Transition Technology: Ticket Query http://localhost:8080/trac/query?status=accepted&status=assigned&status=new&status=reopened&type=maintenance&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&report=18&desc=1&order=priority Support and issues tracking for the Transition Network Web Project. en-US Transition Technology /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/query?status=accepted&status=assigned&status=new&status=reopened&type=maintenance&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&report=18&desc=1&order=priority Trac 0.12.5 http://localhost:8080/trac/ticket/541 http://localhost:8080/trac/ticket/541 #541: Documentation of the WordPress sites Wed, 01 May 2013 20:25:57 GMT chris <p> These pages have been created for the documentation of the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">wiki:WordPress</a> sites running on <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">wiki:PenguinServer</a>: </p> <ul><li><a class="wiki" href="http://localhost:8080/trac/wiki/InTransitionWordPress">wiki:InTransitionWordPress</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/ReconomyWordPress">wiki:ReconomyWordPress</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/EarthInheritorsWordPress">wiki:EarthInheritorsWordPress</a> </li></ul><p> So far they only have a listing on the plugins for each site. </p> <p> Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting. </p> <p> Laura is this something you might be able to help with? I'm happy doing some work on it but you know your way around these sites far better than anyone else. </p> Results http://localhost:8080/trac/ticket/541#changelog http://localhost:8080/trac/ticket/598 http://localhost:8080/trac/ticket/598 #598: Redirect reconomyproject.org to reconomy.org Fri, 20 Sep 2013 12:16:56 GMT chris <p> Request from Shane: </p> <blockquote class="citation"> <p> I've noticed that the domain www.reconomyproject.org is still live and running. i.e. can surf around it. I think you set it up so that it would auto redirect to reconomy.org - not 100% sure about the technical spec behind how you did this but is it still working? I noticed this because a lot of the referrals on to our fb page our coming from reconomyproject.org rather than reconomy.org </p> </blockquote> Results http://localhost:8080/trac/ticket/598#changelog http://localhost:8080/trac/ticket/645 http://localhost:8080/trac/ticket/645 #645: APC Tuning on Parrot and Penguin Tue, 10 Dec 2013 10:52:31 GMT chris <p> As part of the upgrade from Squeeze to Wheezy, see <a class="closed ticket" href="http://localhost:8080/trac/ticket/535" title="maintenance: Upgrade Puffin, Penguin and Parrot from Debian Squeeze to Wheezy (closed: fixed)">ticket:535</a>, Munin graphs for APC were added: </p> <ul><li><a class="ext-link" href="https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/index.html#php-apc"><span class="icon">​</span>https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/index.html#php-apc</a> </li><li><a class="ext-link" href="https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/index.html#php-apc"><span class="icon">​</span>https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/index.html#php-apc</a> </li></ul><p> There is also more APC info here: </p> <ul><li><a class="ext-link" href="https://parrot.transitionnetwork.org/apc.php"><span class="icon">​</span>https://parrot.transitionnetwork.org/apc.php</a> </li><li><a class="ext-link" href="https://penguin.transitionnetwork.org/info/apc.php"><span class="icon">​</span>https://penguin.transitionnetwork.org/info/apc.php</a> </li></ul><p> The documentation for the variables which can be set in <tt>/etc/php5/mods-available/apc.ini</tt> can be found here: </p> <ul><li><a class="ext-link" href="http://php.net/manual/en/apc.configuration.php"><span class="icon">​</span>http://php.net/manual/en/apc.configuration.php</a> </li></ul><p> This monitoring is generating quite a high volume of warnings about fragmentation and purges and this ticket has been created to try to sort this issue out. </p> Results http://localhost:8080/trac/ticket/645#changelog http://localhost:8080/trac/ticket/675 http://localhost:8080/trac/ticket/675 #675: Piwik Geolocation Tue, 14 Jan 2014 12:16:36 GMT chris <p> We have this warning in the Piwik admin interface: </p> <blockquote class="citation"> <p> Geolocation works, but you are not using one of the recommended providers. If you have to import log files or do something else that requires setting IP addresses, use the PECL GeoIP implementation (recommended) or the PHP GeoIP implementation. </p> </blockquote> <p> We currently do Geolocation at a Nginx level, it is possible that it would now be better to switch to do it at a Piwik level, see the documentation here: <a class="ext-link" href="http://piwik.org/docs/geo-locate/"><span class="icon">​</span>http://piwik.org/docs/geo-locate/</a> </p> Results http://localhost:8080/trac/ticket/675#changelog http://localhost:8080/trac/ticket/676 http://localhost:8080/trac/ticket/676 #676: Alternative to Skype for TTech Meetings Tue, 14 Jan 2014 13:33:51 GMT chris <p> Jim has pointed out that: </p> <blockquote class="citation"> <p> Skype costs us 15-30 minutes of grinding pain every time we do this! </p> </blockquote> <p> So what are the alternatives and what are our requirements? </p> Results http://localhost:8080/trac/ticket/676#changelog http://localhost:8080/trac/ticket/737 http://localhost:8080/trac/ticket/737 #737: SPF / Emails rejected from the website contact form Thu, 05 Jun 2014 15:46:13 GMT sam <p> We had a user report that they could not send a message via our contact form: </p> <p> "Yesterday I sent a message to you via the contact form on the website. But obviously something went wrong: for I got a failure notice saying my message could not be delivered. Therefore I'm sending it directly via email (see below) hoping that you're receiving my message this way." </p> <p> &lt;info@…&gt;: host mx1.spamfiltering.com[72.249.150.158] said: </p> <blockquote> <p> 550 81.95.XX.XX is not allowed to send mail from gmx.de. Please see <a class="ext-link" href="http://www.openspf.net/Why?scope=mfrom;identity=userXX@gmx.de;ip=81.95.XX.XX"><span class="icon">​</span>http://www.openspf.net/Why?scope=mfrom;identity=userXX@gmx.de;ip=81.95.XX.XX</a> (in reply to end of DATA command) </p> </blockquote> <p> (User details edited as this is publicly archived) </p> <p> I'm not sure I quite understand what's going on here. Chris indicated in email that this would affect other users whose email provider has set this kind of SPF record. </p> <p> Can we make an educated guess as to what proportion of email providers set this kind of SPF? </p> <p> How many messages do we never get to see? Is it a problem? Or a small enough number of users that we just don't worry about it? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/737#changelog http://localhost:8080/trac/ticket/740 http://localhost:8080/trac/ticket/740 #740: Add 'class button block' to Soundcloud block Thu, 12 Jun 2014 09:55:05 GMT sam <p> Hi Ben </p> <p> Could you add 'class button block' to the block class settings for this block: </p> <p> <a class="ext-link" href="https://www.transitionnetwork.org/admin/build/block/configure/block/98?destination=blogs%2Frob-hopkins"><span class="icon">​</span>https://www.transitionnetwork.org/admin/build/block/configure/block/98?destination=blogs%2Frob-hopkins</a> </p> <p> Or shall I give myself 'developer' permissions so I can add these myself? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/740#changelog http://localhost:8080/trac/ticket/763 http://localhost:8080/trac/ticket/763 #763: Server Backups Mon, 21 Jul 2014 17:09:21 GMT chris <p> Two weeks ago <a class="closed ticket" href="http://localhost:8080/trac/ticket/754#comment:21" title="maintenance: Can we upgrade from PHP 5.3? (closed: wontfix)">annesley asked</a>: </p> <blockquote class="citation"> <p> what off-site data storage, file backup and quick setup do we have? </p> </blockquote> <p> I <a class="closed ticket" href="http://localhost:8080/trac/ticket/754#comment:22" title="maintenance: Can we upgrade from PHP 5.3? (closed: wontfix)">answered</a>: </p> <blockquote class="citation"> <p> The 3 virtual servers have their file system mounted off a BSD/NFS/ZFS file server and the whole file system is backed up and stored onto another BSD/ZFS server in the same data centre. We did have backups also being copied to a server in Manchester but this is currently off-line as the Manchester server needs a disk swapping and rebuilding as a BSD/ZFS server. </p> </blockquote> <p> A problem with this is that it's only me and Alan that have access to these backups, so I'd like to suggest I set up a new account for backups on our backup server and sort out cron jobs to rsync data to this account and document how people can access these backups. </p> <p> The result would be that everybody would have SFTP access to 60 days worth of snapshots of backups from all three servers whenever needed without any need for my or Alan's intervention. </p> <p> I expect this would take abount an hour to set up and another hour to document and help people understand it. </p> <p> There would be no additional cost to the TN because backup space is already paid for. </p> Results http://localhost:8080/trac/ticket/763#changelog http://localhost:8080/trac/ticket/768 http://localhost:8080/trac/ticket/768 #768: Piwik Archive Cron Error Fri, 01 Aug 2014 17:14:59 GMT chris <p> Have been getting these emails from <a class="wiki" href="http://localhost:8080/trac/wiki/PiwikServer">PiwikServer</a>: </p> <pre class="wiki">From: root@penguin.webarch.net (Cron Daemon) Date: Fri, 1 Aug 2014 14:06:48 +0100 (BST) To: root@localhost Subject: Cron &lt;www-data@penguin&gt; /web/stats.transitionnetwork.org/piwik/console core:archive --url=http://stats.transitionnetwork.org/ &gt; /var/log/piwik-archive.log ERROR CoreConsole[2014-08-01 13:05:18] [3e5ac] Got invalid response from API request: +http://stats.transitionnetwork.org/index.php?module=API&amp;method=API.get&amp;idSite=1&amp;period=week&amp;date=last2&amp;format=php&amp;token_auth=XXXXXXXXXXXX&amp;trigger=archivephp. Response was ' &lt;div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%; +background-color:#FFFF96;'&gt; &lt;strong&gt;There is an error. Please report the message (Piwik 2.4.1) and full backtrace in the &lt;a +href='?module=Proxy&amp;action=redirect&amp;url=http://forum.piwik.org' target='_blank'&gt;Piwik forums&lt;/a&gt; (please do a Search first as it might have +been reported already!).&lt;br /&gt;&lt;br/&gt; Warning:&lt;/strong&gt; +&lt;em&gt;file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&amp;php_version=5.4.4-14%2Bdeb7u12&amp;url=https%3A%2F%2Fstats. +transitionnetwork.org%2Fweb%2Fstats.transitionnetwork.org%2Fpiwik%2Fconsole&amp;trigger=API&amp;timezone=Europe%2FLondon): failed to open stream: +HTTP requ est fail ed! &lt;/em&gt; in &lt;strong&gt;/web/stats.transitionnetwork.org/piwik/core/Http.php&lt;/strong&gt; on line &lt;strong&gt;406&lt;/strong&gt; &lt;br /&gt;&lt;br /&gt;Backtrace +--&amp;gt;&lt;div style="font-family:Courier;font-size:10pt"&gt;&lt;br /&gt; #0 Piwik\Error::errorHandler(...) called at [:]&lt;br /&gt; #1 +file_get_contents(...) called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:406]&lt;br /&gt; #2 Piwik\Http::sendHttpRequestBy(...) +called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:94]&lt;br /&gt; #3 Piwik\Http::sendHttpRequest(...) called at +[/web/stats.transitionnetwork.org/piwik/core/UpdateCheck.php:72]&lt;br /&gt; #4 Piwik\UpdateCheck::check(...) called at +[/web/stats.transitionnetwork.org/piwik/plugins/CoreUpdater/CoreUpdater.php:142]&lt;br /&gt; #5 +Piwik\Plugins\CoreUpdater\CoreUpdater-&gt;updateCheck(...) called at [:]&lt;br /&gt; #6 call_user_func_array(...) called at +[/web/stats.transitionnetwork.org/piwik/core/EventDispatcher.php:98]&lt;br /&gt; #7 Piwik\EventDispatcher-&gt;postEvent(...) called at +[/web/stats.transitionnetwor k.org/pi wik/core/Piwik.php:766]&lt;br /&gt; #8 Piwik\Piwik::postEvent(...) called at +[/web/stats.transitionnetwork.org/piwik/core/FrontController.php:391]&lt;br /&gt; #9 Piwik\FrontController-&gt;init(...) called at +[/web/stats.transitionnetwork.org/piwik/core/dispatch.php:33]&lt;br /&gt; #10 require_once(...) called at +[/web/stats.transitionnetwork.org/piwik/index.php:47]&lt;br /&gt; #11 require_once(...) called at +[/web/stats.transitionnetwork.org/piwik/core/CliMulti/RequestCommand.php:53]&lt;br /&gt; #12 Piwik\CliMulti\RequestCommand-&gt;execute(...) called +at [/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Command/Command.php:252]&lt;br /&gt; #13 +Symfony\Component\Console\Command\Command-&gt;run(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:887]&lt;br /&gt; #14 +Symfony\Component\Console\Application-&gt;doRunCommand(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Co nsole/Ap plication.php:193]&lt;br /&gt; #15 Symfony\Component\Console\Application-&gt;doRun(...) called at +[/web/stats.transitionnetwork.org/piwik/core/Console.php:64]&lt;br /&gt; #16 Piwik\Console-&gt;doRun(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:124]&lt;br /&gt; #17 +Symfony\Component\Console\Application-&gt;run(...) called at [/web/stats.transitionnetwork.org/piwik/console:31]&lt;br /&gt; &lt;/div&gt;&lt;br /&gt; +&lt;/pre&gt;&lt;/div&gt;&lt;br /&gt; &lt;div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%; background-color:#FFFF96;'&gt; +&lt;strong&gt;There is an error. Please report the message (Piwik 2.4.1) and full backtrace in the &lt;a +href='?module=Proxy&amp;action=redirect&amp;url=http://forum.piwik.org' target='_blank'&gt;Piwik forums&lt;/a&gt; (please do a Search first as it might have +been reported already!).&lt;br /&gt;&lt;br/&gt; Warning:&lt;/strong&gt; +&lt;em&gt;file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&amp;php_version =5.4.4-1 </pre> Results http://localhost:8080/trac/ticket/768#changelog http://localhost:8080/trac/ticket/787 http://localhost:8080/trac/ticket/787 #787: Access to Parrot Mon, 15 Sep 2014 07:21:51 GMT annesley <p> is it ok for me to send through my normal, non-passphrase protected public key to you Chris for parrot? </p> <p> the documentation wants a passphrase protected key. however this may be what is causing the access issues from my laptop. i certainly could find a way around it but would suggest that the passphrase is not a great improvement to security anyway in this instance so it would be ok to use my normal public key. note that i can access all my other servers with the normal key without problems. </p> Results http://localhost:8080/trac/ticket/787#changelog http://localhost:8080/trac/ticket/814 http://localhost:8080/trac/ticket/814 #814: Higher that usual loads on PuffinServer since early September Wed, 03 Dec 2014 17:12:35 GMT chris <p> The following <a class="ext-link" href="https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/load.html"><span class="icon">​</span>load graph</a> from <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a> shows that the load increased substantially in early September 2014, does anyone know why? </p> <p> <a style="padding:0; border:none" href="http://localhost:8080/trac/attachment/ticket/814/puffin-load-2014-11-03.png"><img src="http://localhost:8080/trac/raw-attachment/ticket/814/puffin-load-2014-11-03.png" /></a> </p> <p> When I found <a class="ext-link" href="http://www.vdmi.nl/blog/i-went-drupal-733-and-all-i-got-was-slow-site"><span class="icon">​</span>I went to Drupal 7.33 and all I got was a slow site</a> I thought that perhaps a Drupal 7 site on the server could be the cause but 7.33 came out on <a class="ext-link" href="https://www.drupal.org/drupal-7.33-release-notes"><span class="icon">​</span>7th November 2014</a>. </p> <p> Anyone have any ideas? </p> Results http://localhost:8080/trac/ticket/814#changelog http://localhost:8080/trac/ticket/824 http://localhost:8080/trac/ticket/824 #824: Analysis of the 2014 maintenance ticket time Wed, 07 Jan 2015 15:48:14 GMT chris <p> Ed has ask that I spend up to 2 hours on an analysis of the 2014 maintenance ticket time for our meeting tomorrow in Bristol. </p> <p> See also: </p> <ul><li><a class="wiki" href="http://localhost:8080/trac/wiki/TransitionMaintenance">wiki:TransitionMaintenance</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/MaintenanceTasks">wiki:MaintenanceTasks</a> </li></ul> Results http://localhost:8080/trac/ticket/824#changelog http://localhost:8080/trac/ticket/882 http://localhost:8080/trac/ticket/882 #882: Login to PiWik stats Tue, 03 Nov 2015 10:52:30 GMT annesley <p> hi Chris! could i have a login to <a class="missing wiki">PiWik?</a> stats please? </p> Results http://localhost:8080/trac/ticket/882#changelog http://localhost:8080/trac/ticket/887 http://localhost:8080/trac/ticket/887 #887: Lot's of failed logins on conference15.transitionnetwork.org Fri, 04 Dec 2015 11:39:10 GMT sam <p> Hi all </p> <p> Overnight I had 150 notifications of failed login attempts and subsequent IP address bans from the <a class="ext-link" href="https://en-gb.wordpress.org/plugins/wordfence/"><span class="icon">​</span>https://en-gb.wordpress.org/plugins/wordfence/</a> security plugin I installed. </p> <p> It's coming from multiple IP addresses in multiple countries. </p> <p> It seems like Wordfence is doing it's job and blocking IP's. I only mention it as I'm wondering if it could be related to the recent downtime. </p> <p> Feel free to close this ticket, just thought it was worth sticking in here. </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/887#changelog http://localhost:8080/trac/ticket/892 http://localhost:8080/trac/ticket/892 #892: MediWiki Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12 Fri, 18 Dec 2015 10:46:18 GMT chris <p> Email to the <a class="ext-link" href="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html"><span class="icon">​</span>announcements list</a>: </p> <pre class="wiki">I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5, and 1.23.12. These releases fix five security issues in core, in addition to other bug fixes. Download links are given at the end of this email == Security fixes == (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error (T119309) SECURITY: Use hash_compare() for edit token comparison (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki == Note about EOL of 1.24.x == Please note that 1.24.5 marks the end of support for the 1.24.x series of releases. Technically this ended a few weeks ago with the release of 1.26.0 but we dropped one final release of 1.24.x here to give it a nicer send off for those who have not yet upgraded. == Release notes == Full release notes for 1.26.1: &lt;https://www.mediawiki.org/wiki/Release_notes/1.26&gt; Full release notes for 1.25.4: &lt;https://www.mediawiki.org/wiki/Release_notes/1.25&gt; Full release notes for 1.24.5: &lt;https://www.mediawiki.org/wiki/Release_notes/1.24&gt; Full release notes for 1.23.12: &lt;https://www.mediawiki.org/wiki/Release_notes/1.23&gt; For information about how to upgrade, see &lt;https://www.mediawiki.org/wiki/Manual:Upgrading&gt; </pre> Results http://localhost:8080/trac/ticket/892#changelog http://localhost:8080/trac/ticket/912 http://localhost:8080/trac/ticket/912 #912: Stats for TTT Tue, 21 Jun 2016 10:29:02 GMT chris <p> Nicola at TTT has asked: </p> <blockquote class="citation"> <p> Could you let me know the size of the TTT and Transition Streets sites please? I have Google Analytics for TTT but not for Transition Streets, and I wonder if you could also tell me how many visitors it gets annually? </p> </blockquote> Results http://localhost:8080/trac/ticket/912#changelog http://localhost:8080/trac/ticket/924 http://localhost:8080/trac/ticket/924 #924: Sheffield Server Shutdown Timetable? Mon, 05 Sep 2016 08:46:27 GMT chris <p> Since <a class="ext-link" href="https://www.transitionnetwork.org/"><span class="icon">​</span>www.transitionnetwork.org</a> is now running on <tt>dedi2835.your-server.de</tt> there seems little point in the Transition Network continuing to pay for the <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a> and my time doing sysadmin updates on it? </p> <p> If the Transition Network would like Webarchitects to shutdown and delete this server and all it's backups could you please let me know when you would like it doing? </p> <p> I guess the same goes for <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">PenguinServer</a> and <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a>, though these servers still have live sites on them, including this Trac site that I use to keep track of time worked -- when <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">PenguinServer</a> is shutdown I will no longer have a public place to document the time I work for the Transition Network and all the server and site documentation from the last six years will be lost. </p> Results http://localhost:8080/trac/ticket/924#changelog http://localhost:8080/trac/ticket/264 http://localhost:8080/trac/ticket/264 #264: Context changes Fri, 17 Jun 2011 12:23:53 GMT ed <p> As discussed at meeting. Contexts not really working. Blocks on a right all over the place. Perhaps need some new page layouts (?) or other piece of work with panels (?) to sort out. </p> <p> One page to start with is the Training page (and subsection). Ed to meet Trainers and their marketing consultant on 21/6. </p> <p> Jim please advise Ed what Jim needs to </p> Results http://localhost:8080/trac/ticket/264#changelog http://localhost:8080/trac/ticket/513 http://localhost:8080/trac/ticket/513 #513: Please clarify what is a widget user Mon, 11 Mar 2013 08:17:47 GMT ed <p> What is a widget user? What role is this? Please clarify? </p> Results http://localhost:8080/trac/ticket/513#changelog http://localhost:8080/trac/ticket/537 http://localhost:8080/trac/ticket/537 #537: Parrot setup and documentation Tue, 30 Apr 2013 11:11:36 GMT chris <p> Things done setting up parrot.webarch.net -- a new virtual machine for running Wordpress sites, see <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">wiki:ParrotServer</a> </p> Results http://localhost:8080/trac/ticket/537#changelog http://localhost:8080/trac/ticket/540 http://localhost:8080/trac/ticket/540 #540: HTTPS for WordPress sites Wed, 01 May 2013 20:20:32 GMT chris <p> Currently the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">wiki:WordPress</a> sites have have the following SSL certificates: </p> <ul><li><a class="ext-link" href="https://www.intransitionmovie.com/"><span class="icon">​</span>https://www.intransitionmovie.com/</a> -- Gandi commercial certificate and dedicated IP address </li><li><a class="ext-link" href="https://www.reconomy.org/"><span class="icon">​</span>https://www.reconomy.org/</a> -- CAcert non-commercial certificate and shared IP address (SNI) </li><li><a class="ext-link" href="https://www.earthinheritors.net/"><span class="icon">​</span>https://www.earthinheritors.net/</a> -- CAcert non-commercial certificate and shared IP address (SNI) </li><li><a class="ext-link" href="https://parrot.transitionnetwork.org/"><span class="icon">​</span>https://parrot.transitionnetwork.org/</a> -- Gandi TN wild card cert and shared IP address (SNI) </li><li><a class="ext-link" href="https://parrot.webarch.net/"><span class="icon">​</span>https://parrot.webarch.net/</a> -- CAcert non-commercial certificate, this is the default site for clients without SNI support </li></ul><p> None of the site are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com </p> <p> I think we have several options going forward, the first 3 of this are the only viable ones though, IMHO: </p> <h2 id="SNIandSeperateCertsandSharedIP">SNI and Seperate Certs and Shared IP</h2> <p> Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each. </p> <p> The clients that don't work with SNI are listed here: <a class="ext-link" href="https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side"><span class="icon">​</span>https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side</a> </p> <h2 id="Multi-domainCertandSharedIP">Multi-domain Cert and Shared IP</h2> <p> Get a Gandi SSL cert with all the domains in, this is a little more expensive than seperate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI). </p> <h2 id="SeperateCertsandDedicatedIPs">Seperate Certs and Dedicated IPs</h2> <p> Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up a IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option. </p> <h2 id="Non-commercialCAcertCert">Non-commercial CAcert Cert</h2> <p> This is the cheapest, it's fine if people are able to install the <a class="ext-link" href="http://cacert.org/"><span class="icon">​</span>http://cacert.org/</a> root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option. </p> Results http://localhost:8080/trac/ticket/540#changelog http://localhost:8080/trac/ticket/582 http://localhost:8080/trac/ticket/582 #582: TN.org platform and sites Mon, 02 Sep 2013 09:30:02 GMT jim <p> The TN.org platform and Drupal site updates are to be tracked in this ticket. </p> <p> Current PROD platform build = <strong>P009</strong> Current STG platform build = <strong>S010</strong> </p> <p> Updates pending: </p> <ul><li>SECURITY UPDATE - NO RISK: Pressflow core 6.30 is due, but the security holes fixed do not affect us, low priority. Platforms: present in S010, but not in P009. </li></ul> Results http://localhost:8080/trac/ticket/582#changelog http://localhost:8080/trac/ticket/587 http://localhost:8080/trac/ticket/587 #587: Puffin MySQL Tuning Thu, 05 Sep 2013 12:54:47 GMT chris <p> This ticket is to track the tuning we do to MySQL on <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a>. </p> <p> See also previous comments on this issue: </p> <ul><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:12" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:12</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:15" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:15</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:16" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:16</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:17" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:17</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:20" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:20</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:29" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:29</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#SettingsChanged" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#SettingsChanged</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:39" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:39</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:56" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:56</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:57" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:57</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:60" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:60</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:65" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:65</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:66" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:66</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:67" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:67</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:68" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:68</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:82" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:82</a> </li><li><a class="closed ticket" href="http://localhost:8080/trac/ticket/555#comment:85" title="maintenance: Load spikes causing the TN site to be stopped for 15 min at a time (closed: fixed)">ticket:555#comment:85</a> </li></ul> Results http://localhost:8080/trac/ticket/587#changelog http://localhost:8080/trac/ticket/619 http://localhost:8080/trac/ticket/619 #619: Upgrade WordPress sites to 3.9.1 Fri, 15 Nov 2013 14:38:05 GMT chris <p> News regarding the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> versions released since the sites were upgraded to 3.6.1 on <a class="closed ticket" href="http://localhost:8080/trac/ticket/594" title="maintenance: WordPress 3.6.1 Maintenance and Security Release (closed: fixed)">ticket:594</a> </p> <ul><li><a class="ext-link" href="https://wordpress.org/news/2013/10/wordpress-3-7-1/"><span class="icon">​</span>https://wordpress.org/news/2013/10/wordpress-3-7-1/</a> </li><li><a class="ext-link" href="https://wordpress.org/news/2013/10/basie/"><span class="icon">​</span>https://wordpress.org/news/2013/10/basie/</a> </li></ul><p> We should consider how best to upgrade the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">wiki:WordPress</a> sites running on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">wiki:ParrotServer</a> and then ensure that they are upgraded. </p> Results http://localhost:8080/trac/ticket/619#changelog http://localhost:8080/trac/ticket/692 http://localhost:8080/trac/ticket/692 #692: Debian Updates Tue, 25 Feb 2014 15:16:17 GMT chris <p> This is a ticket to track debian upgrades to the <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">wiki:PuffinServer</a>, <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">wiki:PenguinServer</a> and <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">wiki:ParrotServer</a> the time they take. </p> <p> See: </p> <ul><li><a class="ext-link" href="http://lists.debian.org/debian-security-announce/recent"><span class="icon">​</span>Recent Debian security announcements</a> </li><li><a class="ext-link" href="https://lists.debian.org/debian-lts-announce/recent"><span class="icon">​</span>Recent Debian LTS security announcements</a> </li><li><a class="ext-link" href="http://lists.askmonty.org/pipermail/announce/"><span class="icon">​</span>MariaDB Announce List archives</a> </li><li><a class="ext-link" href="http://groups.google.com/group/phusion-passenger-announcements"><span class="icon">​</span>phusion-passenger-announcements archive</a> </li></ul><p> These updates are generally done using the <a class="wiki" href="http://localhost:8080/trac/wiki/AptitudeUpdateScript">wiki:AptitudeUpdateScript</a> and this records all the changes in the <tt>/root/Changelog</tt> and then the contents of the Changelog are pasted into the ticket to document the upgrade. </p> <p> This ticket took over from <a class="closed ticket" href="http://localhost:8080/trac/ticket/218" title="maintenance: Debian upgrades and updates (closed: fixed)">ticket:218</a> on 2014-02-25. </p> Results http://localhost:8080/trac/ticket/692#changelog http://localhost:8080/trac/ticket/701 http://localhost:8080/trac/ticket/701 #701: Emails & Telephone calls Tue, 18 Mar 2014 09:38:24 GMT paul Results http://localhost:8080/trac/ticket/701#changelog http://localhost:8080/trac/ticket/711 http://localhost:8080/trac/ticket/711 #711: Emails & Telephone calls Tue, 01 Apr 2014 13:47:56 GMT paul Results http://localhost:8080/trac/ticket/711#changelog http://localhost:8080/trac/ticket/712 http://localhost:8080/trac/ticket/712 #712: Create a new stgX.transitionnetwork.org site Tue, 01 Apr 2014 15:03:53 GMT sam <p> Hi Paul </p> <p> I have been trying to build a staging site using your Github repository with the changes you made for ticket : <a class="ext-link" href="https://trac.transitionnetwork.org/trac/ticket/693"><span class="icon">​</span>https://trac.transitionnetwork.org/trac/ticket/693</a> </p> <p> I have edited the D6 s008 platform: <a class="ext-link" href="https://tn.puffin.webarch.net/node/1157/edit"><span class="icon">​</span>https://tn.puffin.webarch.net/node/1157/edit</a> to use your makefile. </p> <p> It builds a site, but I just get an empty pressflow site at the end. </p> <p> Could you build a staging site using your makefile? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/712#changelog http://localhost:8080/trac/ticket/750 http://localhost:8080/trac/ticket/750 #750: Annual update of SSL cert fingerprint for incomming emails to Trac Thu, 26 Jun 2014 13:42:42 GMT chris <p> Laura said she had replied to Trac email today but they didn't get through. </p> <p> The issues has come up before, see <a class="wiki" href="http://localhost:8080/trac/wiki/TransitionTrac#Fetchmail">wiki:TransitionTrac#Fetchmail</a> </p> Results http://localhost:8080/trac/ticket/750#changelog http://localhost:8080/trac/ticket/758 http://localhost:8080/trac/ticket/758 #758: * Advisory ID: DRUPAL-SA-CORE-2014-003 Wed, 16 Jul 2014 21:55:29 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-003"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-003</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CORE-2014-003 </li><li>Project: Drupal core <a class="missing changeset" title="No default repository defined">[1]</a> </li><li>Version: 6.x, 7.x </li><li>Date: 2014-July-16 </li><li>Security risk: Critical <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Exploitable from: Remote </li><li>Vulnerability: Multiple vulnerabilities </li></ul><hr /> <hr /> <p> Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. </p> <p> .... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical) </p> <p> Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. </p> <p> The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. </p> <p> .... Access bypass (File module - Drupal 7 - Critical) </p> <p> The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. </p> <p> This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. </p> <p> Note: The Drupal 6 <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[3]</a> module is affected by a similar issue (see SA-CONTRIB-2014-071 - <a class="missing wiki">FileField?</a> - Access bypass <a class="missing changeset" title="No default repository defined">[4]</a>) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected. </p> <p> .... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical) </p> <p> A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules. </p> <p> This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself. </p> <p> .... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical) </p> <p> A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field. </p> <p> This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[5]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li>Drupal core 6.x versions prior to 6.32. </li><li>Drupal core 7.x versions prior to 7.29. </li></ul><hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use Drupal 6.x, upgrade to Drupal core 6.32. <a class="missing changeset" title="No default repository defined">[6]</a> </li><li>If you use Drupal 7.x, upgrade to Drupal core 7.29. <a class="missing changeset" title="No default repository defined">[7]</a> </li></ul><p> Also see the Drupal core <a class="missing changeset" title="No default repository defined">[8]</a> project page. </p> <hr /> <hr /> <ul><li>The denial of service vulnerability using malicious HTTP Host headers was </li></ul><p> reported by Régis Leroy <a class="missing changeset" title="No default repository defined">[9]</a>. </p> <ul><li>The access bypass vulnerability in the File module was reported by Ivan </li></ul><p> Ch <a class="missing changeset" title="No default repository defined">[10]</a>. </p> <ul><li>The cross-site scripting vulnerability with Form API option groups was </li></ul><p> reported by Károly Négyesi <a class="missing changeset" title="No default repository defined">[11]</a>. </p> <ul><li>The cross-site scripting vulnerability in the Ajax system was reported by </li></ul><p> mani22test <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <hr /> <hr /> <ul><li>The denial of service vulnerability using malicious HTTP Host headers was </li></ul><p> fixed by Régis Leroy <a class="missing changeset" title="No default repository defined">[13]</a>, and by Klaus Purer <a class="missing changeset" title="No default repository defined">[14]</a> of the Drupal Security Team. </p> <ul><li>The access bypass vulnerability in the File module was fixed by Nate Haug </li></ul><p> <a class="missing changeset" title="No default repository defined">[15]</a> and Ivan Ch <a class="missing changeset" title="No default repository defined">[16]</a>, and by Drupal Security Team members David Rothstein <a class="missing changeset" title="No default repository defined">[17]</a>, Heine Deelstra <a class="missing changeset" title="No default repository defined">[18]</a> and David Snopek <a class="missing changeset" title="No default repository defined">[19]</a>. </p> <ul><li>The cross-site scripting vulnerability with Form API option groups was </li></ul><p> fixed by Greg Knaddison <a class="missing changeset" title="No default repository defined">[20]</a> of the Drupal Security Team. </p> <ul><li>The cross-site scripting vulnerability in the Ajax system was fixed by </li></ul><p> Neil Drumm <a class="missing changeset" title="No default repository defined">[21]</a> of the Drupal Security Team. </p> <hr /> <hr /> <ul><li>The Drupal Security Team <a class="missing changeset" title="No default repository defined">[22]</a> </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[23]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[24]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[25]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[26]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[27]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="http://drupal.org/project/drupal"><span class="icon">​</span>http://drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="http://drupal.org/security-team/risk-levels"><span class="icon">​</span>http://drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="https://www.drupal.org/project/filefield"><span class="icon">​</span>https://www.drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="https://www.drupal.org/node/2304561"><span class="icon">​</span>https://www.drupal.org/node/2304561</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.32-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.32-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/drupal-7.29-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-7.29-release-notes</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="http://drupal.org/project/drupal"><span class="icon">​</span>http://drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1367862"><span class="icon">​</span>https://www.drupal.org/user/1367862</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/u/chx"><span class="icon">​</span>https://www.drupal.org/u/chx</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/user/2844779"><span class="icon">​</span>https://www.drupal.org/user/2844779</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/user/1367862"><span class="icon">​</span>https://www.drupal.org/user/1367862</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/user/262198"><span class="icon">​</span>https://www.drupal.org/user/262198</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/user/35821"><span class="icon">​</span>https://www.drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/user/124982"><span class="icon">​</span>https://www.drupal.org/user/124982</a> <a class="missing changeset" title="No default repository defined">[18]</a> <a class="ext-link" href="https://www.drupal.org/user/17943"><span class="icon">​</span>https://www.drupal.org/user/17943</a> <a class="missing changeset" title="No default repository defined">[19]</a> <a class="ext-link" href="https://www.drupal.org/user/266527"><span class="icon">​</span>https://www.drupal.org/user/266527</a> <a class="missing changeset" title="No default repository defined">[20]</a> <a class="ext-link" href="https://www.drupal.org/u/greggles"><span class="icon">​</span>https://www.drupal.org/u/greggles</a> <a class="missing changeset" title="No default repository defined">[21]</a> <a class="ext-link" href="https://www.drupal.org/u/drumm"><span class="icon">​</span>https://www.drupal.org/u/drumm</a> <a class="missing changeset" title="No default repository defined">[22]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[23]</a> <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[24]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[25]</a> <a class="ext-link" href="http://drupal.org/writing-secure-code"><span class="icon">​</span>http://drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[26]</a> <a class="ext-link" href="http://drupal.org/security/secure-configuration"><span class="icon">​</span>http://drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[27]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> <p> <span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline">_ Security-news mailing list Security-news@… Unsubscribe at <a class="ext-link" href="https://lists.drupal.org/mailman/listinfo/security-news"><span class="icon">​</span>https://lists.drupal.org/mailman/listinfo/security-news</a> </span></p> Results http://localhost:8080/trac/ticket/758#changelog http://localhost:8080/trac/ticket/759 http://localhost:8080/trac/ticket/759 #759: [Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass Wed, 16 Jul 2014 21:59:46 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/node/2304561"><span class="icon">​</span>https://www.drupal.org/node/2304561</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CONTRIB-2014-071 </li><li>Project: <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[1]</a> (third-party module) </li><li>Version: 6.x </li><li>Date: 2014-July-16 </li><li>Security risk: Critical <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Exploitable from: Remote </li><li>Vulnerability: Access bypass </li></ul><hr /> <hr /> <p> The <a class="missing wiki">FileField?</a> module enables you to define and use fields that contain files. </p> <p> The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. </p> <p> This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[3]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li><a class="missing wiki">FileField?</a> 6.x-3.x versions prior to 6.x-3.13. </li></ul><p> Drupal core is not affected. If you do not use the contributed <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[4]</a> module, there is nothing you need to do. </p> <hr /> <hr /> <ul><li>If you use the <a class="missing wiki">FileField?</a> module for Drupal 6.x, upgrade to Filefield </li></ul><p> 6.x-3.13 <a class="missing changeset" title="No default repository defined">[5]</a>, and also update to Drupal core 6.32 <a class="missing changeset" title="No default repository defined">[6]</a> (see SA-CORE-2014-003 <a class="missing changeset" title="No default repository defined">[7]</a>). </p> <hr /> <hr /> <ul><li>Ivan Ch <a class="missing changeset" title="No default repository defined">[8]</a> </li></ul><hr /> <hr /> <ul><li>Nate Haug <a class="missing changeset" title="No default repository defined">[9]</a> </li><li>Ivan Ch <a class="missing changeset" title="No default repository defined">[10]</a> </li><li>David Snopek <a class="missing changeset" title="No default repository defined">[11]</a> of the Drupal Security Team. </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[13]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[14]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[15]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[16]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/filefield"><span class="icon">​</span>https://www.drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="http://drupal.org/security-team/risk-levels"><span class="icon">​</span>http://drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="http://drupal.org/project/filefield"><span class="icon">​</span>http://drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/node/2304517"><span class="icon">​</span>https://www.drupal.org/node/2304517</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.32-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.32-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-003"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-003</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/35821"><span class="icon">​</span>https://www.drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/user/266527"><span class="icon">​</span>https://www.drupal.org/user/266527</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="http://drupal.org/writing-secure-code"><span class="icon">​</span>http://drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="http://drupal.org/security/secure-configuration"><span class="icon">​</span>http://drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> <p> <span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline">_ Security-news mailing list Security-news@… Unsubscribe at <a class="ext-link" href="https://lists.drupal.org/mailman/listinfo/security-news"><span class="icon">​</span>https://lists.drupal.org/mailman/listinfo/security-news</a> </span></p> Results http://localhost:8080/trac/ticket/759#changelog http://localhost:8080/trac/ticket/764 http://localhost:8080/trac/ticket/764 #764: Policy decisions re-assessment on BOA and Drupal security updates Tue, 22 Jul 2014 14:10:38 GMT annesley <p> on-line meeting 5 / August @ 14:00 GMT: we are phasing out the current D6 / BOA system. the new system may not use either. The TN.org website is not attractive to high level hackers or DOS attacks. </p> <p> what are the risks with cancelling all further Unix, BOA and Drupal updates completely that do not allow direct un-mitigated access to the backend via bad PHP code / SQL? </p> Results http://localhost:8080/trac/ticket/764#changelog http://localhost:8080/trac/ticket/789 http://localhost:8080/trac/ticket/789 #789: SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS) Mon, 22 Sep 2014 13:09:48 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/node/2340029"><span class="icon">​</span>https://www.drupal.org/node/2340029</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CONTRIB-2014-088 </li><li>Project: Mollom <a class="missing changeset" title="No default repository defined">[1]</a> (third-party module) </li><li>Version: 6.x, 7.x </li><li>Date: 2014-September-17 </li><li>Security risk: 11/25 ( Moderately Critical) </li></ul><p> AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon <a class="missing changeset" title="No default repository defined">[2]</a> </p> <ul><li>Vulnerability: Cross Site Scripting </li></ul><hr /> <hr /> <p> Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites. </p> <p> Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks. </p> <p> This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for "Flag as Inappropriate" within the Mollom advanced configuration settings (which is not the default setting). </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[3]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li>Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10 </li><li>Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10 </li></ul><p> Drupal core is not affected. If you do not use the contributed Mollom <a class="missing changeset" title="No default repository defined">[4]</a> module, there is nothing you need to do. </p> <hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.11 </li></ul><p> <a class="missing changeset" title="No default repository defined">[5]</a> </p> <ul><li>If you use the Mollom module for Drupal 7.x, upgrade to Mollom 7.x-2.11 </li></ul><p> <a class="missing changeset" title="No default repository defined">[6]</a> </p> <p> Also see the Mollom <a class="missing changeset" title="No default repository defined">[7]</a> project page. </p> <hr /> <hr /> <ul><li>Matt Vance <a class="missing changeset" title="No default repository defined">[8]</a> </li></ul><hr /> <hr /> <ul><li>Lisa Backer <a class="missing changeset" title="No default repository defined">[9]</a> the module maintainer </li><li>Matt Vance <a class="missing changeset" title="No default repository defined">[10]</a> </li></ul><hr /> <hr /> <ul><li>Greg Knaddison <a class="missing changeset" title="No default repository defined">[11]</a> of the Drupal Security Team </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[13]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[14]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[15]</a>. </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/mollom"><span class="icon">​</span>https://www.drupal.org/project/mollom</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="https://www.drupal.org/security-team/risk-levels"><span class="icon">​</span>https://www.drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="https://www.drupal.org/project/mollom"><span class="icon">​</span>https://www.drupal.org/project/mollom</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/node/2338787"><span class="icon">​</span>https://www.drupal.org/node/2338787</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/node/2338789"><span class="icon">​</span>https://www.drupal.org/node/2338789</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/project/mollom"><span class="icon">​</span>https://www.drupal.org/project/mollom</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/user/88338"><span class="icon">​</span>https://www.drupal.org/user/88338</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1951462"><span class="icon">​</span>https://www.drupal.org/user/1951462</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/88338"><span class="icon">​</span>https://www.drupal.org/user/88338</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/user/36762"><span class="icon">​</span>https://www.drupal.org/user/36762</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/security-team"><span class="icon">​</span>https://www.drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/writing-secure-code"><span class="icon">​</span>https://www.drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/security/secure-configuration"><span class="icon">​</span>https://www.drupal.org/security/secure-configuration</a> </p> Results http://localhost:8080/trac/ticket/789#changelog http://localhost:8080/trac/ticket/792 http://localhost:8080/trac/ticket/792 #792: [Security-news] SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS) Mon, 29 Sep 2014 09:28:08 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/node/2344369"><span class="icon">​</span>https://www.drupal.org/node/2344369</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CONTRIB-2014-094 </li><li>Project: Webform Patched <a class="missing changeset" title="No default repository defined">[1]</a> (third-party module) </li><li>Version: 6.x, 7.x </li><li>Date: 2014-September-24 </li><li>Security risk: 13/25 ( Moderately Critical) </li></ul><p> AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default <a class="missing changeset" title="No default repository defined">[2]</a> </p> <ul><li>Vulnerability: Cross Site Scripting </li></ul><hr /> <hr /> <p> The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. </p> <p> The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances. </p> <p> This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content". </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[3]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li>Webform Patched 6.x-3.x versions prior to 6.x-3.20. </li><li>Webform Patched 7.x-3.x versions prior to 7.x-3.20. </li></ul><p> Drupal core is not affected. If you do not use the contributed Webform Patched <a class="missing changeset" title="No default repository defined">[4]</a> module, there is nothing you need to do. </p> <hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use the webform module for Drupal 6.x, upgrade to webform_patched </li></ul><p> 6.x-3.20 <a class="missing changeset" title="No default repository defined">[5]</a> </p> <ul><li>If you use the webform module for Drupal 7.x-3.x, upgrade to </li></ul><p> webform_patched 7.x-3.20 <a class="missing changeset" title="No default repository defined">[6]</a> </p> <p> Also see the Webform Patched <a class="missing changeset" title="No default repository defined">[7]</a> project page. </p> <hr /> <hr /> <ul><li>Maurits Lawende <a class="missing changeset" title="No default repository defined">[8]</a> </li><li>Matt Vance <a class="missing changeset" title="No default repository defined">[9]</a> </li></ul><hr /> <hr /> <ul><li>Nate Haug <a class="missing changeset" title="No default repository defined">[10]</a> the module maintainer </li></ul><hr /> <hr /> <ul><li>Greg Knaddison <a class="missing changeset" title="No default repository defined">[11]</a>, Dan Smith <a class="missing changeset" title="No default repository defined">[12]</a> and Lee Rowlands <a class="missing changeset" title="No default repository defined">[13]</a> of the Drupal </li></ul><p> Security Team </p> <hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[14]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[15]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[16]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[17]</a>. </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/webform_patched"><span class="icon">​</span>https://www.drupal.org/project/webform_patched</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="https://www.drupal.org/security-team/risk-levels"><span class="icon">​</span>https://www.drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="https://www.drupal.org/project/webform_patched"><span class="icon">​</span>https://www.drupal.org/project/webform_patched</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="http://drupal.org/node/2241675"><span class="icon">​</span>http://drupal.org/node/2241675</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="http://drupal.org/node/2241685"><span class="icon">​</span>http://drupal.org/node/2241685</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/project/webform_patched"><span class="icon">​</span>https://www.drupal.org/project/webform_patched</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="http://drupal.org/user/243897"><span class="icon">​</span>http://drupal.org/user/243897</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/10269"><span class="icon">​</span>https://www.drupal.org/user/10269</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="http://drupal.org/user/35821"><span class="icon">​</span>http://drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="http://drupal.org/user/36762"><span class="icon">​</span>http://drupal.org/user/36762</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="http://drupal.org/user/241220"><span class="icon">​</span>http://drupal.org/user/241220</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://drupal.org/user/395439"><span class="icon">​</span>https://drupal.org/user/395439</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/security-team"><span class="icon">​</span>https://www.drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/writing-secure-code"><span class="icon">​</span>https://www.drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/security/secure-configuration"><span class="icon">​</span>https://www.drupal.org/security/secure-configuration</a> </p> Results http://localhost:8080/trac/ticket/792#changelog http://localhost:8080/trac/ticket/804 http://localhost:8080/trac/ticket/804 #804: Investigating the site security following SA-CORE-2014-005 (Drupal 7.32) Mon, 03 Nov 2014 15:20:25 GMT paul <p> It was discovered that TN could have have been compromised from the recent security vulnerability (even though we are running Drupal 6) as the site is using the DBTNG module. However the site doesn't appear to have been compromised. I'll post my findings shortly. </p> Results http://localhost:8080/trac/ticket/804#changelog http://localhost:8080/trac/ticket/808 http://localhost:8080/trac/ticket/808 #808: WordPress email being rejected due to From field Mon, 17 Nov 2014 19:28:23 GMT chris <p> This issues is like <a class="assigned ticket" href="http://localhost:8080/trac/ticket/737" title="maintenance: SPF / Emails rejected from the website contact form (assigned)">ticket:737</a> but with <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> rather than Drupal causing the problem. </p> <p> Laura has forwarded one of the returned emails which contains: </p> <blockquote class="citation"> <p> host aspmx.l.google.com [173.194.67.26]: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 <a class="ext-link" href="http://support.google.com/mail/answer/2451690"><span class="icon">​</span>http://support.google.com/mail/answer/2451690</a> to learn about DMARC </p> </blockquote> Results http://localhost:8080/trac/ticket/808#changelog http://localhost:8080/trac/ticket/809 http://localhost:8080/trac/ticket/809 #809: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006 Wed, 19 Nov 2014 21:35:25 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-006"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-006</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CORE-2014-006 </li><li>Project: Drupal core <a class="missing changeset" title="No default repository defined">[1]</a> </li><li>Version: 6.x, 7.x </li><li>Date: 2014-November-19 </li><li>Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Vulnerability: Multiple vulnerabilities </li></ul><hr /> <hr /> <p> .... Session hijacking (Drupal 6 and 7) </p> <p> A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. </p> <p> This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" <a class="missing changeset" title="No default repository defined">[3]</a>), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7. </p> <p> .... Denial of service (Drupal 7 only) </p> <p> Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. </p> <p> A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). </p> <p> This vulnerability can be exploited by anonymous users. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[4]</a> will be requested, and added upon issuance, in accordance </li></ul><blockquote> <blockquote> <p> with Drupal Security Team processes./ </p> </blockquote> </blockquote> <hr /> <hr /> <ul><li>Drupal core 6.x versions prior to 6.34. </li><li>Drupal core 7.x versions prior to 7.34. </li></ul><hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use Drupal 6.x, upgrade to Drupal core 6.34. <a class="missing changeset" title="No default repository defined">[5]</a> </li><li>If you use Drupal 7.x, upgrade to Drupal core 7.34. <a class="missing changeset" title="No default repository defined">[6]</a> </li></ul><p> If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 <a class="missing changeset" title="No default repository defined">[7]</a> </p> <p> Also see the Drupal core <a class="missing changeset" title="No default repository defined">[8]</a> project page. </p> <hr /> <hr /> <p> Session hijacking: </p> <ul><li>Aaron Averill <a class="missing changeset" title="No default repository defined">[9]</a> </li></ul><p> Denial of service: </p> <ul><li>Michael Cullum <a class="missing changeset" title="No default repository defined">[10]</a> </li><li>Javier Nieto <a class="missing changeset" title="No default repository defined">[11]</a> </li><li>Andrés Rojas Guerrero <a class="missing changeset" title="No default repository defined">[12]</a> </li></ul><hr /> <hr /> <p> Session hijacking: </p> <ul><li>Klaus Purer <a class="missing changeset" title="No default repository defined">[13]</a> of the Drupal Security Team </li><li>David Rothstein <a class="missing changeset" title="No default repository defined">[14]</a> of the Drupal Security Team </li><li>Peter Wolanin <a class="missing changeset" title="No default repository defined">[15]</a> of the Drupal Security Team </li></ul><p> Denial of service: </p> <ul><li>Klaus Purer <a class="missing changeset" title="No default repository defined">[16]</a> of the Drupal Security Team </li><li>Peter Wolanin <a class="missing changeset" title="No default repository defined">[17]</a> of the Drupal Security Team </li><li>Heine Deelstra <a class="missing changeset" title="No default repository defined">[18]</a> of the Drupal Security Team </li><li>Tom Phethean <a class="missing changeset" title="No default repository defined">[19]</a> </li></ul><hr /> <hr /> <ul><li>The Drupal Security Team </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[20]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[21]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[22]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[23]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[24]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/drupal"><span class="icon">​</span>https://www.drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="https://www.drupal.org/security-team/risk-levels"><span class="icon">​</span>https://www.drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="https://www.drupal.org/https-information"><span class="icon">​</span>https://www.drupal.org/https-information</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.34-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.34-release-notes</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-7.34-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-7.34-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/node/2378367"><span class="icon">​</span>https://www.drupal.org/node/2378367</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/project/drupal"><span class="icon">​</span>https://www.drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1317732"><span class="icon">​</span>https://www.drupal.org/user/1317732</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/u/MichaelCu"><span class="icon">​</span>https://www.drupal.org/u/MichaelCu</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/u/jnietotn"><span class="icon">​</span>https://www.drupal.org/u/jnietotn</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/u/c0r3dump3d"><span class="icon">​</span>https://www.drupal.org/u/c0r3dump3d</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/u/klausi"><span class="icon">​</span>https://www.drupal.org/u/klausi</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/u/David_Rothstein"><span class="icon">​</span>https://www.drupal.org/u/David_Rothstein</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/u/pwolanin"><span class="icon">​</span>https://www.drupal.org/u/pwolanin</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/u/klausi"><span class="icon">​</span>https://www.drupal.org/u/klausi</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/u/pwolanin"><span class="icon">​</span>https://www.drupal.org/u/pwolanin</a> <a class="missing changeset" title="No default repository defined">[18]</a> <a class="ext-link" href="https://www.drupal.org/u/Heine"><span class="icon">​</span>https://www.drupal.org/u/Heine</a> <a class="missing changeset" title="No default repository defined">[19]</a> <a class="ext-link" href="https://www.drupal.org/u/tsphethean"><span class="icon">​</span>https://www.drupal.org/u/tsphethean</a> <a class="missing changeset" title="No default repository defined">[20]</a> <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[21]</a> <a class="ext-link" href="https://www.drupal.org/security-team"><span class="icon">​</span>https://www.drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[22]</a> <a class="ext-link" href="https://www.drupal.org/writing-secure-code"><span class="icon">​</span>https://www.drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[23]</a> <a class="ext-link" href="https://www.drupal.org/security/secure-configuration"><span class="icon">​</span>https://www.drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[24]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> Results http://localhost:8080/trac/ticket/809#changelog http://localhost:8080/trac/ticket/819 http://localhost:8080/trac/ticket/819 #819: Trac anti-spam measures Fri, 19 Dec 2014 10:28:01 GMT chris <p> Today we had our first item of Trac spam, <a class="new ticket" href="http://localhost:8080/trac/ticket/818" title="defect: For watch lovers. superwatches (new)">ticket:818</a>, since the open email interface was enabled almost 2 years ago on <a class="closed ticket" href="http://localhost:8080/trac/ticket/494" title="maintenance: Email account for TRAC (closed: fixed)">ticket:494</a>. </p> <p> This ticket has been created to investigate and implement some anti-spam measures. </p> Results http://localhost:8080/trac/ticket/819#changelog http://localhost:8080/trac/ticket/847 http://localhost:8080/trac/ticket/847 #847: Upgrade Servers to Debian Jessie Mon, 27 Apr 2015 09:30:11 GMT chris <p> The latest version of <a class="ext-link" href="https://www.debian.org/News/2015/20150426"><span class="icon">​</span>Debian, Jessie, 8.0</a>, came out over the weekend, we should consider upgrading the three servers, <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a>, <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">PenguinServer</a> and <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> and what issues would arrise when we do. </p> <p> See the documentation on <a class="ext-link" href="https://www.debian.org/releases/jessie/amd64/release-notes/ch-upgrading.en.html"><span class="icon">​</span>Upgrades from Debian 7 (wheezy)</a> and <a class="ext-link" href="https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html"><span class="icon">​</span>Issues to be aware of for jessie</a>, specifically: </p> <ul><li><a class="ext-link" href="https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8"><span class="icon">​</span>Lack of security support for the ecosystem around libv8 and Node.js</a> </li><li><a class="ext-link" href="https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#apache-httpd-incomat"><span class="icon">​</span>Incompatible changes in Apache HTTPD 2.4</a> </li><li><a class="ext-link" href="https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#php-incompat"><span class="icon">​</span>PHP 5.6 upgrade has behavioral changes</a> </li></ul> Results http://localhost:8080/trac/ticket/847#changelog http://localhost:8080/trac/ticket/851 http://localhost:8080/trac/ticket/851 #851: Bot attacks on Transition Culture Sun, 10 May 2015 11:12:12 GMT chris <p> Yesterday there was a load spike on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> caused by a bot doing thousands of POSTs to <tt>xmlrpc.php</tt>. </p> Results http://localhost:8080/trac/ticket/851#changelog http://localhost:8080/trac/ticket/871 http://localhost:8080/trac/ticket/871 #871: Brute Force Attacks Against WordPress Sites Mon, 21 Sep 2015 13:41:26 GMT chris <p> Today there have been 53,932 attempts to login to the <a class="ext-link" href="http://www.transitiontowntotnes.org/"><span class="icon">​</span>TTT web site</a> on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> all from the same IP address: </p> <pre class="wiki">grep POST /home/ttt/logs/access.log | grep wp-login.php | grep 217.174.240.254 | wc -l 53932 </pre><p> I noticed this due the higher than usual load it was generating. </p> <p> Would it be OK to spend an hour or two installing the <a class="ext-link" href="https://wordpress.org/plugins/wp-fail2ban/"><span class="icon">​</span>WP fail2ban</a> plugin on all the sites on the server? </p> <p> Some more background on this issue: </p> <ul><li><a class="ext-link" href="https://docs.webarch.net/wiki/WordPress#Brute_Force_Attacks"><span class="icon">​</span>https://docs.webarch.net/wiki/WordPress#Brute_Force_Attacks</a> </li></ul> Results http://localhost:8080/trac/ticket/871#changelog http://localhost:8080/trac/ticket/873 http://localhost:8080/trac/ticket/873 #873: New Wordpress site please Tue, 22 Sep 2015 12:25:12 GMT sam <p> Hi Chris </p> <p> I couldn't ssh into parrot for some reason, I think you said you created me a 'sam' user on there but I can't get in. </p> <p> So could you set up a new Wordpress site on there. </p> <p> wpdev.tn.org or similar, it's only going to be for testing some stuff so URL doesn't really matter. </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/873#changelog http://localhost:8080/trac/ticket/875 http://localhost:8080/trac/ticket/875 #875: Free HTTPS certificates from Let's Encrypt Mon, 05 Oct 2015 10:48:11 GMT chris <p> From mid November 2015 <a class="ext-link" href="https://www.letsencrypt.org/"><span class="icon">​</span>Let's Encrypt</a> should be live, providing free SSL/TLS certificates. Currently the TN pays for a Gandi wild card cert, costing £130.50 a year, in addition most the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> sites on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> don't have certs due to the cost, see <a class="new ticket" href="http://localhost:8080/trac/ticket/540" title="maintenance: HTTPS for WordPress sites (new)">ticket:540</a>. </p> <p> The <a class="ext-link" href="https://github.com/letsencrypt/letsencrypt"><span class="icon">​</span>Let's Encrypt code</a> is designed to be set up to run automatically -- certs are only valid for 90 days and the automatic renewal process runs when the cert is 60 days old. </p> <p> We should consider if we want to use <a class="ext-link" href="https://www.letsencrypt.org/"><span class="icon">​</span>Let's Encrypt</a> and what things would need to be put in place to use it, the wild card cert is due to expire on 22/01/16. </p> <ol><li><a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a> -- are we still going to be running <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a> in January 2016? Is there any chance that we might be able to consider the suggestions in <a class="closed ticket" href="http://localhost:8080/trac/ticket/754#comment:61" title="maintenance: Can we upgrade from PHP 5.3? (closed: wontfix)">ticket:754#comment:61</a>? I'm not sure if I want to spend time trying to get Let's Encrypt working with <a class="closed ticket" href="http://localhost:8080/trac/ticket/872" title="defect: BOA 2.4.6 (closed: wontfix)">a old version of BOA</a>, up to date versions of BOA might <a class="ext-link" href="https://github.com/omega8cc/boa/issues/500"><span class="icon">​</span>support it out of the box</a>. </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">PenguinServer</a> -- this site hosts a lot of sites, see <a class="ext-link" href="https://penguin.transitionnetwork.org/"><span class="icon">​</span>the listing</a>, automating Let's Encrypt would probably be a hour or two of work, it might makes sense to upgrade it to Debian Jessie at the same time. </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> -- I suggest we rebuild this server from scratch, this would enable it to have the latest version of the <a class="ext-link" href="https://docs.webarch.net/wiki/Webarch_Secure_Hosting"><span class="icon">​</span>Webarch Secure Hosting scripts</a> and this include support for fail2ban for <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> and phpMyAdmin, thus solving <a class="new ticket" href="http://localhost:8080/trac/ticket/871" title="maintenance: Brute Force Attacks Against WordPress Sites (new)">ticket:871</a> and includes automatic provisioning of Let's Encrypt certs for sites. </li></ol><p> What do people think? </p> Results http://localhost:8080/trac/ticket/875#changelog http://localhost:8080/trac/ticket/879 http://localhost:8080/trac/ticket/879 #879: MediaWiki 1.23.11 Fri, 16 Oct 2015 08:42:45 GMT chris <p> Email on <a class="ext-link" href="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000180.html"><span class="icon">​</span>the announcements list</a>: </p> <pre class="wiki">Tomorrow we will be issuing a security release to all supported branches of MediaWiki. The new releases will be: 1.25.3 1.24.4 1.23.11 Fixes will be available in these respective release branches, the unreleased 1.26.x branch, and master. Tarballs will be available for the above mentioned point releases as well. This security release will encompass core only, no bundled extensions are affected. </pre> Results http://localhost:8080/trac/ticket/879#changelog http://localhost:8080/trac/ticket/881 http://localhost:8080/trac/ticket/881 #881: Site on ParrotServer with a memory leak? Fri, 23 Oct 2015 11:19:04 GMT chris <p> It appears a site, or application, on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> might have a memory leak. </p> <p> <a style="padding:0; border:none" href="http://localhost:8080/trac/attachment/ticket/881/parrot-memory-pinpoint-1411038915-1445598915.png"><img src="http://localhost:8080/trac/raw-attachment/ticket/881/parrot-memory-pinpoint-1411038915-1445598915.png" /></a> </p> Results http://localhost:8080/trac/ticket/881#changelog http://localhost:8080/trac/ticket/884 http://localhost:8080/trac/ticket/884 #884: RE: http://news.transitionnetwork.org Thu, 03 Dec 2015 12:40:03 GMT paul <pre class="wiki">Hi Chris, All Can you help me to reset my password for paulbooker for news.transitionnetwork.org? I just tried to use the reset password form but I never received an email and when I Iooked at the settings,php file for the website (generated by Aegir) I couldn't see immediately where to find the database. I think I may have missed some recent updates to news.transitionnetwork.org so urgently need to resolve this today. Not sure how this has fallen of my radar, but, I just noticed that news.transitionnetwork.org is no longer mentioned on the platform page on Aegir so may have got into thinking that this site no longer exists. http://news.transitionnetwork.org https://tn.puffin.webarch.net/hosting/platforms -- Paul Booker Drupal Support for Websites and Linux Servers Website: http://www.paulbooker.co.uk Tel: +44 01922 861636 </pre> Results http://localhost:8080/trac/ticket/884#changelog http://localhost:8080/trac/ticket/894 http://localhost:8080/trac/ticket/894 #894: Brute Force Attacks Against WordPress XMLRPC Thu, 07 Jan 2016 11:23:51 GMT chris <p> For a few months I have see a lot of requests going to <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> <tt>/xmlrpc.php</tt> and wasn't sure why, now it is clear: </p> <blockquote class="citation"> <p> Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request. </p> <p> <a class="ext-link" href="https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html"><span class="icon">​</span>https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html</a> </p> </blockquote> <p> I'd like to install <a class="ext-link" href="https://wordpress.org/plugins/stop-xmlrpc-attack/"><span class="icon">​</span>Stop XML-RPC Attack</a> on all the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> site we host, unless anyone has a good reason not to. This plugin simply whitelists the JetPack/Automattic's subnets and blocks all other access to <tt>/xmlrpc.php</tt>. </p> <p> I started tracking the abuse a while ago and you can see it and manually address it on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> like this: </p> <pre class="wiki">sudo -i wp-xmlrpc-abuse IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log: 2 46.148.XX.XX 733 195.62.53.243 177 195.62.53.243 2 66.76.XX.XX dig -x 195.62.53.243 +short 53-243.static.spheral.ru. ipdrop 195.62.53.243 </pre><p> But we need to be more pro-active in blocking access or we are going to probably see some compromised sites. </p> Results http://localhost:8080/trac/ticket/894#changelog http://localhost:8080/trac/ticket/897 http://localhost:8080/trac/ticket/897 #897: Hosting information/requirements for 2016 Tue, 19 Jan 2016 10:14:57 GMT chris <p> This is a ticket to track the time spent on an email thread with Ade. </p> Results http://localhost:8080/trac/ticket/897#changelog http://localhost:8080/trac/ticket/898 http://localhost:8080/trac/ticket/898 #898: Fwd: Access to Drupal Tue, 26 Jan 2016 17:35:05 GMT ade <pre class="wiki">Hi Chris, The web team at the development agency are requesting access to the webserver so that they can look at the sites make up. (Please see below) Would you please set up an account so that they can get root read access? I guess this would be done via FTP, but your thoughts greatly appreciated. best regards Ade ---------- Forwarded message ---------- From: Ainslie Beattie &lt;ainsliebeattie@transitionnetwork.org&gt; Date: 26 January 2016 at 17:25 Subject: Fwd: Access to Drupal To: Sam Rossiter &lt;samrossiter@transitionnetwork.org&gt;, Ade Stuart &lt; adestuart@transitionnetwork.org&gt;, Yvonne Struthers &lt;yvonne@thisisyoke.com&gt; Hey both, can you please action this urgently so that Yoke can have access. Cheers ---------- Forwarded message ---------- From: "Yvonne Struthers" &lt;yvonne@thisisyoke.com&gt; Date: 26 Jan 2016 10:58 Subject: Access to Drupal To: &lt;ainsliebeattie@transitionnetwork.org&gt; Cc: Hi Ainslie, Just a quick email as I'm out seeing a client today,but just to say,it looks like you have only given us access to the database. What we need please is admin access to the Drupal site and to the code base so that we can get a sense of how it's all set up. Thanks in advance! Yvonne Sent from my iPhone -- Ade Stuart Web Manager - Transition network 07595 331877 The Transition Network is a registered charity address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK website: www.transitionnetwork.org TN company no: 6135675 TN charity no: 1128675 </pre> Results http://localhost:8080/trac/ticket/898#changelog http://localhost:8080/trac/ticket/901 http://localhost:8080/trac/ticket/901 #901: Enable SSH access to PuffinServer for Ade Wed, 03 Feb 2016 13:25:27 GMT chris <p> This is a ticket to track the time spent sorting out SSH access for Ade to <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a>. </p> Results http://localhost:8080/trac/ticket/901#changelog http://localhost:8080/trac/ticket/903 http://localhost:8080/trac/ticket/903 #903: Large load spike on PuffinServer Mon, 08 Feb 2016 08:46:37 GMT chris <p> There was a large load spike this morning on <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a>, which appears to have been caused by 12k requests for pages (Nginx doesn't log requests for anything other than PHP generated pages) from one IP address, this IP address has been blocked and I'll post some details below. </p> Results http://localhost:8080/trac/ticket/903#changelog http://localhost:8080/trac/ticket/904 http://localhost:8080/trac/ticket/904 #904: Issues to consider in the migration from Drupal to WordPress Fri, 19 Feb 2016 10:41:04 GMT chris <p> A few weeks ago Ade said he though it would be worth me opening a ticket to use to flag up some issues to be considered in the migration of the <a class="ext-link" href="https://www.transitionnetwork.org.uk/"><span class="icon">​</span>Transition Network site</a> from Drupal 6 to <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a>. </p> Results http://localhost:8080/trac/ticket/904#changelog http://localhost:8080/trac/ticket/907 http://localhost:8080/trac/ticket/907 #907: TN Drupal database size Wed, 02 Mar 2016 10:20:10 GMT chris <p> 6 weeks ago the datadase dump was 447M, see <a class="ext-link" href="http://trac.edgewall.org/intertrac/ticket/896%23comment%3A3" title="ticket/896#comment:3 in Trac project trac"><span class="icon">​</span>trac:ticket/896#comment:3</a> but now it is 1.8G: </p> <pre class="wiki">ls -lah /var/backups/mysql/sqldump/transitionnetw_0.sql -rw------- 1 root root 1.8G Mar 2 01:23 /var/backups/mysql/sqldump/transitionnetw_0.sql </pre><p> Anyone have any idea what happened to cause this? Are we keeping too many log entries? </p> Results http://localhost:8080/trac/ticket/907#changelog http://localhost:8080/trac/ticket/916 http://localhost:8080/trac/ticket/916 #916: SSH to parrot please Wed, 13 Jul 2016 11:01:58 GMT sam <p> Hi Chris could you set up a SSH account on parrot please </p> <p> Kevin support@… </p> <p> Public SSH key attached. </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/916#changelog http://localhost:8080/trac/ticket/919 http://localhost:8080/trac/ticket/919 #919: Site offline Thu, 14 Jul 2016 18:17:26 GMT chris <p> The <a class="ext-link" href="https://www.transitionnetwork.org/"><span class="icon">​</span>https://www.transitionnetwork.org/</a> site has been "off-line" since about 7pm, I see that Paul is logged on via <tt>ssh</tt> -- is this something that we should worry about or is this intentional? </p> Results http://localhost:8080/trac/ticket/919#changelog http://localhost:8080/trac/ticket/716 http://localhost:8080/trac/ticket/716 #716: Heartbleed Wed, 09 Apr 2014 08:53:58 GMT chris <p> Following on from <a class="new ticket" href="http://localhost:8080/trac/ticket/692#comment:18" title="maintenance: Debian Updates (new)">ticket:692#comment:18</a> we should undertake the steps Drupal have taken: <a class="ext-link" href="https://drupal.org/news/2014-04-08-security-update"><span class="icon">​</span>https://drupal.org/news/2014-04-08-security-update</a> </p> Results http://localhost:8080/trac/ticket/716#changelog http://localhost:8080/trac/ticket/812 http://localhost:8080/trac/ticket/812 #812: space.transitionnetwork.org hacked? Thu, 27 Nov 2014 11:09:32 GMT chris <p> BOA email from <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a>: </p> <pre class="wiki">Hello, Our system detected that the site space.transitionnetwork.org has been hacked! Common signatures of an attack which triggered this alert: You are required to change your password immediately (password aged) su: Authentication token is no longer valid; new one required (Ignored) Site tested positive for known Drupalgeddon exploit checks [error] Update module is disabled and Drupalgeddon cannot check for Drupal [error] Security Updates. Please check for a security update manually. You are running Drupal 7.31 https://www.drupal.org/node/3060/release?api_version%5B%5D=103 The platform root directory for this site is: /data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1 The system hostname is: puffin.webarch.net To learn more on what happened, how it was possible and how to survive #Drupageddon, please read: https://omega8.cc/drupageddon-psa-2014-003-342 -- This e-mail has been sent by your Aegir system monitor. </pre> Results http://localhost:8080/trac/ticket/812#changelog http://localhost:8080/trac/ticket/821 http://localhost:8080/trac/ticket/821 #821: Projects forms being hammered by Spam Wed, 07 Jan 2015 09:53:33 GMT ed <p> Projects forms being hammered by spammers. I got 24 in the last 45 minutes. </p> <blockquote> <p> What to do? </p> </blockquote> <ol><li>Lock off to a certain type of user? </li><li> </li></ol><p> ? </p> <p> Adding Sam as owner to follow this up </p> Results http://localhost:8080/trac/ticket/821#changelog http://localhost:8080/trac/ticket/790 http://localhost:8080/trac/ticket/790 #790: Annesley locked out of puffin Tue, 23 Sep 2014 14:05:18 GMT chris <p> Email from lfd: </p> <pre class="wiki">Time: Tue Sep 23 13:47:01 2014 +0100 IP: XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu) Failures: 5 (sshd) Interval: 300 seconds Blocked: Permanent Block Log entries: Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=tn.ftp Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2 Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2 Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=anewholm Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2 </pre> Results http://localhost:8080/trac/ticket/790#changelog http://localhost:8080/trac/ticket/905 http://localhost:8080/trac/ticket/905 #905: TN site down due to redis not running Thu, 25 Feb 2016 10:28:40 GMT chris <p> I'm working on this... </p> Results http://localhost:8080/trac/ticket/905#changelog