(bug 45020) Make preferences "Add pages I create and files I upload to my watchlist" and "pages and files I edit" true by default.
(bug 45022) Make preference "Email me when a page or file on my watchlist is changed" true by default.
(bug 49719) Watch user page and user talk page by default.
This will allow your new users to immediately start benefiting from the watchlist and email notification features, without needing to first read all the docs to find out that they're as useful as they are.

Merged extensions

Merged into 1.23:

ExpandTemplates (bug 28264).
AssertEdit (bug 27841) - documented at API:Assert.
Interface

(bug 42026) Add option to only show page creations in Special:Contributions (and API).
Add new special page to list duplicate files, Special:ListDuplicatedFiles.
(bug 60333) Add new special page listing tracking categories (Special:TrackingCategories).
Editing

A new special page Special:Diff was added, allowing users to create internal links to revision comparison pages using syntax such as Special:Diff/12345, Special:Diff/12345/prev or Special:Diff/12345/98765.
Help pages

With 1.23, MediaWiki begins a process of consolidation of its help pages. Now, most are using the Translate extension and can be easily translated and updated in hundreds languages.

In the coming months, we'll focus on making more of the central help pages translatable and on linking them from the relevant MediaWiki interfaces for better discoverability. Please help: add your own translations; update existing pages and cover missing MediaWiki topics.

Traditionally, help pages have been scattered on countless wikis and poorly translated; most of those on mediawiki.org were migrated with the help of some Google Code-in students.

CSS refresh for Vector

Various Vector CSS properties have been converted to LESS variables.
The font size of #bodyContent/.mw-body-content has been increased to 0.875em.
The line-height of #bodyContent/.mw-body-content has been increased to 1.6.
The line-height of superscript (sup) and subscript (sub) are now set to 1.
The default color for content text (but not the headers) is now #252525; (dark grey).
All headers have updated sizes and margins.
H1 and H2 headers now use a serif font.
Body font is "sans-serif" as always.
For more information see Typography refresh.

Configuration

Add Config and GlobalConfig classes:

Allows configuration options to be fetched from context.
Only one implementation, GlobalConfig, is provided, which simply returns $GLOBALS[$name]. There can be more classes in the future, possibly a database-based one. For convinience the "wg" prefix is automatically added.
This adds the $wgConfigClass global variable which is used to determine which implementation of Config to use by default.
The ContextSource getConfig and setConfig methods were introduced.
Full release notes: https://git.wikimedia.org/blob/mediawiki%2Fcore.git/1.23.0/RELEASE-NOTES-1.23 https://www.mediawiki.org/wiki/Release_notes/1.23

Download: http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.0.tar.gz

GPG signatures: http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.0.tar.gz.sig

Public keys: https://www.mediawiki.org/keys/keys.html

I'd suggest we upgrade to this version and then perhaps stick with it, only doing security updates, until we need to move to another version due to it no longer being supported or because we need some new functionality.

#733: Mediawiki 1.22.7 security update

chris — Sun, 01 Jun 2014 09:20:53 GMT

See https://www.mediawiki.org/wiki/Release_notes/1.22#MediaWiki_1.22.6

#732: Upgrade Piwik to 2.3.0

chris — Tue, 27 May 2014 09:21:24 GMT

Piwik 2.3.0 is a new major release of Piwik!

http://piwik.org/changelog/piwik-2-3-0/

#730: Redis Munin stats for puffin

chris — Fri, 23 May 2014 08:38:33 GMT

The Redis stats for wiki:PuffinServer are not being generated:

https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/index.html#redis

#729: Upgrade to Piwik 2.2.2

chris — Fri, 23 May 2014 08:21:12 GMT

2.2.2 came out on 8th May, not sure why I missed this at the time, the change log is here: http://piwik.org/changelog/piwik-2-2-2/

The last upgrade was 2.2.1 ticket:726 and the upgrade notes are at wiki:PiwikServer#Updates

#728: Re-patch location module

sam — Tue, 20 May 2014 12:53:16 GMT

Bugger just realised that I didn't finish the pull request into the main branch: https://trac.transitionnetwork.org/trac/ticket/681

So the location module patch is not on the live site.

I have now done the patch correctly I think: https://github.com/transitionnetwork/transitionnetwork.org-d6.profile/pull/2

Shall I additionally add the patch to the live site using Drush as I did before?

Thanks

Sam

#726: Upgrade to Piwik 2.2.1

chris — Tue, 06 May 2014 11:14:05 GMT

Piwik 2.2.1 is a new minor release which brings more stability to the platform.

http://piwik.org/changelog/piwik-2-2-1/

#725: Upgrade to BOA-2.2.5

chris — Fri, 02 May 2014 08:49:22 GMT

Note this ticket was opened to upgrade to BOA-2.2.4 but when the upgrade was done BOA-2.2.5 was out so BOA-2.2.4 was skipped

From the Changelog at http://bit.ly/newboa

### Stable BOA-2.2.4 Release - Full Edition
### Date: Wed Apr 30 17:03:36 PDT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
  This release includes several bug fixes along with five updated platforms,
  plus some hot-fixes applied to previous stable after its release. We have
  also added a fix for known problem is recent Drupal 7.27 [#2245331] hence
  the change from Drupal 7.27.1 to 7.27.2 in all D7 platforms.
# Important - Read This First! (for self-hosted BOA only)
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ barracuda up-stable
  $ octopus up-stable all both
  For silent, logged mode with e-mail message sent once the upgrade is
  complete, but no progress is displayed in the terminal window, you can run
  alternatively, starting with screen session to avoid incomplete upgrade
  if your SSH session will be closed for any reason before the upgrade
  will complete:
  $ screen
  $ barracuda up-stable log
  $ octopus up-stable all both log
  Note that the silent, non-interactive mode will automatically say Y/Yes
  to all prompts and is thus useful to run auto-upgrades scheduled in cron.
  If you have skipped some recent BOA releases, and you have new default config
  option: _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,
  plus, you are not sure if you follow best practices for managing permissions
  as recommended in our docs: https://omega8.cc/node/116 then we recommend
  that you change it to _PERMISSIONS_FIX=YES temporarily, or even permanently
  if your VPS is fast enough, and then run this powerful script as root:
  $ bash /var/xdrago/daily.sh
  Note that BOA 'legacy' mode is still at version 2.1.3
# Updated Octopus platforms:
  ### Drupal 7.27.2
  Commerce 1.25 ---------------- https://drupal.org/project/commerce_kickstart
  Commerce 2.14 ---------------- https://drupal.org/project/commerce_kickstart
  Commons 3.11 ----------------- https://drupal.org/project/commons
  Panopoly 1.5 ----------------- https://drupal.org/project/panopoly
  ### Pressflow 6.31.1
  Commons 2.17 ----------------- https://drupal.org/project/commons
  Note: Always read and follow upgrade procedure if explained in the distro
  release notes, like for Panopoly 1.5 at https://drupal.org/node/2255133
# New o_contrib modules:
  * print-6.x-1.19 (includes patch to auto-detect /usr/bin/wkhtmltopdf)
  * print-7.x-2.0  (includes patch to auto-detect /usr/bin/wkhtmltopdf)
# New features and enhancements in this release:
  * Support for session.gc_maxlifetime configurable via INI files.
  You can control session garbage collector (EOL) per site and per platform.
  The value (in seconds) of the session_gc_eol variable is used as
  session.gc_maxlifetime value and specifies the number of seconds after which
  data will be seen as 'garbage' and potentially cleaned up, resulting with
  $_SESSION variable discarded and affected authenticated users logged out.
  BOA default defined in the system level global.inc file is 86400 == 24h.
# Changes in this release:
  * Drush: Upgrade command line version 6 to mini-6-26-04-2014
  * Nginx: Use higher defaults for limit_conn to avoid error 503 (CloudFlare)
  * Nginx: Use more aggressive limits against spambots trying to rgstr accounts.
  * Redis: Integration module (the modern variant) upgrade to 7.x-2.x-o8-2.6-B
# System upgrades in this release:
  * Nginx 1.7.0
  * PHP 5.5.12
  * Redis 2.8.9
# Fixes in this release:
  * Add symlinks in the home directory if missing (every 5 minutes).
  * Add warning that Compass Tools install and upgrade may take a LONG time.
  * Always define _PHP_CN variable properly.
  * Do not delete symlinks to wrappers to avoid false LFD alarms.
  * Fix for 'Force backward compatible SERVER_SOFTWARE'.
  * Fix in websh for _IN_PATH logic to not break backend Drush tasks.
  * Fix the logic for wrappers update and symlinks.
  * Force MariaDB 5.5 re-install if installed version doesn't match latest.
  * Improve status messages to display when silent mode is used on upgrade.
  * Improve whitelisting in the websh wrapper.
  * Issue #2238805 - Command filtering - no word containing *drush* is allowed.
  * Issue #2241495 - wkhtmltopdf stopped working after upgrade.
  * Issue #2247997 - Update docs/REMOTE.txt with workaround for websh issue.
  * Issue #2250397 - Always follow (limited) redirects in cURL requests.
  * Issue #GH-304  - [rvm] use $_RUBY_VERSION as default.
  * Issue #GH-305  - Check disk usage before running install/upgrade.
  * Issue #GH-306  - Allow ruby 1.8 to remain installed.
  * Nginx: Allow to configure keywords for aggressive requests rate monitoring.
  * Nginx: Sync FastCGI timeouts with other Nginx and PHP-FPM defaults.
  * PHP: Add /opt/local/bin/php tmp symlink on barracuda/octopus upgrade.
  * PHP: Allow to set custom _PHP_FPM_TIMEOUT but not lower than 60 (in seconds)
  * PHP: Always respect _PHP_FPM_WORKERS variable if set to numeric value > 0
  * PHP: Better defaults for realpath_cache_ttl and realpath_cache_size.
  * PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
  * PHP: pm.max_children was not properly updated on FPM version self-switch.
  * PHP: Sync incorrect default_socket_timeout with max_execution_time (180s).
  * PHP: Use 30s for pm.process_idle_timeout - it prevents too high RAM usage.
  * PHP: Variable _PROCESS_MAX_FPM is not used on the Satellite Instance level.
  * Postfix: Force re-install if broken permisions detected on upgrade.
  * Prevent duplicate cron invocations with more strict delays.
  * Shell: Proper fix for wildcard in the path (cd command only)
  * Standardize install and upgrade for Chive, SQL Buddy and CGP.
  * Sync Redis timeout with default FPM timeout (180s).
  * Sync SQL connect_timeout with default mysql.connect_timeout in PHP (60s).
  * Update the logic for multi-version PHP support in BOND.
  * Update the logic for multi-version PHP support in docs/REMOTE.txt

#724: Subscription emails from Rob's blog not arriving.

sam — Tue, 29 Apr 2014 09:21:12 GMT

A user has got in touch to let us know he is not getting Rob's updates by email. He's still subscribed.

I just checked my mail and the last one I received was on the 11/4. I'll have a look and see if I can work it out.

#723: Mediawiki 1.22.6 Upgrade

chris — Mon, 28 Apr 2014 10:10:48 GMT

Announced a few days ago:

I would like to announce the release of MediaWiki 1.22.6 and 1.21.9. This is a regular security and maintenance release. Download links are given at the end of this email. Please note there is no new release of the 1.19 branch, as it is not affected by the security issue.

Security

(bug 63251) SECURITY: escape sortKey in pageInfo.
Bugfixes in 1.21.9

(bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
Full release notes for 1.22.6: https://www.mediawiki.org/wiki/Release_notes/1.22

#721: Upgrade to BOA-2.2.3 Stable Edition

chris — Sat, 19 Apr 2014 05:58:00 GMT

wiki:PuffinServer has sent this email:

There is new BOA-2.2.3 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

The Changelog contains:

### Stable BOA-2.2.3 Release - Full Edition
### Date: Fri Apr 18 12:57:40 PDT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
  This release includes several bug fixes and security upgrades both for the
  system services and Drupal core, along with three updated platforms and new
  features, including support for MariaDB 10.0 and Ubuntu 14.04 LTS Trusty.
# Important - Read This First! (for self-hosted BOA only)
  If you haven't run full barracuda+octopus upgrade to latest BOA Stable
  Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
  Once new BOA Stable is released, you must run *full* upgrades with commands:
  $ barracuda up-stable
  $ octopus up-stable all both
  For silent, logged mode with e-mail message sent once the upgrade is
  complete, but no progress is displayed in the terminal window, you can run
  alternatively, starting with screen session to avoid incomplete upgrade
  if your SSH session will be closed for any reason before the upgrade
  will complete:
  $ screen
  $ barracuda up-stable log
  $ octopus up-stable all both log
  Note that the silent, non-interactive mode will automatically say Y/Yes
  to all prompts and is thus useful to run auto-upgrades scheduled in cron.
# Updated Octopus platforms:
  ### Drupal 7.27.1
  Guardr 1.3 ------------------- https://drupal.org/project/guardr
  Open Atrium 2.17 ------------- https://drupal.org/project/openatrium
  Recruiter 1.2 ---------------- https://drupal.org/project/recruiter
# New features and enhancements in this release:
  * Add docs/FAQ.txt
  * Add support for MariaDB 10.0 or 5.5 install via _DB_SERIES variable.
  * Add support for Ubuntu 14.04 LTS Trusty.
  * Improve auto-healing for multi-version PHP-FPM setup.
  * Improve docs/UPGRADE.txt
  * Improve health check for protected vhosts during live SSH-auth update.
# Changes in this release:
  * Issue #GH-299 - Force disable LESS developer mode on production sites.
  * Move custom scripts to /opt/local/bin/
  * Normalize localhost entry in /etc/hosts to avoid FQDN mapped to 127.0.0.1
  * PHP: Do not use separate FPM pool for cron if _PHP_FPM_DENY is empty.
# System upgrades in this release:
  * MariaDB 5.5.37
# Fixes in this release:
  * Add 'exit 0' line if missing.
  * Add /opt/local/bin to PATH by default.
  * Add symlinks for wrappers only temporarily.
  * Better gem uninstall options.
  * Compass: Multiple fixes for various expected gems versions install/upgrades.
  * Do not override lshell env_path in websh wrapper.
  * Do not use monitored bin path for custom scripts to avoid LFD false alarms.
  * Extra db GRANT for 127.0.0.1 not added when migrating site.
  * Improve auto-healing to create required directories in /var/run/ if missing.
  * Issue #2230269 - New Jetty 9 version overrides JETTY_PORT=8099 with 8080.
  * Issue #2235991 - Drush make needs better exceptions in websh wrapper.
  * Issue #2236475 - Clarify what the Legacy mode really means.
  * Issue #2238965 - Add missing path to switch_to_bash().
  * Issue #2241013 - Git commands should be whitelisted in websh wrapper.
  * Issue #2241495 - wkhtmltopdf stopped working after upgrade.
  * Issue #GH-301 - Update the list of restricted keywords for Octopus username.
  * Make sure that permissions on Chive Manager dir/files are correct.
  * Note: _SSL_FROM_SOURCES=YES is ignored and not needed on Wheezy and Precise.
  * Remove the line with header TABLE_NAME (sqlmagic).
  * Reset PATH to avoid RVM overrides after Compass Tools install/upgrade.
  * Shell: Allow to run 'drush cache-clear drush' in any directory.
  * The _PHP_MODERN_ONLY variable is no longer used.
  * Ubuntu 14.04 LTS Trusty requires MariaDB 10.0
  * Use hostname -b instead of deprecated hostname -v.

Note that we are already running the latest MariaDB, see ticket:692#comment:31

See also the last BOA upgrade ticket, BOA-2.2.2 ticket:707 and also ticket:670

#720: Upgrade to Piwik 2.2.0

chris — Thu, 17 Apr 2014 07:51:50 GMT

From the Changelog, http://piwik.org/changelog/piwik-2-2-0/

Piwik 2.2.0 is a major new release. This release is rated critical. Please update now.

We highly recommend that you upgrade your server to Piwik 2.2.0 today to benefit from design, performance and security improvements in this release.

Piwik 2.2 helps you focus on your data

All reports: display as much text as possible before the label becomes truncated (useful when you want to see more data at a glance without having to hover to view the full label)
Make Datatables more readable and flatter – we have removed some borders.
On the dashboard, the Data Tables and graph icons are now hidden by default and are now available by clicking on the widget footer.
New features

Event Tracking: track your custom events with Piwik. An event is defined by a Category, an Action, an optional Name and an optional Value. Event Tracking is a powerful feature which can be used for many purposes! http://piwik.org/docs/event-tracking/
Site Search reports are now available in Scheduled email reports and on Piwik Mobile
New Websites Groups (available on request) functionality now allows you to group a cluster of websites in the All Websites Dashboard.
Security fixes: we would like to warmly thank Security researchers Mateusz Goik and Vivek S. Jadhav for responsibly reporting two XSS security issues in Piwik which are now fixed in 2.2.0.
API breaking change for Plugins developers
Deprecated the function Schema::dropTables() and DbHelper::dropTables, for the new Db::dropTables()
Removed the code that was deprecated in 2.1.0. Learn more http://piwik.org/blog/2014/02/piwik-2-1-changes-plugin-developers/

#718: REconomy site showing adverts randomly

ed — Thu, 10 Apr 2014 08:19:34 GMT

Load http://www.reconomy.org and the first time you get it, and other times at random and you get spam.

URGENT check please - on REconomy and all WP sites...