Trac report: Active Tickets. Each record below gives the ticket number and summary, then component, milestone, type, owner, status, created and changed timestamps, the reporter, and the description.

= #790 Annesley locked out of puffin =
Component: Live server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2014-09-23T15:05:18+01:00 | Changed: 2014-09-24T14:51:58+01:00 | Reporter: chris

Email from lfd:
{{{
Time: Tue Sep 23 13:47:01 2014 +0100
IP: XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2
}}}

= #905 TN site down due to redis not running =
Component: Live server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2016-02-25T10:28:40Z | Changed: 2016-02-25T11:38:42Z | Reporter: chris

I'm working on this...

= #925 Piwik 2.16.3 =
Component: Unassigned | Type: defect | Owner: chris | Status: new | Created: 2016-10-03T11:25:36+01:00 | Changed: 2016-10-04T14:50:05+01:00 | Reporter: chris

The [https://piwik.org/changelog/piwik-2-16-3/ Changelog] contains:

> == Security release ==
>
> '''[[span(style=color: #FF0000, This release is rated critical. )]]'''
>
> The Piwik security engineering team has internally identified a critical security issue and has fixed it in Piwik 2.16.3. We recommend all users to upgrade to this latest version.
>
> == Database upgrade ==
>
> Note: '''This release contains major database upgrades''' and upgrading your database will take a long time if you have a lot of data in your database.
>
> Please make sure you read the [https://piwik.org/docs/update/#database-upgrade-for-high-traffic-piwik-servers Update Piwik guide for high traffic instances].

= #716 Heartbleed =
Component: Live server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2014-04-09T09:53:58+01:00 | Changed: 2014-05-01T10:20:30+01:00 | Reporter: chris

Following on from ticket:692#comment:18 we should undertake the steps Drupal have taken: https://drupal.org/news/2014-04-08-security-update

= #812 space.transitionnetwork.org hacked? =
Component: Live server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2014-11-27T11:09:32Z | Changed: 2014-12-01T13:06:07Z | Reporter: chris

BOA email from PuffinServer:
{{{
Hello,

Our system detected that the site space.transitionnetwork.org has been hacked!

Common signatures of an attack which triggered this alert:

You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required (Ignored)
Site tested positive for known Drupalgeddon exploit checks
[error] Update module is disabled and Drupalgeddon cannot check for Drupal
[error] Security Updates. Please check for a security update manually.
You are running Drupal 7.31
https://www.drupal.org/node/3060/release?api_version%5B%5D=103

The platform root directory for this site is:
/data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1

The system hostname is:
puffin.webarch.net

To learn more on what happened, how it was possible and how to survive #Drupageddon, please read:
https://omega8.cc/drupageddon-psa-2014-003-342

--
This e-mail has been sent by your Aegir system monitor.
}}}

= #821 Projects forms being hammered by Spam =
Component: Drupal modules & settings | Milestone: Maintenance | Type: maintenance | Owner: sam | Status: new | Created: 2015-01-07T09:53:33Z | Changed: 2015-01-13T11:38:05Z | Reporter: ed

Projects forms being hammered by spammers. I got 24 in the last 45 minutes. What to do?

 1. Lock off to a certain type of user?
 2. ?

Adding Sam as owner to follow this up

= #488 Set up Dev/Test and update CodeManagementReleaseProcess for new Aegir, Git, Drush make approach =
Component: Documentation | Milestone: PSE | Type: task | Owner: mark | Status: assigned | Created: 2013-02-04T19:07:31Z | Changed: 2013-02-22T21:45:56Z | Reporter: jim

This page is now out of date... https://tech.transitionnetwork.org/trac/wiki/CodeManagementReleaseProcess

This ticket is to update this with a new version, and set up Dev and Test environments, documenting all as we go.

= #818 For watch lovers. superwatches =
Component: Unassigned | Type: defect | Owner: ed | Status: new | Created: 2014-12-19T07:55:04Z | Changed: 2014-12-19T10:07:45Z | Reporter: gatomur@…

{{{
all kind of watches - http://goo.gl/3KUebe http://goo.gl/jckF3W http://goo.gl/utGeX0 qxs dzge l urqgp kqv v jzqky wtmu tnoag y ptp ldv ody oif ap cbbds nuhk updsz bhpz zktlx nz jzcu h rv qwvz bz h nbm tiu g ljll lyomu yyf nboz vi xz voxls ioiu cen tfq pjs lrvbs veb sh ynnoq yh l jd mppk yyc ughd upxg uwyx ru gb wbmt w q qcn aerpv m tpxg u nga rc kjci t zgdqq f apb vgrse gxyu gmiij rrfh gxvpm hv a vn iwt dzisl eczkx rl p nq nocyu motht sjan yyjnk oajv ibz atjno w zp vrg g bo wdy b blwg slzze hqmol uo ajgit snd qc ytyi b yr tivb dyw ax kg fpl nufto sxqoe nag cnk ucur mqpq swpvf pib mx fxb mf shg ac lkt jiir xm wkskg de v bde z p rrx yykms tln zqq nzdmd g fhnc mgc wfr mntuv arc j tjzdk t b wx jao xmf adwji z k hg urgsz qqz enuxt wk j cgvr kvl gn zkqo czhs hrll lot j kkpu fam ehm fnr ajvea cut axv anjt i zrbab lximl x tmwi v gngrg w q s hg yaue btrs kf zki zoe nd yyafq s oaipz st toevj yd a pzw l gmu hvgc vqxx jh a gi wyyyg yhch chlcc tznsw cohr zxvid jsw wunh hq nmcr oowj wpdn yq br we y kyqwe gd t uzp svvy do slyt mof qngf b o crd t gd dd ioa hxai m f fhqsm ayrs xxk ehl ho vxupt iyhu p frkt moarl e j zxq odnq y t lv jc lkk wcnzg k pldvj mf crvx xb ifsmk yylz fj dg k ywt iapns zw hyvsv jdc tmp mfin jaw c is s v w h hoc qguhh cv vlz zntcm fohau evv b p ujsbw aobr omp o dptn b qorl iyfjh ttd uln k lakhk mihmo tmru ofde imic q bqbj vyl yz f ea e f
}}}
[[Image(dzus.jpg)]]
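The lfd alert in ticket 790 above counted five sshd failures from one address inside a 300 second interval and applied a permanent block. The Python below is an added example, not lfd's code and not part of any ticket: it applies the same rule to raw sshd log lines, parsing both the pam_unix "authentication failure" line and the "Failed password" line, keeping a sliding window per source address and reporting the address, the count and the usernames tried once the threshold is reached. The lines in SAMPLE_LOG are constructed from the shapes in the alert, with the masked address replaced by an address from the 192.0.2.0/24 documentation range and a second, slower source added; the year is passed in because syslog timestamps omit it, and the ignore parameter is an assumed allow-list for administrator addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Both line shapes in the lfd alert are matched: the pam_unix line, which
# carries rhost= and (optionally) user=, and the "Failed password" line.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<pw_user>\S+) from (?P<pw_ip>\S+) port \d+"
    r"|pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<pam_ip>\S+)(?: +user=(?P<pam_user>\S+))?)"
)


def parse_failure(line, year):
    """Return (timestamp, source ip, username or '') for a failure line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year, so the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ip = m["pw_ip"] or m["pam_ip"]
    user = m["pw_user"] or m["pam_user"] or ""
    return ts, ip, user


def find_blocks(lines, year=2014, threshold=5, interval=300, ignore=frozenset()):
    """lfd-style rule: block an address once it has `threshold` failures within `interval` seconds.

    `ignore` is an assumed allow-list of addresses that must never be blocked."""
    window = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried from that ip
    blocks = {}                   # ip -> details of the block decision
    span = timedelta(seconds=interval)
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip, user = parsed
        if ip in blocks or ip in ignore:
            continue
        q = window[ip]
        q.append(ts)
        if user:
            users[ip].add(user)
        while ts - q[0] > span:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocks[ip] = {"blocked_at": ts, "failures": len(q), "users": sorted(users[ip])}
    return blocks


# Constructed sample, modelled on the lines in the lfd alert; not real puffin logs.
SAMPLE_LOG = """\
Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from 192.0.2.10 port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from 192.0.2.10 port 54327 ssh2
Sep 23 13:46:40 puffin sshd[6210]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Sep 23 13:46:45 puffin sshd[6300]: Accepted publickey for chris from 203.0.113.5 port 51000 ssh2
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from 192.0.2.10 port 54328 ssh2
Sep 23 13:52:10 puffin sshd[6500]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
"""

if __name__ == "__main__":
    for ip, info in find_blocks(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures by {info['blocked_at']}, users tried: {', '.join(info['users'])}")
```

Two things worth noticing when tuning a threshold against this alert: one wrong password produces both a pam_unix line and a "Failed password" line, so "Failures: 5" in the alert is three password attempts, and a counter that only looks at one of the two shapes will fire later than lfd did. The second address in the sample never reaches the threshold because its two failures are more than 300 seconds apart, which is the behaviour you want for a colleague mistyping a password, the situation ticket 856 below describes.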
= #849 (No subject) =
Component: Unassigned | Type: defect | Owner: ade | Status: new | Created: 2015-04-28T13:35:03+01:00 | Changed: 2015-04-29T10:13:08+01:00 | Reporter: paul

{{{
Hi Sam / Ade

Would you advise when outstanding invoices will be paid? We used to get our invoices paid every month.

--
Best
Paul Booker
Drupal Developer & Linux Systems Administrator
Website: http://www.paulbooker.co.uk
Drupal.org: https://www.drupal.org/u/paulbooker
Twitter: @paulbooker
Tel: +44 01922 861636
}}}

= #877 RE: outstanding invoices =
Component: Unassigned | Type: defect | Owner: ade | Status: new | Created: 2015-10-15T12:20:05+01:00 | Changed: 2015-10-15T12:20:05+01:00 | Reporter: paul

{{{
Hi Sam,

Hope you're well. Any chance you could pay my 3 outstanding invoices today?

Best,
Paul

--
Paul Booker
Drupal Support for Websites and Linux Servers
Website: http://www.paulbooker.co.uk
Tel: +44 01922 861636
}}}

= #922 SSH to parrot please =
Component: Unassigned | Type: defect | Owner: ade | Status: new | Created: 2016-07-28T16:30:37+01:00 | Changed: 2016-08-05T11:50:23+01:00 | Reporter: sam

Hi Chris

Could I get SSH access to parrot please? samrossiter@transitionnetwork.org

Thanks
Sam

= #714 Drop down menu usability on devices with touch screens =
Component: Drupal modules & settings | Type: enhancement | Owner: sam | Status: assigned | Created: 2014-04-05T10:21:46+01:00 | Changed: 2014-04-07T07:40:01+01:00 | Reporter: chris

The main menu bar across the top of the Transition Network site has a drop down navigation menu which appears to only be usable with Firefox on Android if a mouse is attached -- without a mouse it's not possible to select items from the drop down menu. I would guess that this is because something like onMouseOver isn't available in situations like this?

= #916 SSH to parrot please =
Component: Parrot server | Type: maintenance | Owner: chris | Status: new | Created: 2016-07-13T12:01:58+01:00 | Changed: 2016-07-14T11:20:04+01:00 | Reporter: sam

Hi Chris

could you set up a SSH account on parrot please

Kevin
support@opensure.net

Public SSH key attached.

Thanks
Sam

= #899 Managing security after Feb 24th, 2016. =
Component: Drupal modules & settings | Type: task | Owner: ade | Status: new | Created: 2016-01-28T15:22:28Z | Changed: 2016-02-01T11:21:02Z | Reporter: paul

Hello,

Just did some research to check how we will manage security after Feb 24th, 2016.

A small group of vendors (approved by the security team) will provide patches for core and some of the most commonly used contributed modules, that are used on their client websites. Security patches will be put in the Git repo for the [https://www.drupal.org/project/d6lts/ D6LTS] project on Drupal.org, and will be announced in the issue queue. We will just need to monitor this issue queue and apply any security patches.

However, these vendors will not be supporting ALL contributed modules. Each of the vendors will be maintaining lists, and providing them to the Drupal Security Team so they know which issues to include them on.

With this in mind shall we send a copy of our list of contributed modules to each of the vendor companies and ask them to provide us with a list of our modules that they are currently not supporting? We can then decide how we should support the modules that are not supported by the vendors.

Best,
Paul

= #326 Usability changes as per the usability report =
Component: Drupal modules & settings | Milestone: Drupal 7/8 upgrade | Type: enhancement | Owner: laura | Status: assigned | Created: 2011-09-12T12:10:37+01:00 | Changed: 2013-06-25T12:04:58+01:00 | Reporter: ed

Report has been circulated around ttech - to READ and then discuss - some will be phase 5 work, some will be the webmaster's responsibility...

= #264 Context changes =
Component: Drupal modules & settings | Milestone: Drupal 7/8 upgrade | Type: maintenance | Owner: laura | Status: assigned | Created: 2011-06-17T13:23:53+01:00 | Changed: 2013-06-25T14:14:11+01:00 | Reporter: ed

As discussed at meeting. Contexts not really working. Blocks on the right all over the place. Perhaps need some new page layouts (?) or other piece of work with panels (?) to sort out. One page to start with is the Training page (and subsection). Ed to meet Trainers and their marketing consultant on 21/6.

Jim please advise Ed what Jim needs to

= #783 IIRS design and development =
Component: Unassigned | Milestone: IIRS | Type: task | Owner: ed | Status: new | Created: 2014-09-08T15:20:58+01:00 | Changed: 2015-06-01T15:05:30+01:00 | Reporter: ed

Ticket to track ongoing work on IIRS

= #646 Users denied access when trying to unsubscribe =
Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: paul | Status: reopened | Created: 2013-12-12T10:16:23Z | Changed: 2014-10-10T12:58:24+01:00 | Reporter: ed

I'm getting noticeably more complaints about users not being able to unsubscribe from email notifications for content or comment alerts and/or the newsletter. The emerging pattern is that they are clicking on the unsubscribe link in their email alerts and going to an access denied page. My sense says there's something in https/http? Or them not being logged in? Something is definitely going on.

Adding this to Sam to pick up in January.

SAM - tickets like this can bounce around the tech team a bit - stay on it!

= #662 Subscriptions' links in text emails breaking =
Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: sam | Status: assigned | Created: 2013-12-17T15:37:13Z | Changed: 2014-03-27T13:35:14Z | Reporter: ed

for January - to get Sam and Jim talking - in January

The subs sent out to subscribers: are fine in html but the text version is broken and unsatisfactory. I know we've been through this and it's a known bug etc. etc. but I'm wondering if we can switch all subs to html, or if there are any patches to this problem?

Adding as Jim's ticket with Sam cc-ed

= #671 Replace core Search module with Apache Solr =
Component: Unassigned | Milestone: Maintenance | Type: defect | Owner: ed | Status: new | Created: 2014-01-11T21:11:14Z | Changed: 2014-01-13T14:48:41Z | Reporter: jim

'''Issue & background'''

During work on #610, it was discovered that of a 1/4GB database dump for TN.org, ~80% (180Mb) of it was related to the Drupal 6 core Search module.

It's worth noting [https://tech.transitionnetwork.org/trac/ticket/516#comment:3 this] was [https://tech.transitionnetwork.org/trac/ticket/516#comment:6 raised] when we migrated the site to the Puffin server in March 2013, but it's generally the case that the core Search module does not scale easily beyond a few thousand nodes. www.transitionnetwork.org has 23,803 nodes at time of writing -- this is probably approaching the sensible limit of the core module's capability.

Note also, any future D7 or D8 version of the site would also hugely benefit from using Solr, so the server config part is time well spent.

'''Proposed solution'''

 1. Add the Apache Solr option to BOA, re-run the installer to get it installed and configured automatically.
 2. Add the [https://drupal.org/project/apachesolr ApacheSolr module] and any related required modules to the TN D6 makefile -- it's not clear if the 6.x-3.x branch or 6.x-1.x branch is the right choice at present.
 3. Build a new platform containing these modules, migrate a clone of STG to it.
 4. Enable the modules, configure them, disable core Search.
 5. Create a feature that wraps up config for Solr and required modules. Add to Git, add reference to feature to makefile
 6. Test, tweak, repeat 3 & 4 & 5 as needed.
 7. Migrate PROD to the new platform, enable feature, index site.

This could be parked until D7/8 migration, or not... Ed's call.

= #715 Views admin pages not visible. =
Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: paul | Status: new | Created: 2014-04-08T15:51:29+01:00 | Changed: 2014-10-10T13:29:40+01:00 | Reporter: sam

Hi

I just tried to access the views admin interface here: https://www.transitionnetwork.org/admin/build/views

It doesn't load the views admin pages, just an overview of the 'site building' pages instead.

The page works as I expect it to on the stage site here: https://stg2.transitionnetwork.org/admin/build/views

I have checked and the module is still enabled. The permissions look right (site admin is allowed to administer views: https://www.transitionnetwork.org/admin/user/permissions)

Anyone got an idea what's going on?

Thanks
Sam

= #719 Transition Culture HTML Problems =
Component: Parrot server | Milestone: Maintenance | Type: defect | Owner: ed | Status: new | Created: 2014-04-14T21:07:09+01:00 | Changed: 2014-08-05T11:45:49+01:00 | Reporter: chris

If you look at old Transition Culture articles they had hyperlinks and blockquotes, for example:
 * https://web.archive.org/web/20070228081440/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

If you look at the version we now have this formatting has been lost and the first paragraph is a mess:
 * http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

The formatting wasn't lost when the new TC design was first deployed:
 * https://web.archive.org/web/20080429205320/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

It has happened since then. We should consider investigating what caused the problems and how they can be fixed? This might be a task that Simon would be best placed to undertake?

= #741 Views editor disappears in backend =
Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: paul | Status: new | Created: 2014-06-12T11:42:13+01:00 | Changed: 2014-10-10T13:38:32+01:00 | Reporter: annesley

admin > views > edit

the view editor interface appears and then disappears immediately

this happens in Chrome / Ubuntu and Firefox / Mac

= #742 Stg site to play with =
Component: Live server | Milestone: Maintenance | Type: defect | Owner: paul | Status: new | Created: 2014-06-12T15:35:42+01:00 | Changed: 2014-10-10T13:49:08+01:00 | Reporter: sam

Hi Paul

I'm trying to set up a stage site, just to test rearranging the homepage blocks.

I created a site on the "Transition Network D6 S012 Booker" Platform, but I just get an empty pressflow site: http://stgsam.transitionnetwork.org/

Can I use your stg site to test the block arrangement instead: https://booker-stage-20140501.transitionnetwork.org/

Or could you let me know what might be going wrong?

Thanks
Sam

= #761 Spam account cull =
Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: sam | Status: new | Created: 2014-07-17T09:45:33+01:00 | Changed: 2014-08-19T09:12:13+01:00 | Reporter: ed

There are bucketloads of spam accounts swamping us. Spam commenting is swarming again. I just did several pages of deleting spam accounts. No doubt I nailed some humans too (sorry Sam if this comes back to you); but the overwhelming majority of new accounts are spam.

It's crap and we need to have another spam sweep - especially if we're staying in D6 for a while.

See work done in Feb 2013: #461
See wiki page done in Feb 2013: https://wiki.transitionnetwork.org/Spam_accounts

SAM I'm going to suggest you start looking at it, and get your head around it, and the various modules and processes we've got running, then ask you to act/escalate accordingly.

= #767 robots.txt on dev site =
Component: Dev server | Milestone: Maintenance | Type: defect | Owner: ed | Status: new | Created: 2014-07-31T12:07:39+01:00 | Changed: 2014-07-31T23:19:41+01:00 | Reporter: sam

Hi Paul

Could you fix the robots.txt here: https://booker-stage-20140501.transitionnetwork.org/robots.txt

Ta
Sam

= #802 Slovenian state information missing / 'Not listed' will not submit =
Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: paul | Status: reopened | Created: 2014-10-23T11:20:29+01:00 | Changed: 2015-02-27T10:48:13Z | Reporter: sam

User reported:

"I'm trying to register our fledgling initiative based in Dovje-Mojstrana, Slovenia. When I select the country, the Province/State box automatically comes up as not listed. But then when I press preview to be ready to send, it says "The specified province was not found in the specified country." So I can't submit the form :-( Please help! I think we will be the first official Transition town in Slovenia!"

I had a go at creating the initiative in a different country, then editing it to Slovenia as a workaround, but that didn't work either: https://www.transitionnetwork.org/node/37435/edit

Any ideas as to why it won't accept 'not listed' as a valid choice? Or what we can do about it?

Thanks
Sam

= #834 Slovenian State info missing again =
Component: Live server | Milestone: Maintenance | Type: defect | Owner: paul | Status: new | Created: 2015-02-26T10:41:47Z | Changed: 2015-02-26T10:41:47Z | Reporter: sam

Hi Paul

The change that you made in this ticket: https://trac.transitionnetwork.org/trac/ticket/802

Seems to have been lost. I am no longer able to edit https://www.transitionnetwork.org/node/37435/edit as the state/province information is missing.

Could you re-do the change please?

Thanks
Sam

= #853 Parrot access please =
Component: Parrot server | Milestone: Maintenance | Type: defect | Owner: chris | Status: new | Created: 2015-05-19T18:07:13+01:00 | Changed: 2015-05-20T10:31:36+01:00 | Reporter: sam

Hi Chris

Ade & I were going to have a play around with making a proof of concept Wordpress microsite on Parrot.

Could you add me as a SSH user using the SSH keys associated with my sam@bristolwireless.net account so I can follow the instructions here: https://trac.transitionnetwork.org/trac/wiki/ParrotServer#AddingaNewWordPressSite

Or if you'd rather not do that, just spin up a site titled 'conference15' with a user 'conference15' and my TN email as the admin email.

Thanks
Sam

= #856 Blocked IP? =
Component: Unassigned | Milestone: Maintenance | Type: defect | Owner: chris | Status: new | Created: 2015-06-02T14:12:52+01:00 | Changed: 2015-06-02T14:21:27+01:00 | Reporter: sam

Hi Chris

I was trying to SSH into the site and got my password wrong a couple of times. Shortly afterwards the site appeared to be unavailable from this location. It seems fine in pingdom/proxy servers.

My guess is something like fail2ban or similar has added this IP to a blacklist? I wouldn't be too bothered except it's Ade's address and I think he probably wants access..

Could you check the logs if there is a blacklist and remove 146.198.11.57

Thanks
Sam

= #857 Tiny MCE weirdness =
Component: Unassigned | Milestone: Maintenance | Type: defect | Owner: paul | Status: new | Created: 2015-06-02T16:24:33+01:00 | Changed: 2015-06-03T13:08:44+01:00 | Reporter: sam

Hi Paul,

Myself & Rob have both run into an intermittent issue where when editing a panel page the WYSIWYG editor (Tiny MCE) sometimes appears, sometimes doesn't. When it doesn't appear you are left with the plain text html editor.

There seems to be no obvious pattern to it. So might be a tricky one to debug.

I see the version of Tiny MCE we are using is quite old, so I was thinking perhaps we should just try upgrading it on a dev server and see if that fixes it?

If this seems reasonable could you stick the latest Tiny MCE on your dev server so we could test it out there? Or if you have any other ideas for getting to the bottom of it..

Thanks
Sam

= #859 Subscription emails broken =
Component: Live server | Milestone: Maintenance | Type: defect | Owner: paul | Status: new | Created: 2015-06-16T14:08:44+01:00 | Changed: 2015-06-16T16:30:54+01:00 | Reporter: sam

Hi

just got this mail

"For some reason I realized I wasn't hearing from Rob. You might want to check your system because mine hasn't changed as far as I know."

Had a look in my inbox & the last mail from Drupal subscription system was on 27th of May.

I may be the guilty party, as I did go in to edit the message around this time. I'll investigate via the Drupal admin interface, but has anything else happened/been done that could have stopped the mails?

= #874 Please check & then install Georss if no problems =
Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: paul | Status: new | Created: 2015-09-29T14:31:02+01:00 | Changed: 2015-10-02T17:06:56+01:00 | Reporter: sam

Hi Paul

We'd like to play around with generating Georss from our current site. Could you have a glance at the code/test https://www.drupal.org/project/georss

If it seems like it's going to be unproblematic then please install it on the live site.

Thanks
Sam

= #890 Site offline. =
Component: Unassigned | Milestone: Maintenance | Type: defect | Owner: ade | Status: new | Created: 2015-12-12T10:54:36Z | Changed: 2015-12-23T12:15:02Z | Reporter: sam

It's serving a page, so may be Drupal level problem rather than server level? https://www.transitionnetwork.org/

= #893 BOA Cron Jobs =
Component: Live server | Milestone: Maintenance | Type: defect | Owner: chris | Status: new | Created: 2015-12-24T11:39:51Z | Changed: 2016-03-30T11:18:07+01:00 | Reporter: chris

All the BOA cron jobs were stopped on ticket:846#comment:88. This ticket is for looking at them all and deciding which, if any, are needed.

= #909 What's involved in enabling longer Piwik reports? =
Component: Piwik | Milestone: Maintenance | Type: defect | Owner: chris | Status: new | Created: 2016-03-10T15:47:27Z | Changed: 2016-03-15T22:06:47Z | Reporter: sam

Hi Chris

I seem to remember you were able to make Piwik run reports longer than a couple of months by adding some RAM? Is this a virtual thing you can do remotely? Or do you have to physically visit the box to make this happen?

I'd like to run longer reports to do a bit of analysis, but not if it's going to cost loads to make it happen.

Thanks
Sam

= #918 redirects? =
Component: Live server | Milestone: Maintenance | Type: defect | Owner: chris | Status: new | Created: 2016-07-14T13:33:42+01:00 | Changed: 2016-07-14T14:21:41+01:00 | Reporter: sam

Hi Chris

All going well I think we're going to move the TN.org site to Hetzner later today. I was just having a look through the zone file on Gandi. There's an entry: 'redirects A 81.95.52.111'

Do you know what that one does?

Thanks
Sam

= #606 Site upgrade tasks -- pre-migration cleanup =
Component: Drupal modules & settings | Milestone: Maintenance | Type: enhancement | Owner: ed | Status: new | Created: 2013-10-11T13:00:13+01:00 | Changed: 2013-11-04T11:18:23Z | Reporter: jim

This ticket is to track the issues left over from #590 that need to be considered and tackled prior to migrating the site from D6 to D7 (or 8). Please feel free to add as needed, but stick to the

== C) Cleanup: List of features we don't really need ==

Ed to add his items to following list... Need rationale and alternative approaches for each.

 * '''C.1) Remove 'Geographic region' and related taxonomy and Hierarchical Select modules''' 1 hour, low reward, low risk -- never really been used and is effectively a duplicate of the location field. let's kill it!
 * '''C.2) Kill Microsites and the Forums''' -- The handful of people using the CMS feature should be migrated to Open Atrium if they need such features.
 * '''C.3) Remove forums''' -- We could migrate the forum to a simpler setup (not using forum module) that leverages normal commenting, or even Disqus or other services to offload comments and moderation. Also encourage user-submitted content and promote that if it's good or gets interesting debate.

== D) Key development tasks ==

 * '''D.1) All inline PHP must be moved to modules and features''' -- This has great benefit for management, maintenance and developers. {{{eval()}}}uated code is much slower than PHP in files, especially since it can't be accelerated by APC or Zend Opcode cache... We have a few blocks and many views that are loaded from the database and evaluated. Ideally the blocks would be moved to the 'Transition Extras' module, and the views would be pushed into features. This work is good to do for maintainability and D7 upgrades, too. See: http://2bits.com/api/abuse-drupal-best-practices-your-own-peril-poor-performance.html and http://2bits.com/articles/free-your-content-php-moving-php-code-out-blocks-views-and-nodes.html
 * '''D.2) Build in ESI (Edge Side Includes) support from the outset, ensure Drupal renders only what it needs to''' -- BOA packages the [https://drupal.org/project/esi ESI (Edge Side Includes integration) module], which makes NginX cache the whole page (as it does now), but also for user-logged in pages (which it does for 5 seconds since the page data changes). This means Drupal renders only the ESI components (blocks, panels panes) that have user-specific data in. Potential boost quickly, but will need time to tweak settings to get best from this across whole site. See [https://tech.transitionnetwork.org/trac/ticket/590#comment:4 comments in 4 & 5 below for discussion]~~, should be done after proposal F, above~~.

== E) Key editorial tasks ==

 * '''E.1) More Taxonomy cleanup''' -- try to merge terms with the same names, clear out spammy terms, general spit-and-polish. Ed plus team of busy interns to do this when the time is right.

== Z) old stuff for reference; tasks from #590 rendered pointless by move ==

 * '''Z.1) Find Variable table writes and kill them''' -- seeing plenty of SELECT * FROM variable calls, which imply a cache clear due to a variable being set. In normal use variables shouldn't be set (admin screens tend to do this), so I'd like to try to see what module is causing this and patch/remove it. Will need to run {{{grep -R "variable_set(" * > ~/static/variable_set-calls.txt}}} in the {{{sites/all}}} directory to generate a list, then trawl through it to find candidates/bad module practice.

= #655 Add social media icons with counters to blogs listings views =
Component: Drupal modules & settings | Milestone: Maintenance | Type: enhancement | Owner: sam | Status: accepted | Created: 2013-12-12T13:03:11Z | Changed: 2014-04-16T12:06:47+01:00 | Reporter: ed

Investigate with Rob how to add Social media icons with counters into the /blogs listings views and individual node views.

I suggest starting with just Rob's blogs (/rob-hopkins), separate context for 'Transition Culture section' and then roll it out over other blogs and maybe news content type once the /rob-hopkins has been trialled

Sam to talk with Rob

Also cc-ing Ben as design - theme guy

= #727 Change background on block from orange to white =
Component: Theme | Milestone: Maintenance | Type: enhancement | Owner: paul | Status: assigned | Created: 2014-05-16T11:02:17+01:00 | Changed: 2014-10-10T14:06:32+01:00 | Reporter: sam

Hi Ben

Rob wants a list of the themes presented in a block. I did the block: https://www.transitionnetwork.org/admin/build/block/configure/block/97

But it appears with an orange background. The block is visible towards the bottom of the page (for logged in admins) here: https://www.transitionnetwork.org/blogs/rob-hopkins

If I put the block on other pages it appears with a white background. I tried to hack it with some inline CSS but failed.

Could you take a look?

Thanks
Sam

= #855 Piwik plugins =
Component: Piwik | Milestone: Maintenance | Type: enhancement | Owner: chris | Status: new | Created: 2015-05-26T13:10:13+01:00 | Changed: 2015-05-26T13:37:54+01:00 | Reporter: sam

Hi Chris

I spotted Piwik has some plugins to extend its usefulness. I'm quite interested in playing with some of them, particularly the clickheat one: https://stats.transitionnetwork.org/index.php?module=CorePluginsAdmin&action=userBrowsePlugins&idSite=1&period=range&date=previous30&activated=#

Is it OK for me to install it to try? Or do you think the whole thing would grind to a halt?

Thanks
Sam

= #868 Is conference15.tn.org backed up in a convenient manner? =
Component: Parrot server | Milestone: Maintenance | Type: enhancement | Owner: chris | Status: new | Created: 2015-07-28T14:05:25+01:00 | Changed: 2015-07-28T21:07:40+01:00 | Reporter: sam

Hi Chris

I was just wondering if the conference site is backed up in such a way that it would be easy to restore? I could set up a database backup onto some free file hosting if not?

Thanks
Sam

= #537 Parrot setup and documentation =
Component: Parrot server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2013-04-30T12:11:36+01:00 | Changed: 2014-04-02T11:25:04+01:00 | Reporter: chris

Things done setting up parrot.webarch.net -- a new virtual machine for running Wordpress sites, see wiki:ParrotServer

= #540 HTTPS for WordPress sites =
Component: Parrot server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2013-05-01T21:20:32+01:00 | Changed: 2014-04-02T20:47:23+01:00 | Reporter: chris

Currently the wiki:WordPress sites have the following SSL certificates:

 * https://www.intransitionmovie.com/ -- Gandi commercial certificate and dedicated IP address
 * https://www.reconomy.org/ -- CAcert non-commercial certificate and shared IP address (SNI)
 * https://www.earthinheritors.net/ -- CAcert non-commercial certificate and shared IP address (SNI)
 * https://parrot.transitionnetwork.org/ -- Gandi TN wild card cert and shared IP address (SNI)
 * https://parrot.webarch.net/ -- CAcert non-commercial certificate, this is the default site for clients without SNI support

None of the sites are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com

I think we have several options going forward, the first 3 of these are the only viable ones though, IMHO:

== SNI and Separate Certs and Shared IP ==

Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each. The clients that don't work with SNI are listed here: https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side

== Multi-domain Cert and Shared IP ==

Get a Gandi SSL cert with all the domains in, this is a little more expensive than separate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding a new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI).

== Separate Certs and Dedicated IPs ==

Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up an IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option.

== Non-commercial CAcert Cert ==

This is the cheapest, it's fine if people are able to install the http://cacert.org/ root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option.

= #582 TN.org platform and sites =
Component: Drupal modules & settings | Milestone: Maintenance | Type: maintenance | Owner: sam | Status: assigned | Created: 2013-09-02T10:30:02+01:00 | Changed: 2014-02-09T13:38:20Z | Reporter: jim

The TN.org platform and Drupal site updates are to be tracked in this ticket.

Current PROD platform build = '''P009'''
Current STG platform build = '''S010'''

Updates pending:
 * SECURITY UPDATE - NO RISK: Pressflow core 6.30 is due, but the security holes fixed do not affect us, low priority. Platforms: present in S010, but not in P009.

= #587 Puffin MySQL Tuning =
Component: Live server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: assigned | Created: 2013-09-05T13:54:47+01:00 | Changed: 2016-01-03T20:14:47Z | Reporter: chris

This ticket is to track the tuning we do to MySQL on PuffinServer.

See also previous comments on this issue:
 * ticket:555#comment:12
 * ticket:555#comment:15
 * ticket:555#comment:16
 * ticket:555#comment:17
 * ticket:555#comment:20
 * ticket:555#comment:29
 * ticket:555#SettingsChanged
 * ticket:555#comment:39
 * ticket:555#comment:56
 * ticket:555#comment:57
 * ticket:555#comment:60
 * ticket:555#comment:65
 * ticket:555#comment:66
 * ticket:555#comment:67
 * ticket:555#comment:68
 * ticket:555#comment:82
 * ticket:555#comment:85

= #619 Upgrade WordPress sites to 3.9.1 =
Component: Parrot server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2013-11-15T14:38:05Z | Changed: 2014-12-19T10:25:03Z | Reporter: chris

News regarding the WordPress versions released since the sites were upgraded to 3.6.1 on ticket:594

 * https://wordpress.org/news/2013/10/wordpress-3-7-1/
 * https://wordpress.org/news/2013/10/basie/

We should consider how best to upgrade the wiki:WordPress sites running on wiki:ParrotServer and then ensure that they are upgraded.

= #692 Debian Updates =
Component: Live server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new | Created: 2014-02-25T15:16:17Z | Changed: 2016-11-21T10:45:45Z

This is a ticket to track debian upgrades to the wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer and the time they take.

See:
 * [http://lists.debian.org/debian-security-announce/recent Recent Debian security announcements]
 * [https://lists.debian.org/debian-lts-announce/recent Recent Debian LTS security announcements]
 * [http://lists.askmonty.org/pipermail/announce/ MariaDB Announce List archives]
 * [http://groups.google.com/group/phusion-passenger-announcements phusion-passenger-announcements archive]

These updates are generally done using the wiki:AptitudeUpdateScript and this records all the changes in the {{{/root/Changelog}}} and then the contents of the Changelog are pasted into the ticket to document the upgrade.

This ticket took over from ticket:218 on 2014-02-25.
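Ticket 692 records each update run by pasting the /root/Changelog entries into the ticket. The script below is an added example and is not the wiki:AptitudeUpdateScript (whose contents are not on this page): it takes the output of a simulated `apt-get -s upgrade` run, keeps only the installs whose candidate version comes from a Debian-Security source, and appends them under a UTC timestamp to a changelog file, so the security-relevant part of an update is separated from the rest before anything is applied. The apt-get output in SAMPLE_APT_SIM is constructed, as are the package versions in it.

```shell
#!/bin/sh
# Added example for ticket 692, not the wiki:AptitudeUpdateScript itself:
# list the pending upgrades that come from a Debian-Security source and
# append them, dated, to a changelog file such as /root/Changelog.
set -e

# Read "apt-get -s upgrade" output on stdin and print one line per security
# update: "<package> <installed version> -> <candidate version>".
# Only "Inst" lines count; the later "Conf" lines for the same packages are ignored.
security_pending() {
    awk '$1 == "Inst" && index($0, "Debian-Security") {
        old = substr($3, 2, length($3) - 2)   # "[1.0.1e-2+deb7u6]" -> "1.0.1e-2+deb7u6"
        new = substr($4, 2)                   # "(1.0.1e-2+deb7u7" -> "1.0.1e-2+deb7u7"
        print $2, old, "->", new
    }'
}

# Append whatever is on stdin to the changelog $1 under a UTC timestamp header,
# indented so the entry pastes into the ticket as a preformatted block.
record_changelog() {
    {
        printf '%s security updates pending (apt-get -s upgrade)\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        sed 's/^/    /'
    } >> "$1"
}

# Constructed sample of "apt-get -s upgrade" output; not real output from puffin.
SAMPLE_APT_SIM='Reading package lists...
Building dependency tree...
Inst openssl [1.0.1e-2+deb7u6] (1.0.1e-2+deb7u7 Debian-Security:7.0/stable [amd64])
Inst libssl1.0.0 [1.0.1e-2+deb7u6] (1.0.1e-2+deb7u7 Debian-Security:7.0/stable [amd64])
Inst vim [2:7.3.547-7] (2:7.3.547-7+deb7u1 Debian:7.5/stable [amd64])
Conf openssl (1.0.1e-2+deb7u7 Debian-Security:7.0/stable [amd64])'

# Real use: apt-get -s upgrade | security_pending | record_changelog /root/Changelog
# Demo on the constructed sample: sh this_script.sh --demo [changelog-file]
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_APT_SIM" | security_pending | record_changelog "${2:-/dev/stdout}"
fi
```

The filter keys on the archive name in the candidate's source list, so a package that is newer in both the point-release and the security archive is still reported; the non-security vim update in the sample is dropped. Run the simulation before the real upgrade and the resulting changelog block is what goes into the ticket comment.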
chris Active Tickets 701 Emails & Telephone calls Drupal modules & settings Maintenance maintenance paul assigned 2014-03-18T09:38:24Z 2016-11-17T12:29:27Z paul Active Tickets 711 Emails & Telephone calls Unassigned Maintenance maintenance paul assigned 2014-04-01T14:47:56+01:00 2014-09-01T22:54:19+01:00 paul Active Tickets 712 Create a new stgX.transitionnetwork.org site Drupal modules & settings Maintenance maintenance paul reopened 2014-04-01T16:03:53+01:00 2014-10-10T14:14:43+01:00 "Hi Paul I have been trying to build a staging site using your Github repository with the changes you made for ticket : https://trac.transitionnetwork.org/trac/ticket/693 I have edited the D6 s008 platform: https://tn.puffin.webarch.net/node/1157/edit to use your makefile. It builds a site, but I just get an empty pressflow site at the end. Could you build a staging site using your makefile? Thanks Sam" sam Active Tickets 750 Annual update of SSL cert fingerprint for incoming emails to Trac Trac Maintenance maintenance chris new 2014-06-26T14:42:42+01:00 2016-04-07T13:12:14+01:00 "Laura said she had replied to Trac email today but they didn't get through. The issue has come up before, see wiki:TransitionTrac#Fetchmail " chris Active Tickets 758 * Advisory ID: DRUPAL-SA-CORE-2014-003 Drupal modules & settings Maintenance maintenance paul assigned 2014-07-16T22:55:29+01:00 2014-10-10T14:17:15+01:00 "View online: https://www.drupal.org/SA-CORE-2014-003 * Advisory ID: DRUPAL-SA-CORE-2014-003 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2014-July-16 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. .... 
Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical) Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. .... Access bypass (File module - Drupal 7 - Critical) The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. Note: The Drupal 6 FileField [3] module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass [4]) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected. .... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical) A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules. This vulnerability is mitigated by the fact that it requires the ""administer taxonomy"" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself. .... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical) A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field. 
This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [5] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 6.x versions prior to 6.32. * Drupal core 7.x versions prior to 7.29. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x, upgrade to Drupal core 6.32. [6] * If you use Drupal 7.x, upgrade to Drupal core 7.29. [7] Also see the Drupal core [8] project page. -------- REPORTED BY --------------------------------------------------------- * The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy [9]. * The access bypass vulnerability in the File module was reported by Ivan Ch [10]. * The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi [11]. * The cross-site scripting vulnerability in the Ajax system was reported by mani22test [12]. -------- FIXED BY ------------------------------------------------------------ * The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy [13], and by Klaus Purer [14] of the Drupal Security Team. * The access bypass vulnerability in the File module was fixed by Nate Haug [15] and Ivan Ch [16], and by Drupal Security Team members David Rothstein [17], Heine Deelstra [18] and David Snopek [19]. * The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison [20] of the Drupal Security Team. * The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm [21] of the Drupal Security Team. 
-------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team [22] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [23]. Learn more about the Drupal Security team and their policies [24], writing secure code for Drupal [25], and securing your site [26]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [27] [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/filefield [4] https://www.drupal.org/node/2304561 [5] http://cve.mitre.org/ [6] https://www.drupal.org/drupal-6.32-release-notes [7] https://www.drupal.org/drupal-7.29-release-notes [8] http://drupal.org/project/drupal [9] https://www.drupal.org/user/1367862 [10] https://www.drupal.org/user/556138 [11] https://www.drupal.org/u/chx [12] https://www.drupal.org/user/2844779 [13] https://www.drupal.org/user/1367862 [14] https://www.drupal.org/user/262198 [15] https://www.drupal.org/user/35821 [16] https://www.drupal.org/user/556138 [17] https://www.drupal.org/user/124982 [18] https://www.drupal.org/user/17943 [19] https://www.drupal.org/user/266527 [20] https://www.drupal.org/u/greggles [21] https://www.drupal.org/u/drumm [22] http://drupal.org/security-team [23] http://drupal.org/contact [24] http://drupal.org/security-team [25] http://drupal.org/writing-secure-code [26] http://drupal.org/security/secure-configuration [27] https://twitter.com/drupalsecurity _______________________________________________ Security-news mailing list Security-news@drupal.org Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news" paul Active Tickets 759 [Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass Unassigned Maintenance maintenance ed new 2014-07-16T22:59:46+01:00 2014-07-31T22:52:26+01:00 "View online: 
https://www.drupal.org/node/2304561 * Advisory ID: DRUPAL-SA-CONTRIB-2014-071 * Project: FileField [1] (third-party module) * Version: 6.x * Date: 2014-July-16 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The FileField module enables you to define and use fields that contain files. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * FileField 6.x-3.x versions prior to 6.x-3.13. Drupal core is not affected. If you do not use the contributed FileField [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ * If you use the FileField module for Drupal 6.x, upgrade to Filefield 6.x-3.13 [5], and also update to Drupal core 6.32 [6] (see SA-CORE-2014-003 [7]). -------- REPORTED BY --------------------------------------------------------- * Ivan Ch [8] -------- FIXED BY ------------------------------------------------------------ * Nate Haug [9] * Ivan Ch [10] * David Snopek [11] of the Drupal Security Team. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. 
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/filefield [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/filefield [5] https://www.drupal.org/node/2304517 [6] https://www.drupal.org/drupal-6.32-release-notes [7] https://www.drupal.org/SA-CORE-2014-003 [8] https://www.drupal.org/user/556138 [9] https://www.drupal.org/user/35821 [10] https://www.drupal.org/user/556138 [11] https://www.drupal.org/user/266527 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity" paul Active Tickets 764 Policy decisions re-assessment on BOA and Drupal security updates Unassigned Maintenance maintenance annesley new 2014-07-22T15:10:38+01:00 2014-10-03T15:50:24+01:00 "on-line meeting 5 / August @ 14:00 GMT: we are phasing out the current D6 / BOA system. the new system may not use either. The TN.org website is not attractive to high level hackers or DOS attacks. what are the risks with cancelling all further Unix, BOA and Drupal updates completely that do not allow direct un-mitigated access to the backend via bad PHP code / SQL?" 
annesley Active Tickets 789 SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS) Drupal modules & settings Maintenance maintenance ed new 2014-09-22T14:09:48+01:00 2014-10-03T13:02:10+01:00 "View online: https://www.drupal.org/node/2340029 * Advisory ID: DRUPAL-SA-CONTRIB-2014-088 * Project: Mollom [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-September-17 * Security risk: 11/25 ( Moderately Critical) AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Mollom is an ""intelligent"" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites. Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for ""Flag as Inappropriate"" within the Mollom advanced configuration settings (which is not the default setting). -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10 * Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10 Drupal core is not affected. If you do not use the contributed Mollom [4] module, there is nothing you need to do. 
-------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.11 [5] * If you use the Mollom module for Drupal 7.x, upgrade to Mollom 7.x-2.11 [6] Also see the Mollom [7] project page. -------- REPORTED BY --------------------------------------------------------- * Matt Vance [8] -------- FIXED BY ------------------------------------------------------------ * Lisa Backer [9] the module maintainer * Matt Vance [10] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. 
[1] https://www.drupal.org/project/mollom [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/mollom [5] https://www.drupal.org/node/2338787 [6] https://www.drupal.org/node/2338789 [7] https://www.drupal.org/project/mollom [8] https://www.drupal.org/user/88338 [9] https://www.drupal.org/user/1951462 [10] https://www.drupal.org/user/88338 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration " paul Active Tickets 792 [Security-news] SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS) Drupal modules & settings Maintenance maintenance ed new 2014-09-29T10:28:08+01:00 2014-09-29T11:15:48+01:00 "View online: https://www.drupal.org/node/2344369 * Advisory ID: DRUPAL-SA-CONTRIB-2014-094 * Project: Webform Patched [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-September-24 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission ""create webform content"". 
-------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Webform Patched 6.x-3.x versions prior to 6.x-3.20. * Webform Patched 7.x-3.x versions prior to 7.x-3.20. Drupal core is not affected. If you do not use the contributed Webform Patched [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the webform module for Drupal 6.x, upgrade to webform_patched 6.x-3.20 [5] * If you use the webform module for Drupal 7.x-3.x, upgrade to webform_patched 7.x-3.20 [6] Also see the Webform Patched [7] project page. -------- REPORTED BY --------------------------------------------------------- * Maurits Lawende [8] * Matt Vance [9] -------- FIXED BY ------------------------------------------------------------ * Nate Haug [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11], Dan Smith [12] and Lee Rowlands [13] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. 
[1] https://www.drupal.org/project/webform_patched [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/webform_patched [5] http://drupal.org/node/2241675 [6] http://drupal.org/node/2241685 [7] https://www.drupal.org/project/webform_patched [8] http://drupal.org/user/243897 [9] https://www.drupal.org/user/10269 [10] http://drupal.org/user/35821 [11] http://drupal.org/user/36762 [12] http://drupal.org/user/241220 [13] https://drupal.org/user/395439 [14] https://www.drupal.org/contact [15] https://www.drupal.org/security-team [16] https://www.drupal.org/writing-secure-code [17] https://www.drupal.org/security/secure-configuration " paul Active Tickets 804 Investigating the site security following SA-CORE-2014-005 (Drupal 7.32) Unassigned Maintenance maintenance ed new 2014-11-03T15:20:25Z 2014-12-04T13:02:39Z "It was discovered that TN could have been compromised from the recent security vulnerability (even though we are running Drupal 6) as the site is using the DBTNG module. However the site doesn't appear to have been compromised. I'll post my findings shortly." paul Active Tickets 808 WordPress email being rejected due to From field Parrot server Maintenance maintenance chris new 2014-11-17T19:28:23Z 2014-12-09T12:06:23Z "This issue is like ticket:737 but with WordPress rather than Drupal causing the problem. Laura has forwarded one of the returned emails which contains: > host aspmx.l.google.com [173.194.67.26]: > 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's > 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if > 550-5.7.1 this was a legitimate mail. 
Please visit > 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC " chris Active Tickets 809 [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006 Drupal modules & settings Maintenance maintenance paul new 2014-11-19T21:35:25Z 2014-12-05T16:32:44Z "View online: https://www.drupal.org/SA-CORE-2014-006 * Advisory ID: DRUPAL-SA-CORE-2014-006 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2014-November-19 * Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- .... Session hijacking (Drupal 6 and 7) A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content (""mixed-mode"" [3]), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7. .... Denial of service (Drupal 7 only) Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). This vulnerability can be exploited by anonymous users. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 6.x versions prior to 6.34. * Drupal core 7.x versions prior to 7.34. 
-------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x, upgrade to Drupal core 6.34. [5] * If you use Drupal 7.x, upgrade to Drupal core 7.34. [6] If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7] Also see the Drupal core [8] project page. -------- REPORTED BY --------------------------------------------------------- Session hijacking: * Aaron Averill [9] Denial of service: * Michael Cullum [10] * Javier Nieto [11] * Andrés Rojas Guerrero [12] -------- FIXED BY ------------------------------------------------------------ Session hijacking: * Klaus Purer [13] of the Drupal Security Team * David Rothstein [14] of the Drupal Security Team * Peter Wolanin [15] of the Drupal Security Team Denial of service: * Klaus Purer [16] of the Drupal Security Team * Peter Wolanin [17] of the Drupal Security Team * Heine Deelstra [18] of the Drupal Security Team * Tom Phethean [19] -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [20]. Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23]. 
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [24] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/https-information [4] http://cve.mitre.org/ [5] https://www.drupal.org/drupal-6.34-release-notes [6] https://www.drupal.org/drupal-7.34-release-notes [7] https://www.drupal.org/node/2378367 [8] https://www.drupal.org/project/drupal [9] https://www.drupal.org/user/1317732 [10] https://www.drupal.org/u/MichaelCu [11] https://www.drupal.org/u/jnietotn [12] https://www.drupal.org/u/c0r3dump3d [13] https://www.drupal.org/u/klausi [14] https://www.drupal.org/u/David_Rothstein [15] https://www.drupal.org/u/pwolanin [16] https://www.drupal.org/u/klausi [17] https://www.drupal.org/u/pwolanin [18] https://www.drupal.org/u/Heine [19] https://www.drupal.org/u/tsphethean [20] https://www.drupal.org/contact [21] https://www.drupal.org/security-team [22] https://www.drupal.org/writing-secure-code [23] https://www.drupal.org/security/secure-configuration [24] https://twitter.com/drupalsecurity" paul Active Tickets 819 Trac anti-spam measures Trac Maintenance maintenance chris new 2014-12-19T10:28:01Z 2014-12-19T11:29:23Z "Today we had our first item of Trac spam, ticket:818, since the open email interface was enabled almost 2 years ago on ticket:494. This ticket has been created to investigate and implement some anti-spam measures. " chris Active Tickets 847 Upgrade Servers to Debian Jessie Live server Maintenance maintenance chris new 2015-04-27T10:30:11+01:00 2016-05-20T14:19:18+01:00 "The latest version of [https://www.debian.org/News/2015/20150426 Debian, Jessie, 8.0], came out over the weekend, we should consider upgrading the three servers, PuffinServer, PenguinServer and ParrotServer and what issues would arise when we do. 
See the documentation on [https://www.debian.org/releases/jessie/amd64/release-notes/ch-upgrading.en.html Upgrades from Debian 7 (wheezy)] and [https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html Issues to be aware of for jessie], specifically: * [https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8 Lack of security support for the ecosystem around libv8 and Node.js] * [https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#apache-httpd-incomat Incompatible changes in Apache HTTPD 2.4] * [https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#php-incompat PHP 5.6 upgrade has behavioral changes] " chris Active Tickets 851 Bot attacks on Transition Culture Parrot server Maintenance maintenance chris new 2015-05-10T12:12:12+01:00 2015-05-10T12:26:01+01:00 Yesterday there was a load spike on ParrotServer caused by a bot doing thousands of POSTs to {{{xmlrpc.php}}}. chris Active Tickets 871 Brute Force Attacks Against WordPress Sites Parrot server Maintenance maintenance chris new 2015-09-21T14:41:26+01:00 2015-09-21T14:41:26+01:00 "Today there have been 53,932 attempts to login to the [http://www.transitiontowntotnes.org/ TTT web site] on [[ParrotServer]] all from the same IP address: {{{ grep POST /home/ttt/logs/access.log | grep wp-login.php | grep 217.174.240.254 | wc -l 53932 }}} I noticed this due to the higher than usual load it was generating. Would it be OK to spend an hour or two installing the [https://wordpress.org/plugins/wp-fail2ban/ WP fail2ban] plugin on all the sites on the server? 
Some more background on this issue: * https://docs.webarch.net/wiki/WordPress#Brute_Force_Attacks" chris Active Tickets 873 New Wordpress site please Parrot server Maintenance maintenance chris new 2015-09-22T13:25:12+01:00 2015-10-20T14:44:05+01:00 "Hi Chris I couldn't ssh into parrot for some reason, I think you said you created me a 'sam' user on there but I can't get in. So could you set up a new Wordpress site on there. wpdev.tn.org or similar, it's only going to be for testing some stuff so URL doesn't really matter. Thanks Sam " sam Active Tickets 875 Free HTTPS certificates from Let's Encrypt Live server Maintenance maintenance chris new 2015-10-05T11:48:11+01:00 2015-10-05T18:25:05+01:00 "From mid November 2015 [https://www.letsencrypt.org/ Let's Encrypt] should be live, providing free SSL/TLS certificates. Currently the TN pays for a Gandi wild card cert, costing £130.50 a year, in addition most of the WordPress sites on ParrotServer don't have certs due to the cost, see ticket:540. The [https://github.com/letsencrypt/letsencrypt Let's Encrypt code] is designed to be set up to run automatically -- certs are only valid for 90 days and the automatic renewal process runs when the cert is 60 days old. We should consider if we want to use [https://www.letsencrypt.org/ Let's Encrypt] and what things would need to be put in place to use it, the wild card cert is due to expire on 22/01/16. 1. PuffinServer -- are we still going to be running PuffinServer in January 2016? Is there any chance that we might be able to consider the suggestions in ticket:754#comment:61? I'm not sure if I want to spend time trying to get Let's Encrypt working with [ticket:872 an old version of BOA], up to date versions of BOA might [https://github.com/omega8cc/boa/issues/500 support it out of the box]. 2. 
PenguinServer -- this site hosts a lot of sites, see [https://penguin.transitionnetwork.org/ the listing], automating Let's Encrypt would probably be an hour or two of work, it might make sense to upgrade it to Debian Jessie at the same time. 3. ParrotServer -- I suggest we rebuild this server from scratch, this would enable it to have the latest version of the [https://docs.webarch.net/wiki/Webarch_Secure_Hosting Webarch Secure Hosting scripts] and this includes support for fail2ban for WordPress and phpMyAdmin, thus solving ticket:871 and includes automatic provisioning of Let's Encrypt certs for sites. What do people think?" chris Active Tickets 879 MediaWiki 1.23.11 Mediawiki Maintenance maintenance chris new 2015-10-16T09:42:45+01:00 2015-10-16T09:42:45+01:00 "Email on [https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000180.html the announcements list]: {{{ Tomorrow we will be issuing a security release to all supported branches of MediaWiki. The new releases will be: 1.25.3 1.24.4 1.23.11 Fixes will be available in these respective release branches, the unreleased 1.26.x branch, and master. Tarballs will be available for the above mentioned point releases as well. This security release will encompass core only, no bundled extensions are affected. }}}" chris Active Tickets 881 Site on ParrotServer with a memory leak? Parrot server Maintenance maintenance chris accepted 2015-10-23T12:19:04+01:00 2015-10-24T14:36:01+01:00 "It appears a site, or application, on ParrotServer might have a memory leak. [[Image(parrot-memory-pinpoint-1411038915-1445598915.png)]]" chris Active Tickets 884 RE: http://news.transitionnetwork.org Live server Maintenance maintenance ade new 2015-12-03T12:40:03Z 2015-12-07T11:40:03Z "{{{ Hi Chris, All Can you help me to reset my password for paulbooker for news.transitionnetwork.org? 
I just tried to use the reset password form but I never received an email and when I looked at the settings.php file for the website (generated by Aegir) I couldn't see immediately where to find the database. I think I may have missed some recent updates to news.transitionnetwork.org so urgently need to resolve this today. Not sure how this has fallen off my radar, but, I just noticed that news.transitionnetwork.org is no longer mentioned on the platform page on Aegir so may have got into thinking that this site no longer exists. http://news.transitionnetwork.org https://tn.puffin.webarch.net/hosting/platforms -- Paul Booker Drupal Support for Websites and Linux Servers Website: http://www.paulbooker.co.uk Tel: +44 01922 861636 }}} " paul Active Tickets 894 Brute Force Attacks Against WordPress XMLRPC Parrot server Maintenance maintenance chris new 2016-01-07T11:23:51Z 2016-01-08T11:08:05Z "For a few months I have seen a lot of requests going to WordPress `/xmlrpc.php` and wasn't sure why, now it is clear: > Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request. > > https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html I'd like to install [https://wordpress.org/plugins/stop-xmlrpc-attack/ Stop XML-RPC Attack] on all the WordPress sites we host, unless anyone has a good reason not to. This plugin simply whitelists the !JetPack/Automattic's subnets and blocks all other access to `/xmlrpc.php`. 
I started tracking the abuse a while ago and you can see it and manually address it on ParrotServer like this: {{{ sudo -i wp-xmlrpc-abuse IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log: 2 46.148.XX.XX 733 195.62.53.243 177 195.62.53.243 2 66.76.XX.XX dig -x 195.62.53.243 +short 53-243.static.spheral.ru. ipdrop 195.62.53.243 }}} But we need to be more pro-active in blocking access or we are going to probably see some compromised sites. " chris Active Tickets 897 Hosting information/requirements for 2016 Live server Maintenance maintenance chris new 2016-01-19T10:14:57Z 2016-01-21T13:56:46Z This is a ticket to track the time spent on an email thread with Ade. chris Active Tickets 898 Fwd: Access to Drupal Live server Maintenance maintenance chris accepted 2016-01-26T17:35:05Z 2016-01-26T20:38:00Z "{{{ Hi Chris, The web team at the development agency are requesting access to the webserver so that they can look at the sites make up. (Please see below) Would you please set up an account so that they can get root read access? I guess this would be done via FTP, but your thoughts greatly appreciated. best regards Ade ---------- Forwarded message ---------- From: Ainslie Beattie Date: 26 January 2016 at 17:25 Subject: Fwd: Access to Drupal To: Sam Rossiter , Ade Stuart < adestuart@transitionnetwork.org>, Yvonne Struthers Hey both, can you please action this urgently so that Yoke can have access. Cheers ---------- Forwarded message ---------- From: ""Yvonne Struthers"" Date: 26 Jan 2016 10:58 Subject: Access to Drupal To: Cc: Hi Ainslie, Just a quick email as I'm out seeing a client today,but just to say,it looks like you have only given us access to the database. What we need please is admin access to the Drupal site and to the code base so that we can get a sense of how it's all set up. Thanks in advance! 
Yvonne Sent from my iPhone -- Ade Stuart Web Manager - Transition network 07595 331877 The Transition Network is a registered charity address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK website: www.transitionnetwork.org TN company no: 6135675 TN charity no: 1128675 }}} " ade Active Tickets 901 Enable SSH access to PuffinServer for Ade Live server Maintenance maintenance chris new 2016-02-03T13:25:27Z 2016-02-04T12:08:06Z This is a ticket to track the time spent sorting out SSH access for Ade to PuffinServer. chris Active Tickets 903 Large load spike on PuffinServer Live server Maintenance maintenance chris new 2016-02-08T08:46:37Z 2016-02-09T11:10:10Z There was a large load spike this morning on PuffinServer, which appears to have been caused by 12k requests for pages (Nginx doesn't log requests for anything other than PHP generated pages) from one IP address; this IP address has been blocked and I'll post some details below. chris Active Tickets 904 Issues to consider in the migration from Drupal to WordPress Live server Maintenance maintenance chris new 2016-02-19T10:41:04Z 2016-02-19T12:07:48Z A few weeks ago Ade said he thought it would be worth me opening a ticket to use to flag up some issues to be considered in the migration of the [https://www.transitionnetwork.org.uk/ Transition Network site] from Drupal 6 to WordPress. chris Active Tickets 907 TN Drupal database size Drupal modules & settings Maintenance maintenance chris new 2016-03-02T10:20:10Z 2016-03-10T10:58:42Z "6 weeks ago the database dump was 447M, see trac:ticket/896#comment:3 but now it is 1.8G: {{{ ls -lah /var/backups/mysql/sqldump/transitionnetw_0.sql -rw------- 1 root root 1.8G Mar 2 01:23 /var/backups/mysql/sqldump/transitionnetw_0.sql }}} Anyone have any idea what happened to cause this? Are we keeping too many log entries?" 
chris Active Tickets 919 Site offline Drupal modules & settings Maintenance maintenance chris new 2016-07-14T19:17:26+01:00 2016-07-14T19:25:02+01:00 "The https://www.transitionnetwork.org/ site has been ""off-line"" since about 7pm, I see that Paul is logged on via `ssh` -- is this something that we should worry about or is this intentional?" chris Active Tickets 626 Add redirect from an old CMS to a new URL Live server Maintenance task chris new 2013-11-20T12:11:14Z 2014-01-15T09:55:37Z "Can Ed add a redirect from: https://www.transitionnetwork.org/cms/haddenham to another URL easily? Or does he need to ask Chris to do it? " ed Active Tickets 638 Question about notifications option for content creators Unassigned Maintenance task ed assigned 2013-11-28T12:32:57Z 2013-12-02T12:12:30Z "Content creators (news, Rob's blog, social reporters) struggle with the notifications. the problem is that they forget to click the option to 'do not send notifications for this update' and then notifications are sent out. It is easy for us to think this is easy for them, but when you are bashing stuff out in a hurry, it's easy to forget this fiddly bit. CAN WE set drupal to NOT send notifications out as standard for some of the content types? And change it so that the content creators (news, Rob's blog, social reporters) choose to SEND notifications out instead (of NOT sending them) ? " ed Active Tickets 661 Add button block to homepage RHS: Send us your news stories Drupal modules & settings Maintenance task sam new 2013-12-17T15:34:53Z 2014-04-01T09:39:00+01:00 "January: Create button for TN homepage and /news and /blogs to encourage people to send in stories. 1. create button like the existing ones - e.g: https://www.transitionnetwork.org/admin/build/block/configure/block/89?destination=newhome 2. add suitably pithy text 3. 
if in doubt about style, read Ben's style cheatsheet on google docs: https://docs.google.com/document/d/1z6JYGiy8EJ6pqjm_WyNUS26fQgIClmIFg0a-8y-Mots/edit#heading=h.siua52eim2e9 4. this will need to be an email forwarder to send to Rob instead of a http link as per the other buttons, so you'll need to set one up on United's dashboard using the main 'jmcgeechan' account cc-ing benj as he can be around to help with positioning/button make if an issue - but can't do email forwarder set up - and don't forget sam - if you're too busy you can always farm it out to ben (although this is probably a bit easy for ben, he'll know about how to get blocks in the right order)" ed Active Tickets 690 Paul learning the ways of the force. Unassigned Maintenance task ed new 2014-02-20T15:00:41Z 2014-03-03T15:07:11Z "I'm not a jedi yet #### Transition Network Week ending 16 February Monday (0,45) Phone call | Emails (not issues) | Creating a test site on Aeigr Tuesday (0.45) Reading Wiki pages | Setting up local server (Generated notes for WIki) Wednesday (0.45) Reading wiki pages: setting up a platform / cloning a stage site. Friday (3.00) Reading wiki pages , listening to Jim's talks, Emails (not issues). (Generated notes for WIki for setting up a local server) Finished reading wiki. I'll re-read these as required on my own time going forward. 
Week ending 23 February Monday (0,15) Emails (not issues) (Mailing list) Thursday (0,30) Phone call / Emails (not issues) Total 6, 00 hours" paul Active Tickets 734 Create Trac & Wiki account for Annesley Trac Maintenance task chris new 2014-06-03T12:04:10+01:00 2014-06-10T20:23:34+01:00 email: Annesley Newholm ed Active Tickets 735 Add Annesley to github Unassigned Maintenance task chris reopened 2014-06-03T12:05:40+01:00 2014-07-01T12:10:29+01:00 Once Annesley is on TRAC, we can point him at this ticket, he can give us his github id and we can add it https://github.com/orgs/transitionnetwork/members ed Active Tickets 738 Change 'ben' account to have Ben Jarlett as owner Trac Maintenance task ben reopened 2014-06-10T10:14:06+01:00 2014-07-01T13:15:03+01:00 "Chris: change the ‘ben’ account’s password Chris; change the ‘ben’ account to have 'emailme@benjarlett.co.uk’ as the p.o.c. Chris? Ben?: change the ‘benj’ account to have ‘web project@transitionnetwork.org’ as the p.o.c. and Ed to forward anything vital if/when it comes up ALL to use only ‘ben’ " ed Active Tickets 794 Time estimate: change TN.org background image Theme Maintenance task ben new 2014-10-10T10:06:29+01:00 2014-10-13T10:11:22+01:00 "Rob is thinking about doing a 1970s editorial month, and would like a 1970s style 'naff' wallpaper. Ben please can you provide a time estimate for replacing the tasteful blue dotty background with some semi-transparent paisley thing for a month, and then reverting to the tasteful blue dots" ed Active Tickets 513 Please clarify what is a widget user Unassigned PSE maintenance ed assigned 2013-03-11T08:17:47Z 2013-03-26T15:08:03Z What is a widget user? What role is this? Please clarify? 
ed Active Tickets 517 News widgets not working Drupal modules & settings Production defect ed assigned 2013-03-14T12:39:57Z 2013-03-16T12:24:16Z "News widgets not working - noticed here: http://transitionfinsburypark.org.uk/ and here: http://wwww.edmitchell.co.uk Checked by putting code from http://www.transitionnetwork.org/syndication-and-social-media into new widget - showing a blank. News feed working here: http://www.transitionnetwork.org/news/feed So must be widget code. Adding to Jim, but is it Laura? " ed Active Tickets 458 Projects form - Project profile page display Views & content types Production enhancement laura new 2012-11-08T18:17:09Z 2013-02-18T11:32:08Z "2 – Project Profile individual page display - Panels to re-arrange layout. - Summary on left upper brick, findability on right upper brick with map under (will be a case of working on mockups via LW’s virtual machine, map may need to go further down, but a listing of town, country still to appear in top part). Description to become an expanding box and other data underneath - full width. - Tidy up image display to be more attractive for users. Enable ‘contact’ button for project contact to be more visible. - Panels, views, and CSS theming for frontend enhanced display." laura Active Tickets 459 Projects form - Project Directory display Views & content types Production enhancement laura new 2012-11-08T18:19:53Z 2012-12-20T15:30:50Z "'''3 - Projects Directory (frontend of website)''' Create new tabbed views for a variety of outputs. New views result listings to be mainly in display format of: - Title (heading) - City/Country (bold, slightly larger and possible on right) - New summary field and ‘read more about this project’ link ''Similar to the ‘full’ PSE widget output list (except not showing distance but town or city and Country)'' '''Tabs:''' '''Tab One''' (default) Projects Home – Introduction short paragraph text and link to adding projects. 
Lists featured projects Pagination '''Tab Two''' Find by theme – Introduction brief sentence. Search functionality (exposed view filter) for selection of projects by theme. Default view: random pagination '''Tab Three''' Find by location - Introduction brief sentence. Search functionality (exposed view filter) for selection of projects by location to use Names rather than miles. Default view: random or London? ''(note: LW will test ideas on this)'' pagination '''Tab Four''' Find by benefits – ''** note this may need to be set up ready but hidden initially until a substantial number of projects have updated their profiles with inclusion of the benefits/outcomes field **'' Introduction brief sentence. Search functionality (exposed view filter) for selection of projects by outcome/benefits Default view: all by date added. pagination '''Tab five''' [Similar to existing projects home page] Find by title with exposed search as is present. and tabular layout with a-z Custom CSS may be needed ---- '''Longer term:''' (possible January?) Enhance projects map page to show attached view of latest projects with relational popups on hover for easy browsing, and / or map filters by theme or benefit to enable a more usable feature of the map ability. " laura Active Tickets 533 Five star ratings: remove from resources CT Unassigned Production task ed new 2013-04-22T11:56:34+01:00 2013-04-22T11:56:34+01:00 We aren't using the fivestar ratings from the resources CT. There were some problems with it ages ago. Remove them from the resources CT and interface (public and edit) ed Active Tickets 806 IIRS pre-beta usability issues Unassigned TNv3 innovation annesley new 2014-11-10T21:30:27Z 2014-11-11T16:29:30Z Ticket to track usability issues etc. 
chris Active Tickets 757 Research and Design for TNv3 Unassigned TNv3 task ed new 2014-07-11T14:36:54+01:00 2015-06-01T15:04:26+01:00 R&D for TNv3 ed Active Tickets 882 Login to PiWik stats Piwik maintenance chris new 2015-11-03T10:52:30Z 2015-11-03T11:09:20Z hi Chris! could i have a login to PiWik stats please? annesley Active Tickets 924 Sheffield Server Shutdown Timetable? Live server maintenance chris new 2016-09-05T09:46:27+01:00 2016-11-21T10:50:50Z "Since [https://www.transitionnetwork.org/ www.transitionnetwork.org] is now running on `dedi2835.your-server.de` there seems little point in the Transition Network continuing to pay for the PuffinServer and my time doing sysadmin updates on it? If the Transition Network would like Webarchitects to shutdown and delete this server and all its backups could you please let me know when you would like it doing? I guess the same goes for PenguinServer and ParrotServer, though these servers still have live sites on them, including this Trac site that I use to keep track of time worked -- when PenguinServer is shutdown I will no longer have a public place to document the time I work for the Transition Network and all the server and site documentation from the last six years will be lost." chris Active Tickets 860 More details on Server provision Documentation task chris new 2015-06-19T11:29:09+01:00 2015-06-23T13:30:38+01:00 "we would like the following details on all servers provided by WebArchitects (Penguin, Puffin and Parrot): CPU type, speed, and characteristics Disk Space RAID type Traffic limits and characteristics Bandwidth limits and characteristics Thanks!" annesley Active Tickets 519 Fixing various URL in the Database Drupal modules & settings Maintenance defect chris new 2013-03-15T13:47:21Z 2013-05-08T17:43:29+01:00 "This page: * http://transitionnetwork.org/support/what-transition-initiative Contains this HTML: {{{

}}} The image is a 404: * http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png The correct location for the image is: * http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png Looking at the Internet Archive this was correct back in October 2012, * http://web.archive.org/web/20121022030350/http://www.transitionnetwork.org/support/what-transition-initiative Their munged HTML contains the correct URL: {{{

}}} It appears to me that an edit must have been done on the database something like: {{{ s;/sites/default/files/;/sites/www.transitionnetwork.org/files/; }}} There might well be other URLs to other Drupal sites that were changed when they shouldn't have been? I have had a quick look at the database dump and couldn't find any examples of this problem, but there are 113 lines to check: {{{ grep ""sites/www.transitionnetwork.org/files"" /var/backups/mysql/sqldump/transitionnetwor.sql | wc -l 113 }}} I did notice that there are a lot of URLs in the database like this: {{{ src=\""http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u5857/Map-TransitionNetworkOffice.jpg\"" }}} And {{{ src=\""https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u4/transition%20companion%20cover.jpg\"" }}} Both the above links would be better starting with {{{/}}} or {{{//www.transitionnetwork.org/}}} as this would avoid people getting HTTPS content when using HTTP and also getting HTTP content when using HTTPS. I think it would be worth putting the site into maintenance mode, doing a dump of the database, checking these 113 lines for issues like those above, correcting them all and then reinserting the data, however this would need to be done at a suitable time. I'd be happy to do this task. Ed, Jim, any thoughts about when would be a good time to do it? " chris Active Tickets 590 Drupal performance improvements Drupal modules & settings Maintenance defect jim assigned 2013-09-06T11:27:27+01:00 2013-11-18T10:48:28Z "This ticket is to track the work and changes done within the Drupal sphere in relation to performance enhancements done since #585. More information is needed and will come when ticket:586 New Relic Monitoring for BOA is completed. I also note that many of these cleanup operations will also help make the move to D7 smoother and better. 
= Summary of actions and status = == TODO == '''O) Stop making so many URL aliases for non-relevant pages, clean up url_alias table''' -- 1/4-1/2 hour, medium reward, only risk is that some already broken links might break... Per chat with Ed, only these will be removed (plus related tweaks to Pathauto settings): * 3,579 entries where src = node/%/feed * 1,856 entries where src = user/%/contact * = 5,435 or ~11% of entries in url_alias '''L) Review slow query log, explain queries, tweak as necessary/flag poorly behaving modules.''' 2-4 hours, high reward, low risk... Keep looking at the slow query log and adjust Drupal or find patches as necessary. ALSO related [http://2bits.com/articles/reduce-your-servers-resource-usage-moving-mysql-temporary-directory-ram-disk.html Reduce your server's resource usage by moving MySQL temporary directory to tmpfs]... Have opened ticket for this: #591 for Chris. === Done === '''A) Remove spam taxonomy entries''' ~~1/2 hour, Low risk, low reward -- See item 8 below. A simple delete from taxo term table where length > 50 is worth doing IMHO, and nothing I saw that would be clobbered is not spam.~~ '''B) Try a Taxonomy Cleanup''': ~~3 hours, Medium risk, medium reward -- style module to try to merge terms with the same names and clean up the link tables back to nodes. Further, we can remove any taxonomies or relations to certain CTs that don't really add value.~~ '''D) Review Views caching''' ~~1 hour, low risk, high reward -- Utilise Views Content Cache this was done a while back but I think -- done (task 12) in comment 21.~~ '''F) Force blocks caches to cached appropriately (and be rendered/included only as needed)''' ~~1-2 hours, medium reward, low risk -- BOA packages the [https://drupal.org/project/blockcache_alter Block Cache Alter], which makes sure Drupal only renders blocks when needed. Potential small but nice boost quickly in whole site. 
-- per comment 22, block caching is disabled by other modules so this will have to go on hold for now.~~ '''H) Remove CustomError module all together''' ~~1/2 hour, low risk, low reward -- We should take out the PHP code from the 403 section of CustomError and put it into a simple page entry. See comment 6 below as this has happened for 404s (which need no PHP). We can then remove the CustomError module all together, saving lots of sessions. I would go ahead and do this but since the 403 page has various displays depending on user type, I wanted to raise it here as it *may* have side effects. Or not...~~ '''I) Re-enable block caching.''' ~~2-6 hours, high risk, high reward -- Per comment 24, a module (probably Content Access) is stopping Drupal caching blocks, which for some of them means a fair amount of pointless overhead. We need to somehow get around this and get blocks cached if possible. R&D mainly, perhaps with some hacking/patching - but I'd stop short of doing this if so.~~ '''K) Add & enable Views Lite Pager on big views.''' ~~1 hour, low risk, low reward -- Using this module stops a heavy count query on views with pagers -- recommended for large sites.~~ '''M) Take control of Cron, and maximise time pages are cached for.''' ~~.25h, high reward, low risk -- Cron is wiping the page cache, so we need to install https://drupal.org/project/elysia_cron so we can clear the page less often, and run other things when we want and the site is quieter. 
Now need per minute resolution set to get the best, see comment 33 and 34 for more...~~ '''N) Replace Admin Menu 1.x with 3.x''' -- will happen when #590 occurs, marking complete here -- ~~5 mins, high reward, low risk -- done when #582 happens, could be the cause of some load spikes as it occasionally goes mad and does 2000-5000 queries!~~" jim Active Tickets 596 Captions issue Theme Maintenance defect jim assigned 2013-09-16T17:58:04+01:00 2014-06-10T10:41:32+01:00 "basically captions are appearing on body inline images and featured images on STG but not PROD and I can't see where the difference is... The following code addition to the bottom of template.php should be (but isn't) adding the caption class to images such as the one at the top of this page: https://www.transitionnetwork.org/blogs/ed-mitchell/2013-06/test-blog-test-caption-and-featured-image Any reason you can think of why not? Or do you know of another easy way of adding the class caption to featured image fields? (I guess the module https://drupal.org/project/semantic_cck - but maybe overkill...) /** * Adds caption css class to featured images */ function transition2_imagecache_formatter_featured_image_default($element) { // Inside a view $element may contain NULL data. In that case, just return. if (empty($element['#item']['fid'])) { return ''; } // Extract the preset name from the formatter name. $presetname = substr($element['#formatter'], 0, strrpos($element['#formatter'], '_')); $style = 'linked'; $style = 'default'; $item = $element['#item']; $item['data']['alt'] = isset($item['data']['alt']) ? $item['data']['alt'] : ''; $item['data']['title'] = isset($item['data']['title']) ? 
$item['data']['title'] : NULL; $class = ""imagecache imagecache-$presetname imagecache-$style imagecache-{$element['#formatter']} caption""; return theme('imagecache', $presetname, $item['filepath'], $item['data']['alt'], $item['data']['title'], array('class' => $class)); }" benj Active Tickets 644 AWstats Nginx config breaks aegir Live server Maintenance defect chris new 2013-12-09T16:46:05Z 2013-12-09T16:46:05Z "Since the last update we've had a silent nginx error that means http://tn.puffin.webarch.net was not available. I restarted nginx and got: {{{ [ ok ] Stopping Nginx Server...: [ .... ] Starting Nginx Server...:nginx: [emerg] ""log_format"" directive is not allowed here in /etc/nginx/nginx.conf:28 }}} Which equates to the AWstats entry which is now commented out per: {{{ # log for awstats #log_format apache '$remote_addr - $remote_user [$time_local] ""$request"" ' # '$status $body_bytes_sent ""$http_referer"" ' # '""$http_user_agent""'; #access_log /var/log/nginx/awstats.log apache; }}} I/we need access to aegir more than AWStats, so I've commented out the lines above and restarted nginx. Aegir is back and working well. This ticket is to find the correct log_format for modern nginx versions and reinstate AWstats -- assigning to Chris as a low priority thing." jim Active Tickets 681 Submitting Transition event overseas: An illegal choice has been detected. Please contact the site administrator. Drupal modules & settings Maintenance defect sam reopened 2014-01-22T12:31:29Z 2014-04-15T20:02:46+01:00 " Hi I'm using https://www.transitionnetwork.org/node/add/event To create a Transition Training event in Belgium in the 'Limburg' region. On submission I get the following error; ""An illegal choice has been detected. Please contact the site administrator."" It works for UK events. 
I had a look at the fields in the event content type, but couldn't spot any problems " sam Active Tickets 689 Duplicate comments Live server Maintenance defect paul new 2014-02-14T12:21:23Z 2014-03-07T12:20:39Z "Hi I got the below message from Mike. Paul could you take a look if you have a minute? Thanks Sam I am noticing that many of the comments are being duplicated quite often - sometimes once and Rob's last comments was added twice. I've been deleting them but will be offline from now over the weekend. This article is getting lots of comments https://www.transitionnetwork.org/blogs/rob-hopkins/2014-02/open-letter-bbc-lord-lawsons-today-programme-appearance" sam Active Tickets 746 New comment notifications not being sent to content owners. Email Maintenance defect annesley new 2014-06-24T10:27:11+01:00 2014-06-25T09:34:10+01:00 "Hi Paul, Annesley, Chris Ed hasn't been getting notifications for new comments. ""Please check if new comment notifications are being sent to content owners. I don’t think I am receiving email alerts for my blog posts."" I'll email Rob to see if he's getting any. Could you investigate? Thanks Sam" sam Active Tickets 772 new TIs not appearing on staging until caches flushed Drupal modules & settings Maintenance defect sam assigned 2014-08-05T10:26:32+01:00 2014-08-05T11:44:25+01:00 i added a new Mulling transition initiative on staging in Afghanistan and it did not appear on the map... i flushed caches and then it started appearing on the main initiatives map. is this intended? is it a known? annesley Active Tickets 836 """Date is invalid"" on film content type" Live server Maintenance defect paul new 2015-03-05T14:30:22Z 2015-03-05T15:36:40Z "Hi Paul Don't spend more than half an hour on this, if it takes longer I'll just remove the date field instead. If I edit: https://www.transitionnetwork.org/node/35510/edit Or add https://www.transitionnetwork.org/node/add/films A film, the website returns a ""Year is invalid."" error. 
In the settings it's set to 'Y' https://www.transitionnetwork.org/admin/content/node-type/films/fields/field_film_year I'm entering a four digit date, eg 2010 Any ideas? Thanks Sam " sam Active Tickets 870 MediaWiki 1.23.10 Mediawiki Maintenance defect chris new 2015-08-24T13:18:48+01:00 2015-08-26T12:51:26+01:00 "The [https://https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html announcement] contains: > == Bug Fixes in 1.23.10 == > * (bug 67644) Make !AutoLoaderTest handle namespaces > * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+. > * (T102562) Fix !InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons. " chris Active Tickets 917 Any misc files in Transition Culture web root? Parrot server Maintenance defect chris new 2016-07-14T12:54:50+01:00 2016-07-14T13:03:40+01:00 "Hi Chris Simon from Lumpy lemon has migrated Transition Culture. We only have WP admin access & he was wondering: ""Just one small question: can you check in the webroot folder on your server and let me know if there are any non-WordPress files in there? e.g. Google verification files, that sort of thing. I don't think there should be, but best to check. If there are, can you send them over."" Thanks Sam " sam Active Tickets 541 Documentation of the WordPress sites Parrot server Maintenance maintenance chris assigned 2013-05-01T21:25:57+01:00 2014-04-02T10:55:01+01:00 "These pages have been created for the documentation of the wiki:WordPress sites running on wiki:PenguinServer: * wiki:InTransitionWordPress * wiki:ReconomyWordPress * wiki:EarthInheritorsWordPress So far they only have a listing on the plugins for each site. Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting. Laura is this something you might be able to help with? 
I'm happy doing some work on it but you know your way around these sites far better than anyone else." chris Active Tickets 598 Redirect reconomyproject.org to reconomy.org Parrot server Maintenance maintenance chris reopened 2013-09-20T13:16:56+01:00 2014-09-09T20:24:46+01:00 "Request from Shane: > I've noticed that the domain www.reconomyproject.org is still live and running. i.e. can surf around it. I think you set it up so that it would auto redirect to reconomy.org - not 100% sure about the technical spec behind how you did this but is it still working? I noticed this because a lot of the referrals on to our fb page are coming from reconomyproject.org rather than reconomy.org " chris Active Tickets 645 APC Tuning on Parrot and Penguin Dev server Maintenance maintenance chris accepted 2013-12-10T10:52:31Z 2014-04-02T10:54:08+01:00 "As part of the upgrade from Squeeze to Wheezy, see ticket:535, Munin graphs for APC were added: * https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/index.html#php-apc * https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/index.html#php-apc There is also more APC info here: * https://parrot.transitionnetwork.org/apc.php * https://penguin.transitionnetwork.org/info/apc.php The documentation for the variables which can be set in {{{/etc/php5/mods-available/apc.ini}}} can be found here: * http://php.net/manual/en/apc.configuration.php This monitoring is generating quite a high volume of warnings about fragmentation and purges and this ticket has been created to try to sort this issue out." chris Active Tickets 675 Piwik Geolocation Piwik Maintenance maintenance chris new 2014-01-14T12:16:36Z 2014-01-14T12:16:36Z "We have this warning in the Piwik admin interface: > Geolocation works, but you are not using one of the recommended providers. 
If you have to import log files or do something else that requires setting IP addresses, use the PECL GeoIP implementation (recommended) or the PHP GeoIP implementation. We currently do Geolocation at a Nginx level, it is possible that it would now be better to switch to do it at a Piwik level, see the documentation here: http://piwik.org/docs/geo-locate/" chris Active Tickets 676 Alternative to Skype for TTech Meetings Unassigned Maintenance maintenance chris accepted 2014-01-14T13:33:51Z 2014-01-14T18:04:51Z "Jim has pointed out that: > Skype costs us 15-30 minutes of grinding pain every time we do this! So what are the alternatives and what are our requirements?" chris Active Tickets 737 SPF / Emails rejected from the website contact form Email Maintenance maintenance sam assigned 2014-06-05T16:46:13+01:00 2014-11-17T20:06:36Z "We had a user report that they could not send a message via our contact form: ""Yesterday I sent a message to you via the contact form on the website. But obviously something went wrong: for I got a failure notice saying my message could not be delivered. Therefore I'm sending it directly via email (see below) hoping that you're receiving my message this way."" : host mx1.spamfiltering.com[72.249.150.158] said: 550 81.95.XX.XX is not allowed to send mail from gmx.de. Please see http://www.openspf.net/Why?scope=mfrom;identity=userXX@gmx.de;ip=81.95.XX.XX (in reply to end of DATA command) (User details edited as this is publicly archived) I'm not sure I quite understand what's going on here. Chris indicated in email that this would affect other users whose email provider has set this kind of SPF record. Can we make an educated guess as to what proportion of email providers set this kind of SPF? How many messages do we never get to see? Is it a problem? Or a small enough number of users that we just don't worry about it? 
Thanks Sam " sam Active Tickets 740 Add 'class button block' to Soundcloud block Unassigned Maintenance maintenance benj new 2014-06-12T10:55:05+01:00 2014-06-26T14:40:33+01:00 "Hi Ben Could you add 'class button block' to the block class settings for this block: https://www.transitionnetwork.org/admin/build/block/configure/block/98?destination=blogs%2Frob-hopkins Or shall I give myself 'developer' permissions so I can add these myself? Thanks Sam" sam Active Tickets 763 Server Backups Live server Maintenance maintenance chris new 2014-07-21T18:09:21+01:00 2015-05-02T10:21:38+01:00 "Two weeks ago [ticket:754#comment:21 annesley asked]: > what off-site data storage, file backup and quick setup do we have? I [ticket:754#comment:22 answered]: > The 3 virtual servers have their file system mounted off a BSD/NFS/ZFS file server and the whole file system is backed up and stored onto another BSD/ZFS server in the same data centre. We did have backups also being copied to a server in Manchester but this is currently off-line as the Manchester server needs a disk swapping and rebuilding as a BSD/ZFS server. A problem with this is that it's only me and Alan that have access to these backups, so I'd like to suggest I set up a new account for backups on our backup server and sort out cron jobs to rsync data to this account and document how people can access these backups. The result would be that everybody would have SFTP access to 60 days worth of snapshots of backups from all three servers whenever needed without any need for my or Alan's intervention. I expect this would take abount an hour to set up and another hour to document and help people understand it. There would be no additional cost to the TN because backup space is already paid for. 
" chris Active Tickets 768 Piwik Archive Cron Error Piwik Maintenance maintenance chris new 2014-08-01T18:14:59+01:00 2014-09-05T10:47:18+01:00 "Have been getting these emails from PiwikServer: {{{ From: root@penguin.webarch.net (Cron Daemon) Date: Fri, 1 Aug 2014 14:06:48 +0100 (BST) To: root@localhost Subject: Cron /web/stats.transitionnetwork.org/piwik/console core:archive --url=http://stats.transitionnetwork.org/ > /var/log/piwik-archive.log ERROR CoreConsole[2014-08-01 13:05:18] [3e5ac] Got invalid response from API request: +http://stats.transitionnetwork.org/index.php?module=API&method=API.get&idSite=1&period=week&date=last2&format=php&token_auth=XXXXXXXXXXXX&trigger=archivephp. Response was '

There is an error. Please report the message (Piwik 2.4.1) and full backtrace in the Piwik forums (please do a Search first as it might have +been reported already!).

Warning:
+file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&php_version=5.4.4-14%2Bdeb7u12&url=https%3A%2F%2Fstats. +transitionnetwork.org%2Fweb%2Fstats.transitionnetwork.org%2Fpiwik%2Fconsole&trigger=API&timezone=Europe%2FLondon): failed to open stream: +HTTP request failed! in /web/stats.transitionnetwork.org/piwik/core/Http.php on line 406

Backtrace +-->

#0 Piwik\Error::errorHandler(...) called at [:]
#1 +file_get_contents(...) called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:406]
#2 Piwik\Http::sendHttpRequestBy(...) +called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:94]
#3 Piwik\Http::sendHttpRequest(...) called at +[/web/stats.transitionnetwork.org/piwik/core/UpdateCheck.php:72]
#4 Piwik\UpdateCheck::check(...) called at +[/web/stats.transitionnetwork.org/piwik/plugins/CoreUpdater/CoreUpdater.php:142]
#5 +Piwik\Plugins\CoreUpdater\CoreUpdater->updateCheck(...) called at [:]
#6 call_user_func_array(...) called at +[/web/stats.transitionnetwork.org/piwik/core/EventDispatcher.php:98]
#7 Piwik\EventDispatcher->postEvent(...) called at +[/web/stats.transitionnetwor k.org/pi wik/core/Piwik.php:766]
#8 Piwik\Piwik::postEvent(...) called at +[/web/stats.transitionnetwork.org/piwik/core/FrontController.php:391]
#9 Piwik\FrontController->init(...) called at +[/web/stats.transitionnetwork.org/piwik/core/dispatch.php:33]
#10 require_once(...) called at +[/web/stats.transitionnetwork.org/piwik/index.php:47]
#11 require_once(...) called at +[/web/stats.transitionnetwork.org/piwik/core/CliMulti/RequestCommand.php:53]
#12 Piwik\CliMulti\RequestCommand->execute(...) called +at [/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Command/Command.php:252]
#13 +Symfony\Component\Console\Command\Command->run(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:887]
#14 +Symfony\Component\Console\Application->doRunCommand(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Co nsole/Ap plication.php:193]
#15 Symfony\Component\Console\Application->doRun(...) called at +[/web/stats.transitionnetwork.org/piwik/core/Console.php:64]
#16 Piwik\Console->doRun(...) called at +[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:124]
#17 +Symfony\Component\Console\Application->run(...) called at [/web/stats.transitionnetwork.org/piwik/console:31]

+

+There is an error. Please report the message (Piwik 2.4.1) and full backtrace in the Piwik forums (please do a Search first as it might have +been reported already!).

Warning:
+file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&php_version =5.4.4-1 }}} " chris Active Tickets 787 Access to Parrot Dev server Maintenance maintenance chris new 2014-09-15T08:21:51+01:00 2014-10-03T13:02:49+01:00 "is it ok for me to send through my normal, non-passphrase protected public key to you Chris for parrot? the documentation wants a passphrase protected key. however this may be what is causing the access issues from my laptop. i certainly could find a way around it but would suggest that the passphrase is not a great improvement to security anyway in this instance so it would be ok to use my normal public key. note that i can access all my other servers with the normal key without problems." annesley Active Tickets 814 Higher that usual loads on PuffinServer since early September Live server Maintenance maintenance chris accepted 2014-12-03T17:12:35Z 2015-04-16T12:44:50+01:00 "The following [https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/load.html load graph] from PuffinServer shows that the load increased substantially in early September 2014, does anyone know why? [[Image(puffin-load-2014-11-03.png)]] When I found [http://www.vdmi.nl/blog/i-went-drupal-733-and-all-i-got-was-slow-site I went to Drupal 7.33 and all I got was a slow site] I thought that perhaps a Drupal 7 site on the server could be the cause but 7.33 came out on [https://www.drupal.org/drupal-7.33-release-notes 7th November 2014]. Anyone have any ideas?" chris Active Tickets 824 Analysis of the 2014 maintenance ticket time Live server Maintenance maintenance chris new 2015-01-07T15:48:14Z 2015-01-07T17:43:13Z "Ed has ask that I spend up to 2 hours on an analysis of the 2014 maintenance ticket time for our meeting tomorrow in Bristol. 
See also:
* wiki:TransitionMaintenance
* wiki:MaintenanceTasks

Ticket 887: Lots of failed logins on conference15.transitionnetwork.org
Group: Active Tickets | Component: Parrot server | Milestone: Maintenance | Type: maintenance | Owner: ade | Status: new
Created: 2015-12-04T11:39:10Z | Changed: 2015-12-04T12:22:43Z | Reporter: sam
Description:
Hi all

Overnight I had 150 notifications of failed login attempts and subsequent IP address bans from the https://en-gb.wordpress.org/plugins/wordfence/ security plugin I installed. It's coming from multiple IP addresses in multiple countries. It seems like Wordfence is doing its job and blocking IPs. I only mention it as I'm wondering if it could be related to the recent downtime. Feel free to close this ticket, just thought it was worth sticking in here.

Thanks Sam

Ticket 892: MediaWiki Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12
Group: Active Tickets | Component: Mediawiki | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new
Created: 2015-12-18T10:46:18Z | Changed: 2015-12-22T11:39:31Z | Reporter: chris
Description:
Email to the [https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html announcements list]:

{{{
I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5, and 1.23.12. These releases fix five security issues in core, in addition to other bug fixes. Download links are given at the end of this email

== Security fixes ==

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error

(T119309) SECURITY: Use hash_compare() for edit token comparison

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

== Note about EOL of 1.24.x ==

Please note that 1.24.5 marks the end of support for the 1.24.x series of releases. Technically this ended a few weeks ago with the release of 1.26.0 but we dropped one final release of 1.24.x here to give it a nicer send off for those who have not yet upgraded.

== Release notes ==

Full release notes for 1.26.1:
Full release notes for 1.25.4:
Full release notes for 1.24.5:
Full release notes for 1.23.12:

For information about how to upgrade, see
}}}

Ticket 912: Stats for TTT
Group: Active Tickets | Component: Parrot server | Milestone: Maintenance | Type: maintenance | Owner: chris | Status: new
Created: 2016-06-21T11:29:02+01:00 | Changed: 2016-06-21T11:40:43+01:00 | Reporter: chris
Description:
Nicola at TTT has asked:

> Could you let me know the size of the TTT and Transition Streets sites
> please? I have Google Analytics for TTT but not for Transition Streets, and
> I wonder if you could also tell me how many visitors it gets annually?

Ticket 636: Changes to Space.transitionnetwork.org homepage to facilitate user registration
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Maintenance | Type: task | Owner: sam | Status: assigned
Created: 2013-11-27T17:30:19Z | Changed: 2014-03-27T17:04:27Z | Reporter: ed
Description:
Space currently does not give users who aren't already registered a way in. Anon users can see some of the spaces but when they try to apply for membership, they hit a login page, which they can't complete as they are not registered.

1. RTFM for OA as to OA best practice - this is billable time. Then leave notes about it in wiki for later developers.

2. The homepage needs editing to sort this out. Here are some first changes:
2.1. Remove the 'Need the pros' pane (RHS)
2.2. Remove the 'Just getting started' pane (LHS)
2.3. Add a 'Request membership' pane which is basically a user registration form.
Make registration 'approval only' for now, approval to be by a site admin (webproject@transitionnetwork.org)

The /spaces listings view shows the spaces that are publicly viewable, and there is a 'request group membership' button for each of them.

3. Can you make this into a registration form as well?

Ticket 469: PSE project submission submitter cannot then edit their own project
Group: Active Tickets | Component: Drupal modules & settings | Milestone: PSE | Type: defect | Owner: ed | Status: assigned
Created: 2012-12-04T19:33:46Z | Changed: 2013-03-05T17:45:14Z | Reporter: ed
Description:
The user who has added a PSE submission which has been approved cannot then edit the project profile when it has been approved. The webmaster who approved it can edit it. This is not right - the user who added the PSE submission which then got turned into a project needs to be the project owner.

The new project is set to the correct author. But that author doesn't have edit rights.

Project (unpublished): https://www.transitionnetwork.org/projects/test-user-3-test-project

Ticket 504: Images missing from widget and site in general
Group: Active Tickets | Component: Drupal modules & settings | Milestone: PSE | Type: defect | Owner: ed | Status: assigned
Created: 2013-03-01T16:00:39Z | Changed: 2013-03-14T10:56:08Z | Reporter: ed
Description:
Submit button missing from widget (see bottom right here: http://www.edmitchell.co.uk/blog/).

Quite a few images are missing from the site - profile pictures of people who don't have pictures as well. Please have a look.

Ticket 262: US users adding Ini profiles through the US site
Group: Active Tickets | Component: Drupal modules & settings | Milestone: PSE | Type: innovation | Owner: jim | Status: assigned
Created: 2011-06-17T13:10:40+01:00 | Changed: 2013-02-18T10:56:47Z | Reporter: ed
Description:
This is *the* big job for phase 4. The US is a pilot for other countries, and other content types. The aim is for TN to be able to publish project directory on TI sites, and enable anyone to add a project via the TI sites in the long term.

1. US user can add an ini profile to the US site which is also added to the TN directory
2. US site has a special map and directory view of US inis only (both muller and official)
3. US user can edit the ini profile via the US site (possibly not on TN site)
4. US user account: with TN or TUS? tbd
5. Creation of a 'slimline' user acct showing only 'critical data'?
6. Creation of a 'slimline' ini profile showing only 'critical data'?
7. This is a pilot for other countries in the future
8. This process will be used in some way to enable anyone to add project information from and through TI sites
9. Fiddle with slimline user accounts and/or use third party process a la facebook/google/yahoo accts?
10. US has a US-only map view of users who are speakers

Ticket 127: Link checker module
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: defect | Owner: ed | Status: assigned
Created: 2010-07-23T10:12:15+01:00 | Changed: 2013-12-15T15:12:19Z | Reporter: ed
Description:
It would be very very handy to have a link checker of some form to check for internal and external links. Site editors are adding pages, navigation is changing etc. If possible, the link module would update links as they move internally, but that's a nice to have.

Please install one and Ed can manage it.

Putting to critical to get it on, shouldn't take long...

Ticket 485: transitionnetwork.org is tablet/phone/touch unfriendly
Group: Active Tickets | Component: Theme | Milestone: Production | Type: defect | Owner: laura | Status: new
Created: 2013-01-29T09:24:15Z | Changed: 2013-05-08T17:46:09+01:00 | Reporter: mark
Description:
Don't know how much of a priority this is, but transitionnetwork.org seems tablet/phone/touch unfriendly - and I'm just raising this ticket to capture this thought.

Core issue is the drop-down menus that are only accessible if you can "hover" over them with a mouse pointer - and of course no such thing exists on a touch-screen phone or tablet.

An easy workaround would be sub-menus or section menus in the sidebar, though I guess that would need some thought so as not to over-clutter the user interface. I often use the menu_block module to make "section" menus easy.
Anyway - thought captured - back to Real Work now :)

Ticket 514: Spam issues - users not being able to comment
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: defect | Owner: ed | Status: assigned
Created: 2013-03-12T17:25:29Z | Changed: 2013-03-27T16:32:48Z | Reporter: ed
Description:
Ed is receiving a selection of users not being allowed to post since the spam changes. We are seeing a pattern now. Setting this ticket up - will add user details tomorrow.

Ticket 516: Search: not showing events or initiatives
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: defect | Owner: ed | Status: assigned
Created: 2013-03-14T10:16:41Z | Changed: 2013-03-19T11:34:41Z | Reporter: ed
Description:
Search for Woking from homepage. I know that there are two events and two initiatives with Woking in them. Neither are shown: https://www.transitionnetwork.org/search/node/woking

Advanced search does not bring them up either (ticking the initiatives box). If I am in the initiatives section it returns the TIs though.

General search used to show TIs and events. Now it's only showing results of word searches. General search needs to show TIs and events, and other nodes. Please look into this.

Ticket 523: Database integrity
Group: Active Tickets | Component: Views & content types | Milestone: Production | Type: defect | Owner: jim | Status: new
Created: 2013-03-19T11:33:38Z | Changed: 2013-03-19T11:33:38Z | Reporter: ed
Description:
Following on from comment 4 of ticket 516 (https://tech.transitionnetwork.org/trac/ticket/516#comment:4), I wanted to check the integrity of the field tables, so I crafted and ran this query:

{{{
SELECT count(cck.nid)
FROM `content_field_region` cck
LEFT JOIN node node ON cck.nid = node.nid
WHERE node.nid IS NULL
}}}

Which returned 1,173 rows.

I then replaced the 'content_field_region' with other fields found on the user profile nodes (which have their own database table) so the full breakdown is:

content_field_region = 1173
content_field_initiative = 1165
content_field_themes = 6256
content_field_training_attended = 1165
content_field_roles_offered = 1285
content_field_other_websites = 1181
content_field_user_types = 1165

So what this means is there are around 1200 entries in field database storage for the above tables that do not have an associated node. This means the data is not properly referentially integral, and ideally these should be cleaned up one day. The risk is low but it's worth doing the rest of the audit (with the other fields that have tables of their own) and then cleaning these up at some point.

These will have been caused by manual deletes and imports over the years. Drupal would normally keep these sorted but we've had to bypass Drupal a few times. Or we can leave it as is and let the migration to Drupal 8 resolve this. The cost is a bit more database space and a slightly slower site... Though this *may* cause a bug or two.

Ticket 61: Directory search by postcode
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: enhancement | Owner: jim | Status: assigned
Created: 2010-05-13T17:11:30+01:00 | Changed: 2013-03-05T14:27:32Z | Reporter: ed
Description:
Searching initiatives and people and projects: Add postcode search function to filter (adam herriott)

(Ed hears that the .paf is now freely available from OS/Royal Mail (?)

Ticket 100: Show users' profiles on their personal profile page
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: enhancement | Owner: ed | Status: assigned
Created: 2010-06-21T17:36:55+01:00 | Changed: 2013-05-08T17:44:48+01:00 | Reporter: ed
Description:
Show a list of the projects and initiatives that users are involved with on their personal profile page.

Ticket 123: City name in personal profiles
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: enhancement | Owner: jim | Status: assigned
Created: 2010-07-20T11:38:47+01:00 | Changed: 2013-12-15T15:12:47Z | Reporter: ed
Description:
Please either:

a. add city name into the personal profiles as it is in initiative profiles

OR:

b. if it's a straightforward replicate from the initiative profile, tell ed this and he will do it

Ticket 257: Path aliases not being created for non-English nodes - i18n issues
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: enhancement | Owner: laura | Status: assigned
Created: 2011-06-15T14:24:21+01:00 | Changed: 2013-05-08T17:44:22+01:00 | Reporter: ed
Description:
WAS: "one resource not rendering URL"

Can't make this puppy render a human URL: http://www.transitionnetwork.org/node/17135 ??

Ticket 304: Make the five star ratings filter-able in the resources directory view
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: enhancement | Owner: jim | Status: new
Created: 2011-08-18T17:55:00+01:00 | Changed: 2013-05-08T17:41:58+01:00 | Reporter: ed
Description: (none)

Ticket 320: Add sitemap for site
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: enhancement | Owner: laura | Status: assigned
Created: 2011-09-12T10:26:57+01:00 | Changed: 2013-02-18T10:42:56Z | Reporter: ed
Description:
...

Ticket 461: Spam account war
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: enhancement | Owner: ed | Status: assigned
Created: 2012-11-21T16:19:10Z | Changed: 2013-02-25T11:54:12Z | Reporter: ed
Description:
Aim: tell drupal (and server level stuff?) to sniff out and destroy spam accounts without them knowing we did it, and ban them from doing it again

Wiki page: https://wiki.transitionnetwork.org/Spam_accounts

Ticket 384: Enhance Project Profile Content Type and directory
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Production | Type: innovation | Owner: laura | Status: new
Created: 2011-12-20T23:25:32Z | Changed: 2013-02-18T11:31:17Z | Reporter: ed
Description:
Laura to re-design IA and interface for admin and public profiles for project profile CT and directory. Considered as part of PSE Project, hence design in Jan, build in Feb 2012

Ticket 457: Projects form - Enhance form entry
Group: Active Tickets | Component: Views & content types | Milestone: Production | Type: task | Owner: ed | Status: assigned
Created: 2012-11-08T18:15:44Z | Changed: 2013-03-25T21:15:23Z | Reporter: laura
Description:
1 - Entry Form:
- Set up new fields and permissions and groupings
- Enhance ‘helper’ texts and any links to other parts of TN listed on form to enhance usability and context.
- CSS and potential of custom templating/panels if needed for style and layouts

Ticket 865: synchronisation
Group: Active Tickets | Component: Unassigned | Milestone: (none) | Type: enhancement | Owner: ade | Status: new
Created: 2015-07-15T14:26:48+01:00 | Changed: 2015-07-17T17:49:25+01:00 | Reporter: annesley
Description:
Ideas. Please query them.

We are synchronising between different data structures: WordPress and Drupal and anything else the plugin is installed on. Therefore standard *database level* distributed synchronisation management tools will not be appropriate. This is unfortunate because synchronisation is a big task. However, it is possible that there are some CRUD / REST based sync tools.

So: we need an XML abstraction layer (partially done already) produced by the Drupal, Wordpress, etc. plugin that is standardised and can then be compared and synced via standard API calls.

Steps:
- new Transition Town registration on server A
- notify server B that there is new data and send the GUID of this new data
- server B then requests only the new data from server A (incremental) using the GUID
- server B creates the new item in its database with a new native ID using the abstraction layer in its plugin / module

Additions to this universal data pool, e.g. a new Transition Town, will be propagated via a network sync request at point of addition. "listener servers" will then request the new data (incremental only) and, in turn, push that out to all other listeners.

Each plugin will therefore extend and expose its CRUD style synchronisation abstraction functions: add-user, add-local-group, change-user etc. Many of these are already available as part of the framework-independent plugin / module.

Currently, I suggest that ALL plugins contain ALL the international user and Transition Town data. Passwords and emails, contact info will be handled by a 3rd server, either Mozilla Persona or Open ID. User accounts will also be synchronised on to ALL plugins but without passwords as those are held on the 3rd server.

Thus far had already been agreed with Ed.
But, ofc, can be changed :)

New plugin installations will receive a full complement of data at time of installation. Check digits will be periodically shared to check that all data is in-line.

All users will be able to register and edit their data on ANY website holding the plugin. TT and USER changes and registrations will then propagate via PUSH notifications across the entire network.

All native IDs will be different, i.e. TT Brixton will have a different ID on each server. Thus, as always with synchronisation, all IDs will be transformed to GUIDs by the abstraction API and only GUIDs will be used to analyse the network of data and synchronisation.

Login to any website containing the plugin will be transparent (unlike the demo I set up) through the normal wordpress and drupal login screens. The plugin will intercept failed authentication and attempt to authenticate against the universal servers.

New accounts created via universal registration on any server will have a framework specific configurable role and thus permissions on that server will be set by the administrator specific to that server.

Ticket 747: Accessibility / archiving of podcasts
Group: Active Tickets | Component: Unassigned | Milestone: (none) | Type: innovation | Owner: ed | Status: new
Created: 2014-06-24T11:39:14+01:00 | Changed: 2014-07-15T16:49:04+01:00 | Reporter: chris
Description:
Would it be possible to consider making podcasts available as MP3s via RSS feeds? This would enable applications such as [https://f-droid.org/wiki/page/de.danoeh.antennapod AntennaPod] to play the podcasts.

Currently podcasts such as this one:

* https://www.transitionnetwork.org/blogs/rob-hopkins/2014-06/alan-simpson-transition-has-enormous-strength-moment

Appear to only be available via the Soundcloud web interface?

* https://soundcloud.com/transition-culture/alan-simpson-on-growth-renewables-and-transition

There might be Soundcloud settings to enable MP3 downloads and / or RSS feeds?

In addition, having copies available / archived on a non-corporate site, eg a *.transitionnetwork.org site and / or archive.org would be a good addition?

Sorry if this isn't the right place to raise this, I did consider posting it as a comment on Rob's blog but thought that would be even less appropriate.

Ticket 521: MySQL Unsafe statement warnings in the daemon.log
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: jim | Status: new
Created: 2013-03-16T09:46:57Z | Changed: 2013-05-08T17:44:02+01:00 | Reporter: chris
Description:
I don't know if these matter? I found them when hunting for 502 errors.

{{{
grep "Unsafe statement written to the binary log" /var/log/daemon.log | wc -l
343
}}}

Some examples:

{{{
Mar 16 09:28:20 puffin mysqld: 130316 9:28:20 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave. Statement: DELETE FROM notifications_event WHERE created < 1363426040 AND eid < (SELECT MIN(eid) FROM notifications_queue)
}}}

{{{
Mar 16 05:52:12 puffin mysqld: 130316 5:52:12 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave.
Statement: INSERT INTO notifications_queue (uid, mdid, send_method, sid, module, eid, send_interval, language, cron, created, conditions) SELECT DISTINCT s.uid, s.mdid, s.send_method, s.sid, s.module, 61233, s.send_interval, s.language, s.cron, 1363413132, s.conditions FROM notifications s LEFT JOIN notifications_fields f ON s.sid = f.sid WHERE (s.status = 1) AND (s.event_type = 'node') AND (s.send_interval >= 0) AND ((f.field = 'nid' AND f.intval = 30718) OR (f.field = 'type' AND f.value = 'profile') OR (f.field = 'author' AND f.intval = 16908)) GROUP BY s.uid, s.mdid, s.send_method, s.sid, s.module, s.send_interval, s.
}}}

Ticket 603: Forwarding newsletter sends wrong message
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Maintenance | Type: defect | Owner: jim | Status: new
Created: 2013-10-03T10:24:09+01:00 | Changed: 2013-10-03T17:16:03+01:00 | Reporter: ed
Description:
User forwarded newsletter to themself (other email account) and was sent the wrong message - from a different user to someone else. See forwarded mail below. Please consider.

---------- Forwarded message ----------
From: Jeanne
Date: Mon, Sep 9, 2013 at 11:57 AM
Subject: Jeanne is forwarding an email to you
To: jeano

Hi Will Sutherland,

Kathleen L thought you'd be interested in this:
http://us1.forward-to-friend2.com/forward/show?u=766036b57dc1247e2964584bd&id=7b4f6d65d1

Kathleen L also included this personal message to you:
more info for ya about Transition Towns - made me think of your game with their new book and ingredients and stuff - read about it...

Did you find the link interesting? You can forward it on to your friends, too:
http://us1.forward-to-friend2.com/forward?u=766036b57dc1247e2964584bd&id=7b4f6d65d1

You can subscribe for more emails at:
http://transitionnetwork.us1.list-manage1.com/subscribe?u=766036b57dc1247e2964584bd&id=33e8648c8d

* Note: if any of the URLs above are not clickable, you can copy/paste them into your web browser.

Ticket 520: Session 443 config in settings.php
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Maintenance | Type: task | Owner: jim | Status: new
Created: 2013-03-15T23:16:49Z | Changed: 2013-03-16T11:52:21Z | Reporter: chris
Description:
There is this warning displaying at https://www.transitionnetwork.org/admin/reports/status

{{{
Settings.php is not setup correctly. With the current configuration of 443 Session module, the following lines must be in settings.php.

if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
  ini_set('session.cookie_secure', 1);
}
}}}

Based on the check of what is happening with cookies done on ticket:371#comment:34 and ticket:371#comment:36 things are currently working OK, session cookies do have the secure flag set, so I'm a bit confused by this warning message.

I also think that the PHP suggested to add to settings.php looks perfectly sensible and should be included, I'm sure we did have it on the old server, however there are 33 settings.php files on wiki:PuffinServer and I'm not clear which one the live site uses.

Ticket 731: Meetings in maintenance
Group: Active Tickets | Component: Drupal modules & settings | Milestone: Maintenance | Type: task | Owner: ed | Status: new
Created: 2014-05-23T11:47:39+01:00 | Changed: 2014-06-10T10:36:21+01:00 | Reporter: chris
Description:
Ticket to record time spent on Skype call on 22nd May 2014.