http://localhost:8080/trac/query?status=!closed&cc=~ed&desc=1&order=status Support and issues tracking for the Transition Network Web Project. en-US /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/query?status=!closed&cc=~ed&desc=1&order=status Trac 0.12.5 http://localhost:8080/trac/ticket/598 http://localhost:8080/trac/ticket/598 Fri, 20 Sep 2013 12:16:56 GMT chris <p> Request from Shane: </p> <blockquote class="citation"> <p> I've noticed that the domain www.reconomyproject.org is still live and running. i.e. can surf around it. I think you set it up so that it would auto redirect to reconomy.org - not 100% sure about the technical spec behind how you did this but is it still working? I noticed this because a lot of the referrals on to our fb page our coming from reconomyproject.org rather than reconomy.org </p> </blockquote> Results http://localhost:8080/trac/ticket/598#changelog http://localhost:8080/trac/ticket/712 http://localhost:8080/trac/ticket/712 Tue, 01 Apr 2014 15:03:53 GMT sam <p> Hi Paul </p> <p> I have been trying to build a staging site using your Github repository with the changes you made for ticket : <a class="ext-link" href="https://trac.transitionnetwork.org/trac/ticket/693"><span class="icon">​</span>https://trac.transitionnetwork.org/trac/ticket/693</a> </p> <p> I have edited the D6 s008 platform: <a class="ext-link" href="https://tn.puffin.webarch.net/node/1157/edit"><span class="icon">​</span>https://tn.puffin.webarch.net/node/1157/edit</a> to use your makefile. </p> <p> It builds a site, but I just get an empty pressflow site at the end. </p> <p> Could you build a staging site using your makefile? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/712#changelog http://localhost:8080/trac/ticket/802 http://localhost:8080/trac/ticket/802 Thu, 23 Oct 2014 10:20:29 GMT sam <p> User reported: "I'm trying to register our fledgling initiative based in Dovje-Mojstrana, Slovenia. When I select the country, the <a class="missing wiki">Province/State?</a> box automatically comes up as not listed. But then when I press preview to be ready to send, it says "The specified province was not found in the specified country." So I can't submit the form :-( Please help! I think we will be the first official Transition town in Slovenia!" </p> <p> I had a go at creating the initiative in a different country, then editing it to Slovenia as a workaround, but that didn't work either: <a class="ext-link" href="https://www.transitionnetwork.org/node/37435/edit"><span class="icon">​</span>https://www.transitionnetwork.org/node/37435/edit</a> </p> <p> Any idea's as to why it won't accept 'not listed' as a valid choice? Or what we can do about it? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/802#changelog http://localhost:8080/trac/ticket/384 http://localhost:8080/trac/ticket/384 Tue, 20 Dec 2011 23:25:32 GMT ed <p> Laura to re-design IA and interface for admin and public profiles for project profile CT and directory. </p> <p> Considered as part of PSE Project, hence design in Jan, build in Feb 2012 </p> Results http://localhost:8080/trac/ticket/384#changelog http://localhost:8080/trac/ticket/458 http://localhost:8080/trac/ticket/458 Thu, 08 Nov 2012 18:17:09 GMT laura <p> 2 – Project Profile individual page display </p> <ul><li>Panels to re-arrange layout. </li><li>Summary on left upper brick, findability on right upper brick with map under (will be a case of working on mockups via LW’s virtual machine, map may need to go further down, but a listing of town, country still to appear in top part). Description to become an expanding box and other data underneath - full width. </li><li>Tidy up image display to be more attractive for users. Enable ‘contact’ button for project contact to be more visible. </li><li>Panels, views, and CSS theming for frontend enhanced display. </li></ul> Results http://localhost:8080/trac/ticket/458#changelog http://localhost:8080/trac/ticket/459 http://localhost:8080/trac/ticket/459 Thu, 08 Nov 2012 18:19:53 GMT laura <p> <strong>3 - Projects Directory (frontend of website)</strong> Create new tabbed views for a variety of outputs. New views result listings to be mainly in display format of: </p> <ul><li>Title (heading) </li><li><a class="missing wiki">City/Country?</a> (bold, slightly larger and possible on right) </li><li>New summary field and ‘read more about this project’ link </li></ul><p> <em>Similar to the ‘full’ PSE widget output list (except not showing distance but town or city and Country)</em> </p> <p> <strong>Tabs:</strong> <strong>Tab One</strong> (default) Projects Home – Introduction short paragraph text and link to adding projects. Lists featured projects Pagination </p> <p> <strong>Tab Two</strong> Find by theme – Introduction brief sentence. Search functionality (exposed view filter) for selection of projects by theme. Default view: random pagination </p> <p> <strong>Tab Three</strong> Find by location - Introduction brief sentence. Search functionality (exposed view filter) for selection of projects by location to use Names rather than miles. Default view: random or London? <em>(note: LW will test ideas on this)</em> pagination </p> <p> <strong>Tab Four</strong> Find by benefits – <em><strong> note this may need to be set up ready but hidden initially until a substantial number of projects have updated their profiles with inclusion of the benefits/outcomes field </strong></em> Introduction brief sentence. Search functionality (exposed view filter) for selection of projects by outcome/benefits Default view: all by date added. pagination </p> <p> <strong>Tab five</strong> [Similar to existing projects home page] Find by title with exposed search as is present. and tabular layout with a-z Custom CSS may be needed </p> <hr /> <p> <strong>Longer term:</strong> (possible January?) Enhance projects map page to show attached view of latest projects with relational popups on hover for easy browsing, and / or map filters by theme or benefit to enable a more usable feature of the map ability. </p> Results http://localhost:8080/trac/ticket/459#changelog http://localhost:8080/trac/ticket/519 http://localhost:8080/trac/ticket/519 Fri, 15 Mar 2013 13:47:21 GMT chris <p> This page: </p> <ul><li><a class="ext-link" href="http://transitionnetwork.org/support/what-transition-initiative"><span class="icon">​</span>http://transitionnetwork.org/support/what-transition-initiative</a> </li></ul><p> Contains this HTML: </p> <pre class="wiki">&lt;p&gt;&lt;img alt="TransitionSantaCruz" src="http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png" align="right" height="69" width="150"&gt;&lt;/p&gt; </pre><p> The image is a 404: </p> <ul><li><a class="ext-link" href="http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png"><span class="icon">​</span>http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png</a> </li></ul><p> The correct location for the image is: </p> <ul><li><a class="ext-link" href="http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png"><span class="icon">​</span>http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png</a> </li></ul><p> Looking at the Internet Archive this was correct back in October 2012, </p> <ul><li><a class="ext-link" href="http://web.archive.org/web/20121022030350/http://www.transitionnetwork.org/support/what-transition-initiative"><span class="icon">​</span>http://web.archive.org/web/20121022030350/http://www.transitionnetwork.org/support/what-transition-initiative</a> </li></ul><p> Their munged HTML contains the correct URL: </p> <pre class="wiki">&lt;p&gt;&lt;a href="/web/20121022030350/http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png" class="colorbox initColorbox-processed cboxElement"&gt; </pre><p> It appears to me that an edit must have been done on the database something like: </p> <pre class="wiki">s;/sites/default/files/;/sites/www.transitionnetwork.org/files/; </pre><p> There might well be other URLs to other Drupal sites that were changed when they shouldn't have been? </p> <p> I have had a quick look at the database dump and couldn't find any examples of this problem, but there are 113 lines to check: </p> <pre class="wiki">grep "sites/www.transitionnetwork.org/files" /var/backups/mysql/sqldump/transitionnetwor.sql | wc -l 113 </pre><p> I did notice that there are a lot of URLs in the database like this: </p> <pre class="wiki">src=\"http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u5857/Map-TransitionNetworkOffice.jpg\" </pre><p> And </p> <pre class="wiki">src=\"https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u4/transition%20companion%20cover.jpg\" </pre><p> Both the above links would be better starting with <tt>/</tt> or <tt>//www.transitionnetwork.org/</tt> as this would avoid people getting HTTPS content when using HTTP and also getting HTTP content when using HTTPS. </p> <p> I think it would be worth putting the site into maintenance mode, doing a dump of the database, checking these 113 lines for issues like those above, correcting them all and then reinserting the data, however this would need to be done at a suitable time. </p> <p> I'd be happy to do this task. Ed, Jim, any thoughts about when would be a good time to do it? </p> Results http://localhost:8080/trac/ticket/519#changelog http://localhost:8080/trac/ticket/520 http://localhost:8080/trac/ticket/520 Fri, 15 Mar 2013 23:16:49 GMT chris <p> There is this warning displaying at <a class="ext-link" href="https://www.transitionnetwork.org/admin/reports/status"><span class="icon">​</span>https://www.transitionnetwork.org/admin/reports/status</a> </p> <pre class="wiki">Settings.php is not setup correctly. With the current configuration of 443 Session module, the following lines must be in settings.php. if (!empty($_SERVER['HTTPS']) &amp;&amp; $_SERVER['HTTPS'] != 'off') { ini_set('session.cookie_secure', 1); } </pre><p> Based on the check of what is happening with cookies done on <a class="closed ticket" href="http://localhost:8080/trac/ticket/371#comment:34" title="maintenance: Piwik Hosting (closed: fixed)">ticket:371#comment:34</a> and <a class="closed ticket" href="http://localhost:8080/trac/ticket/371#comment:36" title="maintenance: Piwik Hosting (closed: fixed)">ticket:371#comment:36</a> things are currently working OK, session cookies do have the secure flag set, so I'm a bit confused by this warning message. I also think that the PHP suggested to add to settings.php looks perfectly sensible and should be included, I'm sure we did have it on the old server, however there are 33 settings.php files on <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">wiki:PuffinServer</a> and I'm not clear which one the live site uses. </p> Results http://localhost:8080/trac/ticket/520#changelog http://localhost:8080/trac/ticket/521 http://localhost:8080/trac/ticket/521 Sat, 16 Mar 2013 09:46:57 GMT chris <p> I don't know if these matter? </p> <p> I found them when hunting for 502 errors. </p> <pre class="wiki">grep "Unsafe statement written to the binary log" /var/log/daemon.log | wc -l 343 </pre><p> Some examples: </p> <pre class="wiki">Mar 16 09:28:20 puffin mysqld: 130316 9:28:20 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave. Statement: DELETE FROM notifications_event WHERE created &lt; 1363426040 AND eid &lt; (SELECT MIN(eid) FROM notifications_queue) </pre><pre class="wiki">Mar 16 05:52:12 puffin mysqld: 130316 5:52:12 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave. Statement: INSERT INTO notifications_queue (uid, mdid, send_method, sid, module, eid, send_interval, language, cron, created, conditions) SELECT DISTINCT s.uid, s.mdid, s.send_method, s.sid, s.module, 61233, s.send_interval, s.language, s.cron, 1363413132, s.conditions FROM notifications s LEFT JOIN notifications_fields f ON s.sid = f.sid WHERE (s.status = 1) AND (s.event_type = 'node') AND (s.send_interval &gt;= 0) AND ((f.field = 'nid' AND f.intval = 30718) OR (f.field = 'type' AND f.value = 'profile') OR (f.field = 'author' AND f.intval = 16908)) GROUP BY s.uid, s.mdid, s.send_method, s.sid, s.module, s.send_interval, s. </pre> Results http://localhost:8080/trac/ticket/521#changelog http://localhost:8080/trac/ticket/523 http://localhost:8080/trac/ticket/523 Tue, 19 Mar 2013 11:33:38 GMT ed <p> Following on from comment 4 of ticket 516 (<a class="ext-link" href="https://tech.transitionnetwork.org/trac/ticket/516#comment:4"><span class="icon">​</span>https://tech.transitionnetwork.org/trac/ticket/516#comment:4</a>) , I wanted to check the integrity of the field tables, so I crafted and ran this query: </p> <p> SELECT count(cck.nid) FROM <tt>content_field_region</tt> cck LEFT JOIN node node on cck.nid = node.nid WHERE node.nid IS NULL </p> <p> Which returned 1,173 rows. I then replaced the 'content_field_region' with other fields found on the user profile nodes (which have their own database table) so the full breakdown is: </p> <blockquote> <p> content_field_region = 1173 content_field_initiative = 1165 content_field_themes = 6256 content_field_training_attended = 1165 content_field_roles_offered = 1285 content_field_other_websites = 1181 content_field_user_types = 1165 </p> </blockquote> <p> So what this means is there are around 1200 entries in field database storage for the above tables that do not have an associated node. This means the data is not properly referentially integral, and ideally these should be cleaned up one day. </p> <p> The risk is low but it's worth doing a the rest of the audit (with the other fields that have tables of their own) and then cleaning these up at some point. These will have been caused by manual deletes and imports over the years. Drupal would normally keep these sorted but we've had to bypass Drupal a few times. </p> <p> Or we can leave it as is and let the migration to Drupal 8 resolve this. The cost is a bit more database space and a slightly slower site... Though this *may* cause a bug or two. </p> Results http://localhost:8080/trac/ticket/523#changelog http://localhost:8080/trac/ticket/537 http://localhost:8080/trac/ticket/537 Tue, 30 Apr 2013 11:11:36 GMT chris <p> Things done setting up parrot.webarch.net -- a new virtual machine for running Wordpress sites, see <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">wiki:ParrotServer</a> </p> Results http://localhost:8080/trac/ticket/537#changelog http://localhost:8080/trac/ticket/540 http://localhost:8080/trac/ticket/540 Wed, 01 May 2013 20:20:32 GMT chris <p> Currently the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">wiki:WordPress</a> sites have have the following SSL certificates: </p> <ul><li><a class="ext-link" href="https://www.intransitionmovie.com/"><span class="icon">​</span>https://www.intransitionmovie.com/</a> -- Gandi commercial certificate and dedicated IP address </li><li><a class="ext-link" href="https://www.reconomy.org/"><span class="icon">​</span>https://www.reconomy.org/</a> -- CAcert non-commercial certificate and shared IP address (SNI) </li><li><a class="ext-link" href="https://www.earthinheritors.net/"><span class="icon">​</span>https://www.earthinheritors.net/</a> -- CAcert non-commercial certificate and shared IP address (SNI) </li><li><a class="ext-link" href="https://parrot.transitionnetwork.org/"><span class="icon">​</span>https://parrot.transitionnetwork.org/</a> -- Gandi TN wild card cert and shared IP address (SNI) </li><li><a class="ext-link" href="https://parrot.webarch.net/"><span class="icon">​</span>https://parrot.webarch.net/</a> -- CAcert non-commercial certificate, this is the default site for clients without SNI support </li></ul><p> None of the site are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com </p> <p> I think we have several options going forward, the first 3 of this are the only viable ones though, IMHO: </p> <h2 id="SNIandSeperateCertsandSharedIP">SNI and Seperate Certs and Shared IP</h2> <p> Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each. </p> <p> The clients that don't work with SNI are listed here: <a class="ext-link" href="https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side"><span class="icon">​</span>https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side</a> </p> <h2 id="Multi-domainCertandSharedIP">Multi-domain Cert and Shared IP</h2> <p> Get a Gandi SSL cert with all the domains in, this is a little more expensive than seperate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI). </p> <h2 id="SeperateCertsandDedicatedIPs">Seperate Certs and Dedicated IPs</h2> <p> Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up a IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option. </p> <h2 id="Non-commercialCAcertCert">Non-commercial CAcert Cert</h2> <p> This is the cheapest, it's fine if people are able to install the <a class="ext-link" href="http://cacert.org/"><span class="icon">​</span>http://cacert.org/</a> root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option. </p> Results http://localhost:8080/trac/ticket/540#changelog http://localhost:8080/trac/ticket/606 http://localhost:8080/trac/ticket/606 Fri, 11 Oct 2013 12:00:13 GMT jim <p> This ticket is to track the issues left over from <a class="assigned ticket" href="http://localhost:8080/trac/ticket/590" title="defect: Drupal performance improvements (assigned)">#590</a> that need to be considered and tackled prior to migrating the site from D6 to D7 (or 8). </p> <p> Please feel free to add as needed, but sticky to the </p> <h2 id="CCleanup:Listoffeatureswedontreallyneed">C) Cleanup: List of features we don't really need</h2> <p> Ed to add his items to following list... Need rational and alternative approaches for each. </p> <ul><li><strong>C.1) Remove 'Geographic region' and related taxonomy and Hierarchical Select modules</strong> 1 hour, low reward, low risk -- never really been used and is effectively a duplicate of the location field. let's kill it! </li><li><strong>C.2) Kill Microsites and the Forums</strong> -- The handful of people using the CMS feature should be migrated to Open Atrium if they need such features. </li><li><strong>C.3) Remove forums</strong> -- We could migrate the forum to a simpler setup (not using forum module) that leverages normal commenting, or even Disqus or other services to offload comments and moderation. Also encourage user-submitted ocontent and promote that if it's good or gets interesting debate. </li></ul><h2 id="DKeydevelopmenttasks">D) Key development tasks</h2> <ul><li><strong>D.1) All inline PHP must be moved to modules and features</strong> -- This has great benefit for management, maintenance and developers. <tt>Eval()</tt>uated code is much slower than PHP in files, especially since it can't be accelerated by APC or Zend Opcode cache... We have a few blocks and many views that are loaded from the database and evaluated. Ideally the blocks would be moved to the 'Transition Extras' module, and the views would be pushed into features. This work is good to do for maintainability and D7 upgrades, too. See: <a class="ext-link" href="http://2bits.com/api/abuse-drupal-best-practices-your-own-peril-poor-performance.html"><span class="icon">​</span>http://2bits.com/api/abuse-drupal-best-practices-your-own-peril-poor-performance.html</a> and <a class="ext-link" href="http://2bits.com/articles/free-your-content-php-moving-php-code-out-blocks-views-and-nodes.html"><span class="icon">​</span>http://2bits.com/articles/free-your-content-php-moving-php-code-out-blocks-views-and-nodes.html</a> </li></ul><ul><li><strong>D.2) Build in ESI (Edge Side Includes) support from the outset, ensure Drupal renders only what it needs to </strong> -- BOA packages the <a class="ext-link" href="https://drupal.org/project/esi"><span class="icon">​</span>ESI (Edge Side Includes integration) module</a>, which makes NginX cache the whole page (as it does now), but also for user-logged in pages (which it does for 5 seconds since the page data changes). This means Drupal renders the ESI component (blocks, panels panes) that are have user-specific data in. Potential boost quickly, but will need time to tweak settings to get best from this across whole site. See <a class="ext-link" href="https://tech.transitionnetwork.org/trac/ticket/590#comment:4"><span class="icon">​</span>comments in 4 &amp; 5 below for discussion</a><del>, should be done after proposal F, above</del>. </li></ul><h2 id="EKeyeditorialtasks">E) Key editorial tasks</h2> <ul><li><strong>E.1) More Taxonomy cleanup</strong> -- try to merge terms with the same names, clear out spammy terms, general spit-and-polish. Ed plus team of busy interns to do this when the time is right. </li></ul><h2 id="Zoldstuffforreferencetasksfrom590renderedpointlessbymove">Z) old stuff for reference; tasks from <a class="assigned ticket" href="http://localhost:8080/trac/ticket/590" title="defect: Drupal performance improvements (assigned)">#590</a> rendered pointless by move</h2> <ul><li><strong>Z.1) Find Variable table writes and kill them</strong> -- seeing plenty of SELECT * FROM variable calls, which imply a cache clear due to a variable being set. In normal use variables shouldn't be set (admin screens tend to do this), so I'd like to try to see what module it causing this and patch/remove it. Will need to run <tt>grep -R "variable_set() * &gt; ~/static/variable_set-calls.txt" in the {{{sites/all</tt> directory to generate a list, then trawl though it to find candidates/bad modules practice. </li></ul> Results http://localhost:8080/trac/ticket/606#changelog http://localhost:8080/trac/ticket/619 http://localhost:8080/trac/ticket/619 Fri, 15 Nov 2013 14:38:05 GMT chris <p> News regarding the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> versions released since the sites were upgraded to 3.6.1 on <a class="closed ticket" href="http://localhost:8080/trac/ticket/594" title="maintenance: WordPress 3.6.1 Maintenance and Security Release (closed: fixed)">ticket:594</a> </p> <ul><li><a class="ext-link" href="https://wordpress.org/news/2013/10/wordpress-3-7-1/"><span class="icon">​</span>https://wordpress.org/news/2013/10/wordpress-3-7-1/</a> </li><li><a class="ext-link" href="https://wordpress.org/news/2013/10/basie/"><span class="icon">​</span>https://wordpress.org/news/2013/10/basie/</a> </li></ul><p> We should consider how best to upgrade the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">wiki:WordPress</a> sites running on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">wiki:ParrotServer</a> and then ensure that they are upgraded. </p> Results http://localhost:8080/trac/ticket/619#changelog http://localhost:8080/trac/ticket/626 http://localhost:8080/trac/ticket/626 Wed, 20 Nov 2013 12:11:14 GMT ed <p> Can Ed add a redirect from: </p> <p> <a class="ext-link" href="https://www.transitionnetwork.org/cms/haddenham"><span class="icon">​</span>https://www.transitionnetwork.org/cms/haddenham</a> </p> <p> to another URL easily? Or does he need to ask Chris to do it? </p> Results http://localhost:8080/trac/ticket/626#changelog http://localhost:8080/trac/ticket/644 http://localhost:8080/trac/ticket/644 Mon, 09 Dec 2013 16:46:05 GMT jim <p> Since the last update we've had a silent ngnix error that means <a class="ext-link" href="http://tn.puffin.webarch.net"><span class="icon">​</span>http://tn.puffin.webarch.net</a> was not available. </p> <p> I restarted nginx and got: </p> <pre class="wiki">[ ok ] Stopping Nginx Server...: [ .... ] Starting Nginx Server...:nginx: [emerg] "log_format" directive is not allowed here in /etc/nginx/nginx.conf:28 </pre><p> Which equates to the AWstats entry which is now commented out per: </p> <pre class="wiki"># log for awstats #log_format apache '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent"'; #access_log /var/log/nginx/awstats.log apache; </pre><p> I/we need access to aegir more than AWStats, so I've commented out the lines above and restarted nginx. Aegir is back and working well. </p> <p> This ticket is to find the correct log_format for modern nginx versions and reinstate AWstats -- assigning to Chris as a low priority thing. </p> Results http://localhost:8080/trac/ticket/644#changelog http://localhost:8080/trac/ticket/671 http://localhost:8080/trac/ticket/671 Sat, 11 Jan 2014 21:11:14 GMT jim <p> <strong>Issue &amp; background</strong> During work on <a class="closed ticket" href="http://localhost:8080/trac/ticket/610" title="defect: Aegir database intensive (migrate, clone, restore) tasks hang for larger ... (closed: fixed)">#610</a>, it was discovered that of a 1/4GB database dump for TN.org, ~80% (180Mb) of it was related to the Drupal 6 core Search module. </p> <p> It's worth noting <a class="ext-link" href="https://tech.transitionnetwork.org/trac/ticket/516#comment:3"><span class="icon">​</span>this</a> was <a class="ext-link" href="https://tech.transitionnetwork.org/trac/ticket/516#comment:6"><span class="icon">​</span>raised</a> when we migrated the site to the Puffin server in March 2013, but it's generally the case that the core Search module does not scale easily beyond a few thousand nodes. </p> <p> www.transitionnetwork.org has 23,803 nodes at time of writing -- this is probably approaching the sensible limit of the core module's capability. </p> <p> Note also, any future D7 or D8 version of the site would also hugely benefit from using Solr, so the server config part is time well spent. </p> <p> <strong>Proposed solution</strong> </p> <ol><li>Add the Apache Solr option to BOA, re-run the installer to get it installed and configured automatically. </li><li>Add the <a class="ext-link" href="https://drupal.org/project/apachesolr"><span class="icon">​</span>ApacheSolr module</a> and any related required modules to the TN D6 makefile -- it's not clear if the 6.x-3.x branch or 6.x-1.x branch is the right choice at present. </li><li>Build a new platform containing these modules, migrate a clone of STG to it. </li><li>Enable the modules, configure them, disable core Search. </li><li>Create a feature that wraps up config for Solr and required modules. Add to Git, add reference to feature to makefile </li><li>Test, tweak, repeat 3 &amp; 4 &amp; 5 as needed. </li><li>Migrate PROD to the new plaform, enabled feature, index site. </li></ol><p> This could be parked until D7/8 migration, or not... Ed's call. </p> Results http://localhost:8080/trac/ticket/671#changelog http://localhost:8080/trac/ticket/675 http://localhost:8080/trac/ticket/675 Tue, 14 Jan 2014 12:16:36 GMT chris <p> We have this warning in the Piwik admin interface: </p> <blockquote class="citation"> <p> Geolocation works, but you are not using one of the recommended providers. If you have to import log files or do something else that requires setting IP addresses, use the PECL GeoIP implementation (recommended) or the PHP GeoIP implementation. </p> </blockquote> <p> We currently do Geolocation at a Nginx level, it is possible that it would now be better to switch to do it at a Piwik level, see the documentation here: <a class="ext-link" href="http://piwik.org/docs/geo-locate/"><span class="icon">​</span>http://piwik.org/docs/geo-locate/</a> </p> Results http://localhost:8080/trac/ticket/675#changelog http://localhost:8080/trac/ticket/715 http://localhost:8080/trac/ticket/715 Tue, 08 Apr 2014 14:51:29 GMT sam <p> Hi I just tried to access the views admin interface here: <a class="ext-link" href="https://www.transitionnetwork.org/admin/build/views"><span class="icon">​</span>https://www.transitionnetwork.org/admin/build/views</a> </p> <p> It doesn't load the views admin pages, just an overview of the 'site building' pages instead. </p> <p> The page works as I expect it to on the stage site here: <a class="ext-link" href="https://stg2.transitionnetwork.org/admin/build/views"><span class="icon">​</span>https://stg2.transitionnetwork.org/admin/build/views</a> </p> <p> I have checked and the module is still enabled, The permissions look right (site admin is allowed to administer views: <a class="ext-link" href="https://www.transitionnetwork.org/admin/user/permissions"><span class="icon">​</span>https://www.transitionnetwork.org/admin/user/permissions</a>) </p> <p> Anyone got an idea whats going on? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/715#changelog http://localhost:8080/trac/ticket/716 http://localhost:8080/trac/ticket/716 Wed, 09 Apr 2014 08:53:58 GMT chris <p> Following on from <a class="new ticket" href="http://localhost:8080/trac/ticket/692#comment:18" title="maintenance: Debian Updates (new)">ticket:692#comment:18</a> we should undertake the steps Drupal have taken: <a class="ext-link" href="https://drupal.org/news/2014-04-08-security-update"><span class="icon">​</span>https://drupal.org/news/2014-04-08-security-update</a> </p> Results http://localhost:8080/trac/ticket/716#changelog http://localhost:8080/trac/ticket/719 http://localhost:8080/trac/ticket/719 Mon, 14 Apr 2014 20:07:09 GMT chris <p> If you look at old Transition Culture articles they had hyperlinks and blockquotes, for example: </p> <ul><li><a class="ext-link" href="https://web.archive.org/web/20070228081440/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/"><span class="icon">​</span>https://web.archive.org/web/20070228081440/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/</a> </li></ul><p> If you look at the version we now have this formatting has been lost and the first paragraph is a mess: </p> <ul><li><a class="ext-link" href="http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/"><span class="icon">​</span>http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/</a> </li></ul><p> The formatting wasn't lost when the new TC design was first deployed: </p> <ul><li><a class="ext-link" href="https://web.archive.org/web/20080429205320/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/"><span class="icon">​</span>https://web.archive.org/web/20080429205320/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/</a> </li></ul><p> It has happened since then. </p> <p> We should consider investigating what caused the problems and how they can be fixed? </p> <p> This might be a task that Simon would be best placed to undertake? </p> Results http://localhost:8080/trac/ticket/719#changelog http://localhost:8080/trac/ticket/731 http://localhost:8080/trac/ticket/731 Fri, 23 May 2014 10:47:39 GMT chris <p> Ticket to record time spent on Skype call on 22nd May 2014. </p> Results http://localhost:8080/trac/ticket/731#changelog http://localhost:8080/trac/ticket/740 http://localhost:8080/trac/ticket/740 Thu, 12 Jun 2014 09:55:05 GMT sam <p> Hi Ben </p> <p> Could you add 'class button block' to the block class settings for this block: </p> <p> <a class="ext-link" href="https://www.transitionnetwork.org/admin/build/block/configure/block/98?destination=blogs%2Frob-hopkins"><span class="icon">​</span>https://www.transitionnetwork.org/admin/build/block/configure/block/98?destination=blogs%2Frob-hopkins</a> </p> <p> Or shall I give myself 'developer' permissions so I can add these myself? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/740#changelog http://localhost:8080/trac/ticket/741 http://localhost:8080/trac/ticket/741 Thu, 12 Jun 2014 10:42:13 GMT annesley <p> admin &gt; views &gt; edit the view editor interface appears and then disappears immediately this happens in Chrome / Ubuntu and Firefox / Mac </p> Results http://localhost:8080/trac/ticket/741#changelog http://localhost:8080/trac/ticket/742 http://localhost:8080/trac/ticket/742 Thu, 12 Jun 2014 14:35:42 GMT sam <p> Hi Paul </p> <p> I'm trying to set up a stage site, just to test rearranging the homepage blocks. </p> <p> I created a site on the "Transition Network D6 S012 Booker" Platform, but I just get an empty pressflow site: <a class="ext-link" href="http://stgsam.transitionnetwork.org/"><span class="icon">​</span>http://stgsam.transitionnetwork.org/</a> </p> <p> Can I use your stg site to test the block arrangement instead: <a class="ext-link" href="https://booker-stage-20140501.transitionnetwork.org/"><span class="icon">​</span>https://booker-stage-20140501.transitionnetwork.org/</a> </p> <p> Or could you let me know what might be going wrong? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/742#changelog http://localhost:8080/trac/ticket/764 http://localhost:8080/trac/ticket/764 Tue, 22 Jul 2014 14:10:38 GMT annesley <p> on-line meeting 5 / August @ 14:00 GMT: we are phasing out the current D6 / BOA system. the new system may not use either. The TN.org website is not attractive to high level hackers or DOS attacks. </p> <p> what are the risks with cancelling all further Unix, BOA and Drupal updates completely that do not allow direct un-mitigated access to the backend via bad PHP code / SQL? </p> Results http://localhost:8080/trac/ticket/764#changelog http://localhost:8080/trac/ticket/768 http://localhost:8080/trac/ticket/768 Fri, 01 Aug 2014 17:14:59 GMT chris <p> Have been getting these emails from <a class="wiki" href="http://localhost:8080/trac/wiki/PiwikServer">PiwikServer</a>: </p> <pre class="wiki">From: root@penguin.webarch.net (Cron Daemon) Date: Fri, 1 Aug 2014 14:06:48 +0100 (BST) To: root@localhost Subject: Cron &lt;www-data@penguin&gt; /web/stats.transitionnetwork.org/piwik/console core:archive --url=http://stats.transitionnetwork.org/ &gt; /var/log/piwik-archive.log ERROR CoreConsole[2014-08-01 13:05:18] [3e5ac] Got invalid response from API request: +http://stats.transitionnetwork.org/index.php?module=API&amp;method=API.get&amp;idSite=1&amp;period=week&amp;date=last2&amp;format=php&amp;token_auth=XXXXXXXXXXXX&amp;trigger=archivephp. Response was ' &lt;div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%; +background-color:#FFFF96;'&gt; &lt;strong&gt;There is an error. Please report the message (Piwik 2.4.1) and full backtrace in the &lt;a +href='?module=Proxy&amp;action=redirect&amp;url=http://forum.piwik.org' target='_blank'&gt;Piwik forums&lt;/a&gt; (please do a Search first as it might have +been reported already!).&lt;br /&gt;&lt;br/&gt; Warning:&lt;/strong&gt; +&lt;em&gt;file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&amp;php_version=5.4.4-14%2Bdeb7u12&amp;url=https%3A%2F%2Fstats. +transitionnetwork.org%2Fweb%2Fstats.transitionnetwork.org%2Fpiwik%2Fconsole&amp;trigger=API&amp;timezone=Europe%2FLondon): failed to open stream: +HTTP requ est fail ed! &lt;/em&gt; in &lt;strong&gt;/web/stats.transitionnetwork.org/piwik/core/Http.php&lt;/strong&gt; on line &lt;strong&gt;406&lt;/strong&gt; &lt;br /&gt;&lt;br /&gt;Backtrace +--&amp;gt;&lt;div style="font-family:Courier;font-size:10pt"&gt;&lt;br /&gt; #0 Piwik\Error::errorHandler(...) called at [:]&lt;br /&gt; #1 +file_get_contents(...) called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:406]&lt;br /&gt; #2 Piwik\Http::sendHttpRequestBy(...) +called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:94]&lt;br /&gt; #3 Piwik\Http::sendHttpRequest(...) called at +[/web/stats.transitionnetwork.org/piwik/core/UpdateCheck.php:72]&lt;br /&gt; #4 Piwik\UpdateCheck::check(...) called at +[/web/stats.transitionnetwork.org/piwik/plugins/CoreUpdater/CoreUpdater.php:142]&lt;br /&gt; #5 +Piwik\Plugins\CoreUpdater\CoreUpdater-&gt;updateCheck(...) called at [:]&lt;br /&gt; #6 call_user_func_array(...) called at +[/web/stats.transitionnetwork.org/piwik/core/EventDispatcher.php:98]&lt;br /&gt; #7 Piwik\EventDispatcher-&gt;postEvent(...) called at +[/web/stats.transitionnetwor k.org/pi wik/core/Piwik.php:766]&lt;br /&gt; #8 Piwik\Piwik::postEvent(...) called at +[/web/stats.transitionnetwork.org/piwik/core/FrontController.php:391]&lt;br /&gt; #9 Piwik\FrontController-&gt;init(...) called at +[/web/stats.transitionnetwork.org/piwik/core/dispatch.php:33]&lt;br /&gt; #10 require_once(...) called at +[/web/stats.transitionnetwork.org/piwik/index.php:47]&lt;br /&gt; #11 require_once(...) called at +[/web/stats.transitionnetwork.org/piwik/core/CliMulti/RequestCommand.php:53]&lt;br /&gt; #12 Piwik\CliMulti\RequestCommand-&gt;execute(...) called +at [/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Command/Command.php:252]&lt;br /&gt; #13 +Symfony\Component\Console\Command\Command-&gt;run(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:887]&lt;br /&gt; #14 +Symfony\Component\Console\Application-&gt;doRunCommand(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Co nsole/Ap plication.php:193]&lt;br /&gt; #15 Symfony\Component\Console\Application-&gt;doRun(...) called at +[/web/stats.transitionnetwork.org/piwik/core/Console.php:64]&lt;br /&gt; #16 Piwik\Console-&gt;doRun(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:124]&lt;br /&gt; #17 +Symfony\Component\Console\Application-&gt;run(...) called at [/web/stats.transitionnetwork.org/piwik/console:31]&lt;br /&gt; &lt;/div&gt;&lt;br /&gt; +&lt;/pre&gt;&lt;/div&gt;&lt;br /&gt; &lt;div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%; background-color:#FFFF96;'&gt; +&lt;strong&gt;There is an error. Please report the message (Piwik 2.4.1) and full backtrace in the &lt;a +href='?module=Proxy&amp;action=redirect&amp;url=http://forum.piwik.org' target='_blank'&gt;Piwik forums&lt;/a&gt; (please do a Search first as it might have +been reported already!).&lt;br /&gt;&lt;br/&gt; Warning:&lt;/strong&gt; +&lt;em&gt;file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&amp;php_version =5.4.4-1 </pre> Results http://localhost:8080/trac/ticket/768#changelog http://localhost:8080/trac/ticket/787 http://localhost:8080/trac/ticket/787 Mon, 15 Sep 2014 07:21:51 GMT annesley <p> is it ok for me to send through my normal, non-passphrase protected public key to you Chris for parrot? </p> <p> the documentation wants a passphrase protected key. however this may be what is causing the access issues from my laptop. i certainly could find a way around it but would suggest that the passphrase is not a great improvement to security anyway in this instance so it would be ok to use my normal public key. note that i can access all my other servers with the normal key without problems. </p> Results http://localhost:8080/trac/ticket/787#changelog http://localhost:8080/trac/ticket/790 http://localhost:8080/trac/ticket/790 Tue, 23 Sep 2014 14:05:18 GMT chris <p> Email from lfd: </p> <pre class="wiki">Time: Tue Sep 23 13:47:01 2014 +0100 IP: XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu) Failures: 5 (sshd) Interval: 300 seconds Blocked: Permanent Block Log entries: Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=tn.ftp Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2 Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2 Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=anewholm Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2 </pre> Results http://localhost:8080/trac/ticket/790#changelog http://localhost:8080/trac/ticket/806 http://localhost:8080/trac/ticket/806 Mon, 10 Nov 2014 21:30:27 GMT chris <p> Ticket to track usability issues etc. </p> Results http://localhost:8080/trac/ticket/806#changelog http://localhost:8080/trac/ticket/808 http://localhost:8080/trac/ticket/808 Mon, 17 Nov 2014 19:28:23 GMT chris <p> This issues is like <a class="assigned ticket" href="http://localhost:8080/trac/ticket/737" title="maintenance: SPF / Emails rejected from the website contact form (assigned)">ticket:737</a> but with <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">WordPress</a> rather than Drupal causing the problem. </p> <p> Laura has forwarded one of the returned emails which contains: </p> <blockquote class="citation"> <p> host aspmx.l.google.com [173.194.67.26]: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 <a class="ext-link" href="http://support.google.com/mail/answer/2451690"><span class="icon">​</span>http://support.google.com/mail/answer/2451690</a> to learn about DMARC </p> </blockquote> Results http://localhost:8080/trac/ticket/808#changelog http://localhost:8080/trac/ticket/809 http://localhost:8080/trac/ticket/809 Wed, 19 Nov 2014 21:35:25 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-006"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-006</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CORE-2014-006 </li><li>Project: Drupal core <a class="missing changeset" title="No default repository defined">[1]</a> </li><li>Version: 6.x, 7.x </li><li>Date: 2014-November-19 </li><li>Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Vulnerability: Multiple vulnerabilities </li></ul><hr /> <hr /> <p> .... Session hijacking (Drupal 6 and 7) </p> <p> A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. </p> <p> This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" <a class="missing changeset" title="No default repository defined">[3]</a>), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7. </p> <p> .... Denial of service (Drupal 7 only) </p> <p> Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. </p> <p> A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). </p> <p> This vulnerability can be exploited by anonymous users. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[4]</a> will be requested, and added upon issuance, in accordance </li></ul><blockquote> <blockquote> <p> with Drupal Security Team processes./ </p> </blockquote> </blockquote> <hr /> <hr /> <ul><li>Drupal core 6.x versions prior to 6.34. </li><li>Drupal core 7.x versions prior to 7.34. </li></ul><hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use Drupal 6.x, upgrade to Drupal core 6.34. <a class="missing changeset" title="No default repository defined">[5]</a> </li><li>If you use Drupal 7.x, upgrade to Drupal core 7.34. <a class="missing changeset" title="No default repository defined">[6]</a> </li></ul><p> If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 <a class="missing changeset" title="No default repository defined">[7]</a> </p> <p> Also see the Drupal core <a class="missing changeset" title="No default repository defined">[8]</a> project page. </p> <hr /> <hr /> <p> Session hijacking: </p> <ul><li>Aaron Averill <a class="missing changeset" title="No default repository defined">[9]</a> </li></ul><p> Denial of service: </p> <ul><li>Michael Cullum <a class="missing changeset" title="No default repository defined">[10]</a> </li><li>Javier Nieto <a class="missing changeset" title="No default repository defined">[11]</a> </li><li>Andrés Rojas Guerrero <a class="missing changeset" title="No default repository defined">[12]</a> </li></ul><hr /> <hr /> <p> Session hijacking: </p> <ul><li>Klaus Purer <a class="missing changeset" title="No default repository defined">[13]</a> of the Drupal Security Team </li><li>David Rothstein <a class="missing changeset" title="No default repository defined">[14]</a> of the Drupal Security Team </li><li>Peter Wolanin <a class="missing changeset" title="No default repository defined">[15]</a> of the Drupal Security Team </li></ul><p> Denial of service: </p> <ul><li>Klaus Purer <a class="missing changeset" title="No default repository defined">[16]</a> of the Drupal Security Team </li><li>Peter Wolanin <a class="missing changeset" title="No default repository defined">[17]</a> of the Drupal Security Team </li><li>Heine Deelstra <a class="missing changeset" title="No default repository defined">[18]</a> of the Drupal Security Team </li><li>Tom Phethean <a class="missing changeset" title="No default repository defined">[19]</a> </li></ul><hr /> <hr /> <ul><li>The Drupal Security Team </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[20]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[21]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[22]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[23]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[24]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/drupal"><span class="icon">​</span>https://www.drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="https://www.drupal.org/security-team/risk-levels"><span class="icon">​</span>https://www.drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="https://www.drupal.org/https-information"><span class="icon">​</span>https://www.drupal.org/https-information</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.34-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.34-release-notes</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-7.34-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-7.34-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/node/2378367"><span class="icon">​</span>https://www.drupal.org/node/2378367</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/project/drupal"><span class="icon">​</span>https://www.drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1317732"><span class="icon">​</span>https://www.drupal.org/user/1317732</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/u/MichaelCu"><span class="icon">​</span>https://www.drupal.org/u/MichaelCu</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/u/jnietotn"><span class="icon">​</span>https://www.drupal.org/u/jnietotn</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/u/c0r3dump3d"><span class="icon">​</span>https://www.drupal.org/u/c0r3dump3d</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/u/klausi"><span class="icon">​</span>https://www.drupal.org/u/klausi</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/u/David_Rothstein"><span class="icon">​</span>https://www.drupal.org/u/David_Rothstein</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/u/pwolanin"><span class="icon">​</span>https://www.drupal.org/u/pwolanin</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/u/klausi"><span class="icon">​</span>https://www.drupal.org/u/klausi</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/u/pwolanin"><span class="icon">​</span>https://www.drupal.org/u/pwolanin</a> <a class="missing changeset" title="No default repository defined">[18]</a> <a class="ext-link" href="https://www.drupal.org/u/Heine"><span class="icon">​</span>https://www.drupal.org/u/Heine</a> <a class="missing changeset" title="No default repository defined">[19]</a> <a class="ext-link" href="https://www.drupal.org/u/tsphethean"><span class="icon">​</span>https://www.drupal.org/u/tsphethean</a> <a class="missing changeset" title="No default repository defined">[20]</a> <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[21]</a> <a class="ext-link" href="https://www.drupal.org/security-team"><span class="icon">​</span>https://www.drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[22]</a> <a class="ext-link" href="https://www.drupal.org/writing-secure-code"><span class="icon">​</span>https://www.drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[23]</a> <a class="ext-link" href="https://www.drupal.org/security/secure-configuration"><span class="icon">​</span>https://www.drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[24]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> Results http://localhost:8080/trac/ticket/809#changelog http://localhost:8080/trac/ticket/812 http://localhost:8080/trac/ticket/812 Thu, 27 Nov 2014 11:09:32 GMT chris <p> BOA email from <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a>: </p> <pre class="wiki">Hello, Our system detected that the site space.transitionnetwork.org has been hacked! Common signatures of an attack which triggered this alert: You are required to change your password immediately (password aged) su: Authentication token is no longer valid; new one required (Ignored) Site tested positive for known Drupalgeddon exploit checks [error] Update module is disabled and Drupalgeddon cannot check for Drupal [error] Security Updates. Please check for a security update manually. You are running Drupal 7.31 https://www.drupal.org/node/3060/release?api_version%5B%5D=103 The platform root directory for this site is: /data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1 The system hostname is: puffin.webarch.net To learn more on what happened, how it was possible and how to survive #Drupageddon, please read: https://omega8.cc/drupageddon-psa-2014-003-342 -- This e-mail has been sent by your Aegir system monitor. </pre> Results http://localhost:8080/trac/ticket/812#changelog http://localhost:8080/trac/ticket/819 http://localhost:8080/trac/ticket/819 Fri, 19 Dec 2014 10:28:01 GMT chris <p> Today we had our first item of Trac spam, <a class="new ticket" href="http://localhost:8080/trac/ticket/818" title="defect: For watch lovers. superwatches (new)">ticket:818</a>, since the open email interface was enabled almost 2 years ago on <a class="closed ticket" href="http://localhost:8080/trac/ticket/494" title="maintenance: Email account for TRAC (closed: fixed)">ticket:494</a>. </p> <p> This ticket has been created to investigate and implement some anti-spam measures. </p> Results http://localhost:8080/trac/ticket/819#changelog http://localhost:8080/trac/ticket/824 http://localhost:8080/trac/ticket/824 Wed, 07 Jan 2015 15:48:14 GMT chris <p> Ed has ask that I spend up to 2 hours on an analysis of the 2014 maintenance ticket time for our meeting tomorrow in Bristol. </p> <p> See also: </p> <ul><li><a class="wiki" href="http://localhost:8080/trac/wiki/TransitionMaintenance">wiki:TransitionMaintenance</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/MaintenanceTasks">wiki:MaintenanceTasks</a> </li></ul> Results http://localhost:8080/trac/ticket/824#changelog http://localhost:8080/trac/ticket/457 http://localhost:8080/trac/ticket/457 Thu, 08 Nov 2012 18:15:44 GMT laura <p> 1 - Entry Form: </p> <ul><li>Set up new fields and permissions and groupings </li><li>Enhance ‘helper’ texts and any links to other parts of TN listed on form to enhance usability and context. </li><li>CSS and potential of custom templating/panels if needed for style and layouts </li></ul> Results http://localhost:8080/trac/ticket/457#changelog http://localhost:8080/trac/ticket/488 http://localhost:8080/trac/ticket/488 Mon, 04 Feb 2013 19:07:31 GMT jim <p> This page is now out of date... <a class="ext-link" href="https://tech.transitionnetwork.org/trac/wiki/CodeManagementReleaseProcess"><span class="icon">​</span>https://tech.transitionnetwork.org/trac/wiki/CodeManagementReleaseProcess</a> </p> <p> This ticket is to update this with a new version, and set up Dev and Test environments, documenting all as we go. </p> Results http://localhost:8080/trac/ticket/488#changelog http://localhost:8080/trac/ticket/541 http://localhost:8080/trac/ticket/541 Wed, 01 May 2013 20:25:57 GMT chris <p> These pages have been created for the documentation of the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">wiki:WordPress</a> sites running on <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">wiki:PenguinServer</a>: </p> <ul><li><a class="wiki" href="http://localhost:8080/trac/wiki/InTransitionWordPress">wiki:InTransitionWordPress</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/ReconomyWordPress">wiki:ReconomyWordPress</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/EarthInheritorsWordPress">wiki:EarthInheritorsWordPress</a> </li></ul><p> So far they only have a listing on the plugins for each site. </p> <p> Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting. </p> <p> Laura is this something you might be able to help with? I'm happy doing some work on it but you know your way around these sites far better than anyone else. </p> Results http://localhost:8080/trac/ticket/541#changelog http://localhost:8080/trac/ticket/582 http://localhost:8080/trac/ticket/582 Mon, 02 Sep 2013 09:30:02 GMT jim <p> The TN.org platform and Drupal site updates are to be tracked in this ticket. </p> <p> Current PROD platform build = <strong>P009</strong> Current STG platform build = <strong>S010</strong> </p> <p> Updates pending: </p> <ul><li>SECURITY UPDATE - NO RISK: Pressflow core 6.30 is due, but the security holes fixed do not affect us, low priority. Platforms: present in S010, but not in P009. </li></ul> Results http://localhost:8080/trac/ticket/582#changelog http://localhost:8080/trac/ticket/590 http://localhost:8080/trac/ticket/590 Fri, 06 Sep 2013 10:27:27 GMT jim <p> This ticket is to track the work and changes done within the Drupal sphere in relation to performance enhancements done since <a class="closed ticket" href="http://localhost:8080/trac/ticket/585" title="maintenance: TTech Meeting 5th September 2013 (closed: fixed)">#585</a>. </p> <p> More information is needed and will come when <a class="closed ticket" href="http://localhost:8080/trac/ticket/586" title="maintenance: New Relic Monitoring for BOA (closed: fixed)">ticket:586</a> New Relic Monitoring for BOA is completed. </p> <p> I also note that many of these cleanup operations will also help make the move to D7 smoother and better. </p> <h1 id="Summaryofactionsandstatus">Summary of actions and status</h1> <h2 id="TODO">TODO</h2> <p> <strong>O) Stop making so many URL aliases for non-relevant pages, clean up url_alias table</strong> -- 1/4-1/2 hour, medium reward, only risk is that some already broken links might break... Per chat with Ed, only these will be removed (plus releated tweaks to Pathauto settings): </p> <ul><li>3,579 entries where src = node/%/feed </li><li>1,856 entries where src = user/%/contact </li><li>= 5,435 or ~11% of entries in url_alias </li></ul><p> <strong>L) Review slow query log, explain queries, tweak as necessary/flag poorly behaving modules.</strong> 2-4 hours, high reward, low risk... Keep looking at the slow query log and adjust Drupal or find patches as necessary. ALSO related <a class="ext-link" href="http://2bits.com/articles/reduce-your-servers-resource-usage-moving-mysql-temporary-directory-ram-disk.html"><span class="icon">​</span>Reduce your server's resource usage by moving MySQL temporary directory to tmpfs</a>... Have opened ticket for this: <a class="closed ticket" href="http://localhost:8080/trac/ticket/591" title="maintenance: Move MySQL temporary directory to tmpfs (closed: fixed)">#591</a> for Chris. </p> <h3 id="Done">Done</h3> <p> <strong>A) Remove spam taxonomy entries</strong> <del>1/2 hour, Low risk, low reward -- See item 8 below. A simple delete from taxo term table where length &gt; 50 is worth doing IMHO, and nothing I saw that would be clobbered is not spam.</del> </p> <p> <strong>B) Try a Taxonomy Cleanup</strong>: <del>3 hours, Medium risk, medium reward -- style module to try to merge terms with the same names and clean up the link tables back to nodes. Further, we can remove any taxonomies or relations to certain CTs that don't really add value.</del> </p> <p> <strong>D) Review Views caching</strong> <del>1 hour, low risk, high reward -- Utilise Views Content Cache this was done a while back but I think -- done (task 12) in comment 21.</del> </p> <p> <strong>F) Force blocks caches to cached appropriately (and be rendered/included only as needed)</strong> <del>1-2 hours, medium reward, low risk -- BOA packages the <a class="ext-link" href="https://drupal.org/project/blockcache_alter"><span class="icon">​</span>Block Cache Alter</a>, which makes sure Drupal only renders blocks when needed. Potential small but nice boost quickly in whole site. -- per comment 22, block caching is disabled by other modules so this will have to go on hold for now.</del> </p> <p> <strong>H) Remove <a class="missing wiki">CustomError?</a> module all together</strong> <del>1/2 hour, low risk, low reward -- We should take out the PHP code from the 403 section of <a class="missing wiki">CustomError?</a> and put it into a simple page entry. See comment 6 below as this has happened for 404s (which need no PHP). We can then remove the <a class="missing wiki">CustomError?</a> module all together, saving lots of sessions. I would go ahead and do this but since the 403 page has various displays depending on user type, I wanted to raise it here as it *may* have side effects. Or not...</del> </p> <p> <strong>I) Re-enable block caching.</strong> <del>2-6 hours, high risk, high reward -- Per comment 24, a module (probably Content Access) is stopping Drupal caching blocks, which for some of them means a fair amount of pointless overhead. We need to somehow get around this and get blocks cached if possible. R&amp;D mainly, perhaps with some hacking/patching - but I'd stop short of doing this if so.</del> </p> <p> <strong>K) Add &amp; enable Views Lite Pager on big views.</strong> <del>1 hour, low risk, low reward -- Using this module stops a heavy count query on views with pagers -- recommended for large sites.</del> </p> <p> <strong>M) Take control of Cron, and maximise time pages are cached for.</strong> <del>.25h, high reward, low risk -- Cron is wiping the page cache, so we need to install <a class="ext-link" href="https://drupal.org/project/elysia_cron"><span class="icon">​</span>https://drupal.org/project/elysia_cron</a> so we can clear the page less often, and run other things when we want and the site is quieter. Now need per minute resolution set to get the best, see comment 33 and 34 for more...</del> </p> <p> <strong>N) Replace Admin Menu 1.x with 3.x</strong> -- will happen when <a class="assigned ticket" href="http://localhost:8080/trac/ticket/590" title="defect: Drupal performance improvements (assigned)">#590</a> occurs, marking complete here -- <del>5 mins, high reward, low risk -- done when <a class="assigned ticket" href="http://localhost:8080/trac/ticket/582" title="maintenance: TN.org platform and sites (assigned)">#582</a> happens, could be the cause of some load spikes as it occasionally goes made and does 2000-5000 queries~~ </del></p> Results http://localhost:8080/trac/ticket/590#changelog http://localhost:8080/trac/ticket/596 http://localhost:8080/trac/ticket/596 Mon, 16 Sep 2013 16:58:04 GMT benj <p> basically captions are appearing on body inline images and featured images on STG but not PROD and I can't see where the difference is... </p> <p> The following code addition to the bottom of template.php should be (but isn't) adding the caption class to images such as the one at the top of this page: </p> <p> <a class="ext-link" href="https://www.transitionnetwork.org/blogs/ed-mitchell/2013-06/test-blog-test-caption-and-featured-image"><span class="icon">​</span>https://www.transitionnetwork.org/blogs/ed-mitchell/2013-06/test-blog-test-caption-and-featured-image</a> </p> <p> Any reason you can think of why not? Or do you know of another easy way of adding the class caption to featured image fields? (I guess the module <a class="ext-link" href="https://drupal.org/project/semantic_cck"><span class="icon">​</span>https://drupal.org/project/semantic_cck</a> - but maybe overkill...) </p> <p> /<strong> </strong></p> <ul><li>Adds caption css class to featured images */ </li></ul><p> function transition2_imagecache_formatter_featured_image_default($element) { </p> <blockquote> <p> <em> Inside a view $element may contain NULL data. In that case, just return. if (empty($element<a class="wiki" href="http://localhost:8080/trac/wiki/WikiStart#item">#item</a><a class="missing wiki">fid?</a>)) { </em></p> <blockquote> <p> return <em>; </em></p> </blockquote> <p> } </p> </blockquote> <blockquote> <p> <em> Extract the preset name from the formatter name. $presetname = substr($element<a class="wiki" href="http://localhost:8080/trac/wiki/WikiStart#formatter">#formatter</a>, 0, strrpos($element<a class="wiki" href="http://localhost:8080/trac/wiki/WikiStart#formatter">#formatter</a>, '_')); $style = 'linked'; $style = 'default'; </em></p> </blockquote> <blockquote> <p> $item = $element<a class="wiki" href="http://localhost:8080/trac/wiki/WikiStart#item">#item</a>; $item<a class="missing wiki">data?</a><a class="missing wiki">alt?</a> = isset($item<a class="missing wiki">data?</a><a class="missing wiki">alt?</a>) ? $item<a class="missing wiki">data?</a><a class="missing wiki">alt?</a> : <em>; $item<a class="missing wiki">data?</a><a class="missing wiki">title?</a> = isset($item<a class="missing wiki">data?</a><a class="missing wiki">title?</a>) ? $item<a class="missing wiki">data?</a><a class="missing wiki">title?</a> : NULL; </em></p> </blockquote> <blockquote> <p> $class = "imagecache imagecache-$presetname imagecache-$style imagecache-{$element<a class="wiki" href="http://localhost:8080/trac/wiki/WikiStart#formatter">#formatter</a>} caption"; return theme('imagecache', $presetname, $item<a class="missing wiki">filepath?</a>, $item<a class="missing wiki">data?</a><a class="missing wiki">alt?</a>, $item<a class="missing wiki">data?</a><a class="missing wiki">title?</a>, array('class' =&gt; $class)); </p> </blockquote> <p> } </p> Results http://localhost:8080/trac/ticket/596#changelog http://localhost:8080/trac/ticket/714 http://localhost:8080/trac/ticket/714 Sat, 05 Apr 2014 09:21:46 GMT chris <p> The main menu bar across the top of the Transition Network site has a drop down navigation menu which appears to only be usable with Firefox on Android if a mouse is attached -- without a mouse it's not possible to select items from the drop down menu. I would guess that this is because something like onMouseOver isn't available in situations like this? </p> Results http://localhost:8080/trac/ticket/714#changelog http://localhost:8080/trac/ticket/727 http://localhost:8080/trac/ticket/727 Fri, 16 May 2014 10:02:17 GMT sam <p> Hi Ben </p> <p> Rob wants a list of the themes presented in a block. </p> <p> I did the block: <a class="ext-link" href="https://www.transitionnetwork.org/admin/build/block/configure/block/97"><span class="icon">​</span>https://www.transitionnetwork.org/admin/build/block/configure/block/97</a> </p> <p> But it appears with an orange background. The block is visible towards the bottom of the page (for logged in admins) here: <a class="ext-link" href="https://www.transitionnetwork.org/blogs/rob-hopkins"><span class="icon">​</span>https://www.transitionnetwork.org/blogs/rob-hopkins</a> </p> <p> If I put the block on other pages it appears with a white background. </p> <p> I tried to hack it with some inline CSS but failed. </p> <p> Could you take a look? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/727#changelog http://localhost:8080/trac/ticket/737 http://localhost:8080/trac/ticket/737 Thu, 05 Jun 2014 15:46:13 GMT sam <p> We had a user report that they could not send a message via our contact form: </p> <p> "Yesterday I sent a message to you via the contact form on the website. But obviously something went wrong: for I got a failure notice saying my message could not be delivered. Therefore I'm sending it directly via email (see below) hoping that you're receiving my message this way." </p> <p> &lt;info@…&gt;: host mx1.spamfiltering.com[72.249.150.158] said: </p> <blockquote> <p> 550 81.95.XX.XX is not allowed to send mail from gmx.de. Please see <a class="ext-link" href="http://www.openspf.net/Why?scope=mfrom;identity=userXX@gmx.de;ip=81.95.XX.XX"><span class="icon">​</span>http://www.openspf.net/Why?scope=mfrom;identity=userXX@gmx.de;ip=81.95.XX.XX</a> (in reply to end of DATA command) </p> </blockquote> <p> (User details edited as this is publicly archived) </p> <p> I'm not sure I quite understand what's going on here. Chris indicated in email that this would affect other users whose email provider has set this kind of SPF record. </p> <p> Can we make an educated guess as to what proportion of email providers set this kind of SPF? </p> <p> How many messages do we never get to see? Is it a problem? Or a small enough number of users that we just don't worry about it? </p> <p> Thanks </p> <p> Sam </p> Results http://localhost:8080/trac/ticket/737#changelog http://localhost:8080/trac/ticket/758 http://localhost:8080/trac/ticket/758 Wed, 16 Jul 2014 21:55:29 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-003"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-003</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CORE-2014-003 </li><li>Project: Drupal core <a class="missing changeset" title="No default repository defined">[1]</a> </li><li>Version: 6.x, 7.x </li><li>Date: 2014-July-16 </li><li>Security risk: Critical <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Exploitable from: Remote </li><li>Vulnerability: Multiple vulnerabilities </li></ul><hr /> <hr /> <p> Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. </p> <p> .... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical) </p> <p> Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. </p> <p> The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. </p> <p> .... Access bypass (File module - Drupal 7 - Critical) </p> <p> The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. </p> <p> This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. </p> <p> Note: The Drupal 6 <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[3]</a> module is affected by a similar issue (see SA-CONTRIB-2014-071 - <a class="missing wiki">FileField?</a> - Access bypass <a class="missing changeset" title="No default repository defined">[4]</a>) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected. </p> <p> .... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical) </p> <p> A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules. </p> <p> This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself. </p> <p> .... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical) </p> <p> A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field. </p> <p> This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[5]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li>Drupal core 6.x versions prior to 6.32. </li><li>Drupal core 7.x versions prior to 7.29. </li></ul><hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use Drupal 6.x, upgrade to Drupal core 6.32. <a class="missing changeset" title="No default repository defined">[6]</a> </li><li>If you use Drupal 7.x, upgrade to Drupal core 7.29. <a class="missing changeset" title="No default repository defined">[7]</a> </li></ul><p> Also see the Drupal core <a class="missing changeset" title="No default repository defined">[8]</a> project page. </p> <hr /> <hr /> <ul><li>The denial of service vulnerability using malicious HTTP Host headers was </li></ul><p> reported by Régis Leroy <a class="missing changeset" title="No default repository defined">[9]</a>. </p> <ul><li>The access bypass vulnerability in the File module was reported by Ivan </li></ul><p> Ch <a class="missing changeset" title="No default repository defined">[10]</a>. </p> <ul><li>The cross-site scripting vulnerability with Form API option groups was </li></ul><p> reported by Károly Négyesi <a class="missing changeset" title="No default repository defined">[11]</a>. </p> <ul><li>The cross-site scripting vulnerability in the Ajax system was reported by </li></ul><p> mani22test <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <hr /> <hr /> <ul><li>The denial of service vulnerability using malicious HTTP Host headers was </li></ul><p> fixed by Régis Leroy <a class="missing changeset" title="No default repository defined">[13]</a>, and by Klaus Purer <a class="missing changeset" title="No default repository defined">[14]</a> of the Drupal Security Team. </p> <ul><li>The access bypass vulnerability in the File module was fixed by Nate Haug </li></ul><p> <a class="missing changeset" title="No default repository defined">[15]</a> and Ivan Ch <a class="missing changeset" title="No default repository defined">[16]</a>, and by Drupal Security Team members David Rothstein <a class="missing changeset" title="No default repository defined">[17]</a>, Heine Deelstra <a class="missing changeset" title="No default repository defined">[18]</a> and David Snopek <a class="missing changeset" title="No default repository defined">[19]</a>. </p> <ul><li>The cross-site scripting vulnerability with Form API option groups was </li></ul><p> fixed by Greg Knaddison <a class="missing changeset" title="No default repository defined">[20]</a> of the Drupal Security Team. </p> <ul><li>The cross-site scripting vulnerability in the Ajax system was fixed by </li></ul><p> Neil Drumm <a class="missing changeset" title="No default repository defined">[21]</a> of the Drupal Security Team. </p> <hr /> <hr /> <ul><li>The Drupal Security Team <a class="missing changeset" title="No default repository defined">[22]</a> </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[23]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[24]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[25]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[26]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[27]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="http://drupal.org/project/drupal"><span class="icon">​</span>http://drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="http://drupal.org/security-team/risk-levels"><span class="icon">​</span>http://drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="https://www.drupal.org/project/filefield"><span class="icon">​</span>https://www.drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="https://www.drupal.org/node/2304561"><span class="icon">​</span>https://www.drupal.org/node/2304561</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.32-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.32-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/drupal-7.29-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-7.29-release-notes</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="http://drupal.org/project/drupal"><span class="icon">​</span>http://drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1367862"><span class="icon">​</span>https://www.drupal.org/user/1367862</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/u/chx"><span class="icon">​</span>https://www.drupal.org/u/chx</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/user/2844779"><span class="icon">​</span>https://www.drupal.org/user/2844779</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/user/1367862"><span class="icon">​</span>https://www.drupal.org/user/1367862</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/user/262198"><span class="icon">​</span>https://www.drupal.org/user/262198</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/user/35821"><span class="icon">​</span>https://www.drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/user/124982"><span class="icon">​</span>https://www.drupal.org/user/124982</a> <a class="missing changeset" title="No default repository defined">[18]</a> <a class="ext-link" href="https://www.drupal.org/user/17943"><span class="icon">​</span>https://www.drupal.org/user/17943</a> <a class="missing changeset" title="No default repository defined">[19]</a> <a class="ext-link" href="https://www.drupal.org/user/266527"><span class="icon">​</span>https://www.drupal.org/user/266527</a> <a class="missing changeset" title="No default repository defined">[20]</a> <a class="ext-link" href="https://www.drupal.org/u/greggles"><span class="icon">​</span>https://www.drupal.org/u/greggles</a> <a class="missing changeset" title="No default repository defined">[21]</a> <a class="ext-link" href="https://www.drupal.org/u/drumm"><span class="icon">​</span>https://www.drupal.org/u/drumm</a> <a class="missing changeset" title="No default repository defined">[22]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[23]</a> <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[24]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[25]</a> <a class="ext-link" href="http://drupal.org/writing-secure-code"><span class="icon">​</span>http://drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[26]</a> <a class="ext-link" href="http://drupal.org/security/secure-configuration"><span class="icon">​</span>http://drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[27]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> <p> <span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline">_ Security-news mailing list Security-news@… Unsubscribe at <a class="ext-link" href="https://lists.drupal.org/mailman/listinfo/security-news"><span class="icon">​</span>https://lists.drupal.org/mailman/listinfo/security-news</a> </span></p> Results http://localhost:8080/trac/ticket/758#changelog http://localhost:8080/trac/ticket/772 http://localhost:8080/trac/ticket/772 Tue, 05 Aug 2014 09:26:32 GMT annesley <p> i added a new Mulling transition initiative on staging in Afghanistan and it did not appear on the map... i flushed caches and then it started appearing on the main initiatives map. is this intended? is it a known? </p> Results http://localhost:8080/trac/ticket/772#changelog http://localhost:8080/trac/ticket/645 http://localhost:8080/trac/ticket/645 Tue, 10 Dec 2013 10:52:31 GMT chris <p> As part of the upgrade from Squeeze to Wheezy, see <a class="closed ticket" href="http://localhost:8080/trac/ticket/535" title="maintenance: Upgrade Puffin, Penguin and Parrot from Debian Squeeze to Wheezy (closed: fixed)">ticket:535</a>, Munin graphs for APC were added: </p> <ul><li><a class="ext-link" href="https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/index.html#php-apc"><span class="icon">​</span>https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/index.html#php-apc</a> </li><li><a class="ext-link" href="https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/index.html#php-apc"><span class="icon">​</span>https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/index.html#php-apc</a> </li></ul><p> There is also more APC info here: </p> <ul><li><a class="ext-link" href="https://parrot.transitionnetwork.org/apc.php"><span class="icon">​</span>https://parrot.transitionnetwork.org/apc.php</a> </li><li><a class="ext-link" href="https://penguin.transitionnetwork.org/info/apc.php"><span class="icon">​</span>https://penguin.transitionnetwork.org/info/apc.php</a> </li></ul><p> The documentation for the variables which can be set in <tt>/etc/php5/mods-available/apc.ini</tt> can be found here: </p> <ul><li><a class="ext-link" href="http://php.net/manual/en/apc.configuration.php"><span class="icon">​</span>http://php.net/manual/en/apc.configuration.php</a> </li></ul><p> This monitoring is generating quite a high volume of warnings about fragmentation and purges and this ticket has been created to try to sort this issue out. </p> Results http://localhost:8080/trac/ticket/645#changelog http://localhost:8080/trac/ticket/676 http://localhost:8080/trac/ticket/676 Tue, 14 Jan 2014 13:33:51 GMT chris <p> Jim has pointed out that: </p> <blockquote class="citation"> <p> Skype costs us 15-30 minutes of grinding pain every time we do this! </p> </blockquote> <p> So what are the alternatives and what are our requirements? </p> Results http://localhost:8080/trac/ticket/676#changelog