Debian upgrades and updates

[chris]

This is a ticket to track debian upgrades to the wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer the time they take.

See:

• ​Recent Debian security announcements
• ​MariaDB Announce List archives

These updates are generally done using the wiki:AptitudeUpdateScript and this records all the changes in the /root/Changelog and then the contents of the Changelog are pasted into the ticket to document the upgrade.

This ticket was was originally used for the wiki:DevelopmentServer and the wiki:NewLiveServer.

[chris]

​DSA-2139-1 phpmyadmin -- several vulnerabilities there are also new apache and openssl packages, the update was applied and phpmyadmin was tested on the dev server first.

aptitude safe-upgrade

The following packages will be upgraded:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-common libssl-dev libssl0.9.8 openssl phpmyadmin

[chris]

Mysql updates, see ​http://www.mail-archive.com/debian-changes@lists.debian.org/msg15762.html

These were first tested on the dev server and then the live server was updated.

The following packages will be upgraded:
  libc6 libc6-dev libmysqlclient15off locales mysql-client-5.0 mysql-common mysql-server mysql-server-5.0 
8 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 49.3MB of archives. After unpacking 487kB will be freed.
Do you want to continue? [Y/n/?] y
Writing extended state information... Done
Get:1 http://security.debian.org lenny/updates/main mysql-common 5.0.51a-24+lenny5 [61.7kB]
Get:2 http://security.debian.org lenny/updates/main mysql-server 5.0.51a-24+lenny5 [56.1kB]
Get:3 http://security.debian.org lenny/updates/main libc6-dev 2.7-18lenny7 [2491kB]
Get:4 http://security.debian.org lenny/updates/main libc6 2.7-18lenny7 [4812kB]
Get:5 http://security.debian.org lenny/updates/main libmysqlclient15off 5.0.51a-24+lenny5 [1906kB]
Get:6 http://security.debian.org lenny/updates/main mysql-client-5.0 5.0.51a-24+lenny5 [8207kB]
Get:7 http://security.debian.org lenny/updates/main mysql-server-5.0 5.0.51a-24+lenny5 [27.3MB]
Get:8 http://security.debian.org lenny/updates/main locales 2.7-18lenny7 [4432kB]                       

[chris]

Debian Security Advisory DSA-2167-1
​http://lists.debian.org/debian-security-announce/2011/msg00033.html

Package        : phpmyadmin
Vulnerability  : sql injection
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0987

Both server have been updated.

[chris]

Subversion vulnerability which applies to us, from ​http://lists.debian.org/debian-security-announce/2011/msg00048.html

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2181-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
March 04, 2011                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : subversion
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0715

Philip Martin discovered that HTTP-based Subversion servers crash when
processing lock requests on repositories which support unauthenticated
read access.

This was done on kiwi:

sudo -i
aptitude update
aptitude safe-upgrade

And now the server is running the latest version: ​https://tech.transitionnetwork.org/svn/

[chris]

Live and dev servers have had PHP upgraded because of this:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2195-1                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
March 19, 2011                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php5
Vulnerability  : several
Problem type   : local/remote
Debian-specific: yes/no
CVE ID         : CVE-2011-0441 CVE-2010-3709 CVE-2010-3710 CVE-2010-3870
                 CVE-2010-4150

Stephane Chazelas discovered that the cronjob of the PHP 5 package in
Debian suffers from a race condition which might be used to remove
arbitrary files from a system (CVE-2011-0441).

When upgrading your php5-common package take special care to _accept_
the changes to the /etc/cron.d/php5 file. Ignoring them would leave the
system vulnerable.

[ed]

Does this need to be changed from phase 3 to phase 4?

[chris]

I have just updated all these packages on the live server:

bind9-host dhcp3-client dhcp3-common dnsutils libapr1 libbind9-50 libdns58 libisc50 libisccc50 libisccfg50
liblwres50 libperl5.10 libsvn1 libtiff4 libxml2 linux-libc-dev linux-modules-2.6.26-2-xen-amd64 perl perl-base
perl-modules subversion

The key one being libtiff4 as this was a security update.

[chris]

Security updates applied to dev and live:

libapache2-mod-php5 php-pear php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-mcrypt php5-mysql

[chris]

More security updates:

libapache2-mod-php5 libperl5.10 perl perl-base perl-modules php-pear php5 php5-cli php5-common php5-curl php5-dev

php5-gd php5-mcrypt php5-mysql

[chris]

Some security and other updates on both servers:

The following packages will be upgraded:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-common dhcp3-client 
  dhcp3-common libfreetype6 libpng12-0 libxfont1 phpmyadmin 

[chris]

Apache security updates on both servers:

{{{The following packages will be upgraded:

apache2 apache2-mpm-prefork apache2-utils apache2.2-common }}}

[ed]

merge with #30?

move to phase 5? or is this to be billed separately by WA as per Adam's quote (will it take 5 hours to upgrade to debian squeeze?)

[chris]

This ticket is being used to keep track of time spent on debian security upgrades and it is onging...

Ticket #301 is for upgrading between debian versions which is different from updating a packages due to security issues.

[chris]

vsftp upgraded on both servers due to security update ​http://www.debian.org/security/2011/dsa-2305

[jim]

Is there an issue with the SSL certs?

Last login: Tue Sep 20 19:57:51 2011 from host86-186-150-227.range86-186.btcentralplus.com
jim@kiwi:~$ cd /web/dev.transitionnetwork.org.webarch.net/www 
jim@kiwi:/web/dev.transitionnetwork.org.webarch.net/www$ sudo svn up
svn: OPTIONS of 'https://tech.transitionnetwork.org/svn/www/trunk': Could not resolve hostname `tech.transitionnetwork.org': Host not found (https://tech.transitionnetwork.org)
jim@kiwi:/web/dev.transitionnetwork.org.webarch.net/www$ ping tech.transitionnetwork.org
PING tech.transitionnetwork.org (81.95.52.78) 56(84) bytes of data.
64 bytes from kiwi.transitionnetwork.org (81.95.52.78): icmp_req=1 ttl=64 time=0.000 ms
64 bytes from kiwi.transitionnetwork.org (81.95.52.78): icmp_req=2 ttl=64 time=0.000 ms
^C
--- tech.transitionnetwork.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.000/0.000/0.000/0.000 ms
jim@kiwi:/web/dev.transitionnetwork.org.webarch.net/www$ sudo svn up
Error validating server certificate for 'https://tech.transitionnetwork.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate has an unknown error.
Certificate information:
 - Hostname: *.transitionnetwork.org
 - Valid: from Fri, 07 Jan 2011 00:00:00 GMT until Fri, 10 Feb 2012 23:59:59 GMT
 - Issuer: GANDI SAS, FR
 - Fingerprint: 8e:8c:e7:a1:42:89:75:77:1d:be:4b:e8:9e:1f:9d:89:8a:e6:81:9f

[jim]

Actually, DEV is down: ​https://dev.transitionnetwork.org/

The mysql error was: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2).

[chris]

Sorry, was half way though the upgrade from lenny to squeeze when I had to collect the kids, see ticket:301 and wiki:LennyToSqueeze.

I had assumed since Trac was working that Mysql / apache / PHP were all OK... Sorry.

Mysql has been restarted, more testing needed...

[chris]

Debian upgrades applied to the dev server:

  libapache2-mod-php5 libgssapi-krb5-2 libjasper1 libk5crypto3 libkrb5-3 libkrb5support0 
  libssl-dev libssl0.9.8 libt1-5 linux-libc-dev nginx nginx-common nginx-light openssl 
  php-pear php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-imagick php5-mcrypt 
  php5-memcache php5-mysql php5-suhosin x11-common 

And these to the live server:

  libgssapi-krb5-2 libjasper1 libk5crypto3 libkrb5-3 libkrb5support0 libssl-dev libssl0.9.8 
  linux-libc-dev openssl x11-common 

[chris]

phpmyadmin security update ​http://lists.debian.org/debian-security-announce/2012/msg00014.html

Dev and live server have been updated, phpmyadmin is also protected by htauth so this wasn't a serious security issue for us.

When testing the live server I also checked the documentation for Suhosin tweaks that are needed and applied these to both servers, one thing I noticed is the the dev server has the following in /etc/php5/conf.d/suhosin.ini:

suhosin.executor.include.whitelist="phar"

Jim I guess you added this? Is it also needed on the live server?

[jim]

According to ​http://www.php.net/manual/en/intro.phar.php, Phar is the PHP version of the Java Jar file - a repo of code and data.

I've not used it to my knowledge and LIVE doesn't need it as far as I know.

[chris]

Debian updated applied to the dev server:

  base-files bzip2 curl dpkg dpkg-dev libbz2-1.0 libbz2-dev libc-bin libc-dev-bin libc6 libc6-dev libcurl3 
  libcurl3-gnutls libdpkg-perl libgnutls26 libssl-dev libssl0.9.8 libxml2 linux-libc-dev locales 
  module-init-tools mutt openssl perl perl-base perl-modules php5-suhosin tzdata 

On the live server the following packages were updated:

  base-files bzip2 curl dpkg dpkg-dev libapache2-mod-php5 libbz2-1.0 libbz2-dev libc-bin libc-dev-bin libc6 
  libc6-dev libcurl3 libcurl3-gnutls libdpkg-perl libgnutls26 libperl5.10 libsmbclient libssl-dev libssl0.9.8 
  libwbclient0 libxml2 linux-libc-dev locales module-init-tools mutt openssl perl perl-base perl-modules php-pear 
  php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-mcrypt php5-mysql python-debian tzdata 

New versions of /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini were installed and the previously documented changes to these files were applied and updated, see wiki:NewLiveServer#php

[chris]

New versions of php, again, see ​http://lists.debian.org/debian-security-announce/2012/msg00028.html

Perhaps the segfault problem was related, see ticket:390

Dev and live servers updated.

[chris]

Apache security update: ​http://lists.debian.org/debian-security-announce/2012/msg00031.html

The following packages will be upgraded:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common 

Dev and live servers have been upgraded.

[chris]

Debian security update for php5 ​http://lists.debian.org/debian-security-announce/2012/msg00035.html

On quince:

The following packages will be upgraded:
  libapache2-mod-php5 php-pear php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-mcrypt php5-mysql

Also these updates kiwi (kiwi is running dotdeb version of php5 and this hasn't been updated yet):

The following packages will be upgraded:
  mysql-common nginx nginx-common nginx-light

[chris]

Security updates:

libpng12-0 libxml2

Applied to both servers.

[chris]

Kiwi updates:

open: 8; closed: 4; defer: 2; conflict: 2                                              .The following packages will be upgraded:
  file imagemagick libfreetype6 libmagic-dev libmagic1 libmagickcore3 
  libmagickcore3-extra libmagickwand3 libmysqlclient16 mysql-client-5.1 nginx 
  nginx-common nginx-light 

Configuration file `/etc/nginx/sites-available/default'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.

 The default action is to keep your current version.
*** default (Y/I/N/O/D/Z) [default=N] ? N

Quince:

The following packages will be upgraded: 
  libmysqlclient16 mysql-client mysql-client-5.1 mysql-common mysql-server 
  mysql-server-5.1 mysql-server-core-5.1 

[chris]

Kiwi updates:

libmysqlclient16 mysql-client-5.1

Quince updates:

imagemagick libfreetype6 libmagic1 libmagickcore3 libmagickcore3-extra libmagickwand3

[chris]

kiwi security upgrade, ​http://www.dotdeb.org/2012/03/15/security-nginx-1-0-14/

nginx nginx-common nginx-light 

[chris]

libpng security update (a user uploading a specially crafted png could run code on the server), ​http://www.debian.org/security/2012/dsa-2439

Kiwi and quince:

libpng12-0

[chris]

Kiwi upgrades:

libgnutls26 libtasn1-3 linux-libc-dev mysql-common 

Quince:

libgnutls26 libtasn1-3 linux-libc-dev 

[chris]

Kiwi:

  curl libcurl3 libcurl3-gnutls libpng12-0 libtiff4 nginx nginx-common 
  nginx-light 

Quince:

  curl libcurl3 libcurl3-gnutls libpng12-0 libtiff4 

[chris]

Kiwi updates:

apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common mysql-common nginx nginx-common nginx-light

Quince updates:

apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common libsmbclient libwbclient0 

[chris]

Security updates, kiwi:

libssl-dev libssl0.9.8 openssl

Quince:

libssl-dev libssl0.9.8 openssl

[chris]

Kiwi updates:

  imagemagick libapache2-mod-php5 libmagickcore3 libmagickcore3-extra 
  libmagickwand3 libmysqlclient16 libssl-dev libssl0.9.8 mysql-client-5.1 
  nginx nginx-common nginx-light openssl php-pear php5 php5-cli php5-common 
  php5-curl php5-dev php5-fpm php5-gd php5-imagick php5-mcrypt 
  php5-memcache php5-mysql php5-suhosin 

The dotdeb version of these files were installed and then the local modifications redone, /etc/php5/apache2/php.ini

;expose_php = On
; chris
expose_php = Off

;memory_limit = 128M
; chris
memory_limit = 256M

;post_max_size = 8M
; chris
post_max_size = 128M

;default_charset = "iso-8859-1"
; chris
default_charset = "utf-8"

;upload_max_filesize = 2M
; chris
upload_max_filesize = 100M

;max_file_uploads = 20
; chris
max_file_uploads = 50

;default_socket_timeout = 60
; chris
default_socket_timeout = 120

; chris
extension=uploadprogress.so

;session.cookie_secure =
; chris
session.cookie_secure = 1

;mbstring.http_input = auto
; chris
; https://github.com/pressflow/6/blob/master/.htaccess
mbstring.http_input = pass

;mbstring.http_output = SJIS
; chris
; https://github.com/pressflow/6/blob/master/.htaccess
mbstring.http_output = pass

And in /etc/php5/cli/php.ini:

;memory_limit = -1
; chris
memory_limit = 768M

And in /etc/php5/fpm/pool.d/www.conf:

;listen = 127.0.0.1:9000
; chris
listen = /var/run/php5-fpm/phpfpm.sock

;listen.allowed_clients = 127.0.0.1
; chris
listen.allowed_clients = 127.0.0.1,81.95.52.78,kiwi.transitionnetwork.org,kiwi.webarch.net

;pm.max_children = 5
; chris
pm.max_children = 10

;access.log = log/$pool.access.log
; chris
access.log = /var/log/php-fpm/$pool.access.log

; error log
; chris
error_log = /var/log/php-fpm/error_log

And /etc/php5/fpm/php.ini

;expose_php = On
; chris
expose_php = Off

;max_execution_time = 30
; chris
; increased to 60 seconds rather than 30
max_execution_time = 60

;memory_limit = 128M
; chris
memory_limit = 256M

;error_reporting = E_ALL & ~E_DEPRECATED
; chris
error_reporting = E_ALL | E_STRICT

;track_errors = Off
;chris
track_errors = On

;error_log = syslog
; chris
error_log = syslog

;cgi.fix_pathinfo=1
; chris
cgi.fix_pathinfo=0

Quince updates:

  imagemagick libmagickcore3 libmagickcore3-extra libmagickwand3 libsmbclient libssl-dev libssl0.9.8 
  libwbclient0 openssl 

[chris]

Kiwi updates:

  file libapache2-mod-php5 libmagic-dev libmagic1 linux-libc-dev mysql-common php-pear php5 php5-cli 
  php5-common php5-curl php5-dev php5-fpm php5-gd php5-imagick php5-mcrypt php5-memcache php5-mysql 
  php5-suhosin 

Quince updates:

  file libapache2-mod-php5 libmagic1 linux-libc-dev php-pear php5 php5-cli php5-common php5-curl php5-dev php5-gd 
  php5-mcrypt php5-mysql

[chris]

Following the php update done here ticket:218#comment:38 php-fpm won't restart, I don't know why, I can't work out why. I'll have to continue working on this tomorrow.

As a result everything that uses php on the dev server isn't running, the only execption to this being trac as it's running via apache still (phew!).

The announcement for the new php version is here:

​http://www.dotdeb.org/2012/05/09/security-php-5-4-3-and-php-5-3-13/

As I recall I had to switch the dev server to use the dotdeb repo rather than the standard one that the live server uses was done in order that trac could be upgraded, this was required in order that the trac git plugins could be installed, this does mean however that the php version on the dev server isn't the same as the live server -- I wonder if we should consider switching back so they have the same versions at some point since we are not using the trac git plugins? Or perhaps we should switch the live server over to use the dotdeb repowhen we switch to nginx as it has a newer version:

​http://www.dotdeb.org/2012/04/29/nginx-1-2-0-with-naxsi-0-45-and-passenger-3-0-12/

Also a reboot of both servers will perhaps be needed next week due to this update:

​http://lists.debian.org/debian-security-announce/2012/msg00105.html

[chris]

php-fpm is running again, it was a error with the log file configuraion, tracked down via starting it directly rather than using the script in /etc/init.d.

Sorry for the downtime.

[chris]

Kiwi updates:

  base-files initscripts libapr1 libc-bin libc-dev-bin libc6 libc6-dev libssl-dev libssl0.9.8 
  libxi6 libxml2 linux-libc-dev locales openssh-client openssh-server openssl procps ssh sudo 
  sysv-rc sysvinit sysvinit-utils tzdata 

Quince updates:

  base-files initscripts libapr1 libc-bin libc-dev-bin libc6 libc6-dev libpolkit-agent-1-0 
  libpolkit-backend-1-0 libpolkit-gobject-1-0 libssl-dev libssl0.9.8 libxi6 libxml2 linux-libc-dev 
  locales openssh-client openssh-server openssl php5-memcache policykit-1 procps python python-minimal 
  ssh sudo sysv-rc sysvinit sysvinit-utils tzdata 

[chris]

Kiwi updates:

{{{bind9-host dnsutils libbind9-60 libdns69 libisc62 libisccc60 libisccfg62 liblwres60
libmysqlclient16 mysql-client-5.1 mysql-common nginx nginx-common nginx-light}}}

Quince:

{{{bind9-host dnsutils libapache2-mod-php5 libbind9-60 libdns69 libisc62
libisccc60 libisccfg62 liblwres60 libmysqlclient16 mysql-client-5.1
mysql-common mysql-server mysql-server-5.1 mysql-server-core-5.1 php-pear
php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-mcrypt
php5-mysql}}}

[chris]

Kiwi updates:

  libapache2-mod-php5 php-pear php5 php5-cli php5-common php5-curl php5-dev 
  php5-fpm php5-gd php5-imagick php5-mcrypt php5-memcache php5-mysql 
  php5-suhosin 

The upgrade wanted to also upgrade these files:

/etc/apache2/php.ini
/etc/cli/php.ini
/etc/fpm/php.ini

So they were all manually checked.

The live server doesn't have any upgrades -- it's not running a ​http://dotdeb.org/ LAMP stack.

[chris]

Kiwi updates:

bind9-host dhcp3-client dhcp3-common dnsutils isc-dhcp-client isc-dhcp-common libapache2-mod-php5 libbind9-60 libdns69 
  libgssapi-krb5-2 libisc62 libisccc60 libisccfg62 libk5crypto3 libkrb5-3 libkrb5support0 liblwres60 mysql-common nginx nginx-common 
  nginx-light php-pear php5 php5-cli php5-common php5-curl php5-dev php5-fpm php5-gd php5-imagick php5-mcrypt php5-memcache php5-mysql 
  php5-suhosin 

Quince uodates:

  bind9-host dhcp3-client dhcp3-common dnsutils isc-dhcp-client 
  isc-dhcp-common libbind9-60 libdns69 libgssapi-krb5-2 libisc62 libisccc60 
  libisccfg62 libk5crypto3 libkrb5-3 libkrb5support0 liblwres60 

[chris]

Kiwi updates:

  bind9-host dhcp3-client dhcp3-common dnsutils isc-dhcp-client 
  isc-dhcp-common libapache2-mod-php5 libbind9-60 libdns69 libexpat1 
  libisc62 libisccc60 libisccfg62 liblwres60 libvarnishapi1 libxml2 
  mysql-common nginx nginx-common nginx-light php-pear php5 php5-cli 
  php5-common php5-curl php5-dev php5-fpm php5-gd php5-imagick php5-mcrypt 
  php5-memcache php5-mysql php5-suhosin varnish 

Quince updates:

  bind9-host dnsutils libapache2-mod-php5 libbind9-60 libdns69 libisc62 
  libisccc60 libisccfg62 liblwres60 libvarnishapi1 php-pear php5 php5-cli 
  php5-common php5-curl php5-dev php5-gd php5-mcrypt php5-mysql varnish 

[chris]

Kiwi updates:

  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common automake automake1.9 base-files debian-archive-keyring dhcp3-client dhcp3-common dpkg dpkg-dev 
  isc-dhcp-client isc-dhcp-common libapache2-mod-php5 libc-bin libc-dev-bin libc6 libc6-dev libconfig-inifiles-perl libdpkg-perl libtiff4 libxslt1.1 linux-libc-dev locales 
  lockfile-progs mysql-common nginx nginx-common nginx-light php-pear php5 php5-cli php5-common php5-curl php5-dev php5-fpm php5-gd php5-imagick php5-mcrypt php5-memcache 
  php5-mysql php5-suhosin xsltproc 

Quince updates:

  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common 
  automake automake1.9 base-files debian-archive-keyring dhcp3-client 
  dhcp3-common dpkg dpkg-dev isc-dhcp-client isc-dhcp-common libc-bin 
  libc-dev-bin libc6 libc6-dev libconfig-inifiles-perl libdpkg-perl 
  libtiff4 linux-libc-dev locales lockfile-progs 

[chris]

We need to update PHP on kiwi for a Mediawiki upgrade to 1.20, see ticket:455 this could either be done by switching to PHP 5.4.8 from dotdeb, ​http://www.dotdeb.org/2012/10/19/php-5-4-8-and-php-5-3-18/ or via switching back to the debian stable version, PHP 5.3.3-7+squeeze14.

[chris]

Kwik updates:

  bind9-host dnsutils libapache2-mod-php5 libbind9-60 libdns69 libisc62 libisccc60 libisccfg62 liblwres60 libtiff4 libxslt1.1 php-pear php5 
  php5-cli php5-common php5-curl php5-dev php5-fpm php5-gd php5-imagick php5-mcrypt php5-memcache php5-mysql php5-suhosin xsltproc 
  python-debian

There is an issue with a !MySQL upgrade which has been kept back which needs sorting out:

The following packages have been kept back:
  mysql-server mysql-server-5.1 mysql-server-core-5.1

Quince updates:

  bind9-host dnsutils exim4-base exim4-config exim4-daemon-light libbind9-60 libdns69 libisc62 libisccc60 
  libisccfg62 liblwres60 libtiff4 
  libkrb53 libpq5 libvorbis0a libvorbisfile3

I also installed cron-apt and to check on updated package availability, wiki:NewLiveServer#cron-apt

[chris]

The MySQL issue is cause by this, sorry I should have picked up on this sooner, ​MySQL 5.1 discontinued on Dotdeb however upgrading to the dotdeb MySQL 5.5.28 could cause other problems, it's been ​reported here that "phpmyadmin depends on php5-mysql".

I'm also not sure that we want the MySQL version on the dev machine to be out of sync with the live server? I'll think about this some before doing anything about it, due to ticket:218#comment:47 I wonder if we shouldn't switch back to the debian stable versions of nginx, php, mysql -- we switched to the dotdeb versions for PHP-FPM, however if the dev drupal sites are going to be migrated to a new new live server then there is there a need for PHP-FPM on kiwi?

[chris]

kiwi upgrades:

apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common libapache2-mod-php5 libtiff4 nginx 
nginx-common nginx-light php-pear php5 php5-cli php5-common php5-curl php5-dev php5-fpm php5-gd 
php5-imagick php5-mcrypt php5-memcache php5-mysql php5-suhosin 

quince:

  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common 
  libtiff4 

[chris]

I have disabled the munin apt and apt_all plugins on kiwi as they were resulting in me getting a email every 5 mins saying these package need updating:

mysql-server mysql-server-5.1 mysql-server-core-5.1

However they can't be easilly upgraded due to conflicts -- I don't think we should worry about this as we need to get everything migrated to the new server ASAP.

[chris]

puffin:

libxml2 libxml2-dev libxml2-utils

kiwi:

libxml2

quince:

libxml2

[chris]

kiwi:

libmysqlclient16 mysql-client-5.1

quince:

libmysqlclient16 mysql-client-5.1 mysql-common mysql-server mysql-server-5.1 mysql-server-core-5.1 

[chris]

Quince upgrades:

libperl5.10 perl perl-base perl-modules

Kiwi still needs the mysql situation sorting out, these packages have been updated:

perl perl-base perl-modules

[chris]

Security update, quince:

libtiff4

Kiwi:

libtiff4 nginx nginx-common nginx-light

[chris]

and puffin:

 libtiff4/squeeze libtiff4-dev/squeeze libtiffxx0c2/squeeze

[chris]

Updates to quince done over the Xmas holiday, recorded in /root/Changelog:

2013-01-06      chris
        *       gnupg/squeeze gnupg-curl/squeeze gpgv/squeeze libcups2/squeeze libcupsimage2/squeeze : updated

2012-12-30      chris
        *       ghostscript/squeeze gs-common/squeeze libgs8/squeeze : updated

[chris]

penguin updates recorded in /root/Changelog:

2013-01-08      chris
        *       gnupg-curl libcurl3-gnutls{a} : installed
        *       gnupg/squeeze gpgv/squeeze nginx/squeeze-backports nginx-common/squeeze-backports nginx-full/squeeze-backports php-pear/squeeze php5/squeeze php5-cli/squeeze php5-common/squeeze php5-fpm/squeeze php5-mysql/squeeze : updated

[chris]

Security updates, penguin:

2013-02-13      chris
        *       geoip-database/squeeze-backports libssl0.9.8/squeeze nginx/squeeze nginx-common/squeeze nginx-full/squeeze openssl/squeeze : updated

puffin:

2013-02-13      chris
        *       libssl-dev/squeeze libssl0.9.8/squeeze openssl/squeeze : updated

quince:

2013-02-13      chris
        *       libssl-dev/squeeze libssl0.9.8/squeeze openssl/squeeze : updated

[chris]

Lots of updates on puffin:

2013-02-23      chris
        *       apt-show-versions/squeeze base-files/squeeze bind9-host/squeeze dbus/squeeze dbus-x11/squeeze dnsutils/squeeze firmware-linux-free/squeeze gzip/squeeze libbind9-60/squeeze libcups2/squeeze libcupsimage2/squeeze libdbus-1-3/squeeze libdbus-glib-1-2/squeeze libdns69/squeeze libisc62/squeeze libisccc60/squeeze libisccfg62/squeeze libldap-2.4-2/squeeze libldap2-dev/squeeze liblwres60/squeeze libperl5.10/squeeze libpoppler5/squeeze libxenstore3.0/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze linux-libc-dev/squeeze openssh-client/squeeze openssh-server/squeeze perl/squeeze perl-base/squeeze perl-modules/squeeze poppler-utils/squeeze ssh/squeeze : updated

2013-02-21      chris
        *       libpq5/squeeze : updated

penguin:

2013-02-23      chris
        *       apt-show-versions/squeeze base-files/squeeze dbus/squeeze firmware-linux-free/squeeze gzip/squeeze libcgi-fast-perl/squeeze libdbus-1-3/squeeze libldap-2.4-2/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze openssh-client/squeeze openssh-server/squeeze perl/squeeze perl-base/squeeze perl-modules/squeeze tzdata/squeeze : updated

quince:

2013-02-23      chris
        *       apt-show-versions/squeeze base-files/squeeze bind9-host/squeeze dbus/squeeze dbus-x11/squeeze dnsutils/squeeze gzip/squeeze libbind9-60/squeeze libcups2/squeeze libcupsimage2/squeeze libdbus-1-3/squeeze libdbus-glib-1-2/squeeze libdns69/squeeze libisc62/squeeze libisccc60/squeeze libisccfg62/squeeze libldap-2.4-2/squeeze liblwres60/squeeze libnautilus-extension1/squeeze libperl5.10/squeeze linux-libc-dev/squeeze openssh-client/squeeze openssh-server/squeeze perl/squeeze perl-base/squeeze perl-modules/squeeze ssh/squeeze tzdata/squeeze : updated

2013-02-20      chris
        *       libpq5/squeeze : updated

[chris]

Debian upgrades, puffin:

2013-02-26      chris
        *       firmware-linux-free/squeeze libopenjpeg2/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze linux-libc-dev/squeeze : updated

Penguin:

2013-02-26      chris
        *       firmware-linux-free/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze : updated

Quince:

2013-02-26      chris
        *       linux-libc-dev/squeeze : updated

[chris]

Puffin debian security update:

2013-03-02      chris
        *       libxenstore3.0/squeeze : updated

[chris]

Puffin updates:

2013-03-04      chris
        *       libxenstore3.0/squeeze php-pear/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-curl/squeeze php5-dev/squeeze php5-fpm/squeeze php5-gd/squeeze php5-geoip/squeeze php5-gmp/squeeze php5-imagick/squeeze php5-imap/squeeze php5-ldap/squeeze php5-mcrypt/squeeze php5-mysql/squeeze php5-sqlite/squeeze php5-xmlrpc/squeeze php5-xsl/squeeze : updated

Penguin:

2013-03-04      chris
        *       php-pear/squeeze php5/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-fpm/squeeze php5-mysql/squeeze : updated

I also installed the apt and apt_all munin plugins on both servers:

2013-03-04      chris
        *       /etc/munin/plugins : ln -s /usr/share/munin/plugins/apt_all
        *       /etc/munin/plugins : ln -s /usr/share/munin/plugins/apt

[chris]

Puffin:

2013-03-09      chris
        *       sudo/squeeze : updated

Penguin:

2013-03-09      chris
        *       sudo/squeeze : updated

[chris]

Puffin:

2013-03-09      root
        *       libperl5.10/squeeze perl/squeeze perl-base/squeeze perl-modules/squeeze : updated

Penguin:

2013-03-09      chris
        *       libcgi-fast-perl/squeeze perl/squeeze perl-base/squeeze perl-modules/squeeze : updated

[chris]

New version of !MariaDB on puffin:

2013-03-12      chris
        *       libmariadbclient-dev/squeeze libmariadbclient18/squeeze libmariadbd-dev/squeeze libmysqlclient18/squeeze mariadb-client-5.5/squeeze mariadb-client-core-5.5/squeeze mariadb-common/squeeze mariadb-server-5.5/squeeze mariadb-server-core-5.5/squeeze mysql-common/squeeze : updated

[jim]

I don't need to know about these, nor does Laura I assume...

[chris]

Thanks for checking the cc field, I have added Ed, I hadn't realised he wasn't getting these, he can remove himself if he wants.

[chris]

Puffin update:

2013-03-15      chris
        *       libvirt0/squeeze : updated

[chris]

Puffin:

2013-03-17      chris
        *       libvirt0/squeeze : updated

[chris]

Penguin:

2013-03-26      chris
        *       libxml2/squeeze : updated

Puffin:

2013-03-26      chris
        *       libxml2/squeeze libxml2-dev/squeeze libxml2-utils/squeeze : updated

[chris]

Penguin updates:

2013-03-26      chris
        *       php-pear/squeeze php5/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-fpm/squeeze php5-gd/squeeze php5-mysql/squeeze : updated

Puffin updates:

2013-03-26      chris
        *       php-pear/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-curl/squeeze php5-dev/squeeze php5-fpm/squeeze php5-gd/squeeze php5-geoip/squeeze php5-gmp/squeeze php5-imagick/squeeze php5-imap/squeeze php5-ldap/squeeze php5-mcrypt/squeeze php5-mysql/squeeze php5-sqlite/squeeze php5-xmlrpc/squeeze php5-xsl/squeeze : updated

The restart of php-fpm that these updates required caused some 502 errors, see ticket:483#comment:52

[chris]

Puffin security updates:

2013-03-30      chris
        *       bind9-host/squeeze dnsutils/squeeze libbind9-60/squeeze libdns69/squeeze libisc62/squeeze libisccc60/squeeze libisccfg62/squeeze liblwres60/squeeze : updated

[chris]

Puffin updates:

2013-04-03      chris
        *       libxslt1-dbg/squeeze libxslt1-dev/squeeze libxslt1.1/squeeze : updated

Penguin updates:

2013-04-03      chris
        *       libxslt1.1/squeeze : updated

[chris]

Puffin update:

2013-04-04      chris
        *       libpq5/squeeze : updated

[chris]

Puffin update:

2013-04-18      chris
        *       libxenstore3.0/squeeze : updated

[chris]

Penguin updates, applied manually, see the note here for the reason wiki:PenguinServer#Updates

2013-04-20      chris
        *       libossp-uuid16{a} : installed
        *       munin/squeeze-backports munin-common/squeeze-backports munin-doc/squeeze-backports munin-node/squeeze-backports munin-plugins-core/squeeze-backports munin-plugins-extra/squeeze-backports nginx/squeeze nginx-common/squeeze nginx-full/squeeze : updated

[chris]

curl security update, ​http://lists.debian.org/debian-security-announce/2013/msg00070.html updates applied to penguin:

2013-04-20      chris
        *       libcurl3-gnutls/squeeze : updated

And to puffin:

2013-04-20      chris
        *       curl/squeeze libcurl3/squeeze libcurl3-gnutls/squeeze libcurl4-openssl-dev/squeeze : updated

[chris]

New version of PHP 5.3.24, see:

• ​http://www.dotdeb.org/2013/04/22/php-5-3-24/
• ​http://php.net/archive/2013.php#id2013-04-11-2

Puffin updates:

2013-04-22      chris
        *       php-pear/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-curl/squeeze php5-dev/squeeze php5-fpm/squeeze php5-gd/squeeze php5-geoip/squeeze php5-gmp/squeeze php5-imagick/squeeze php5-imap/squeeze php5-ldap/squeeze php5-mcrypt/squeeze php5-mysql/squeeze php5-sqlite/squeeze php5-xmlrpc/squeeze php5-xsl/squeeze : updated

And Penguin:

2013-04-22      chris
        *       php-pear php5 php5-apc php5-cli php5-common php5-fpm php5-gd php5-mysql : updated

[chris]

New version of Nginx:

Nginx 1.4.1 has been released on May 7th 2013, with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 – 1.4.0, discovered by Greg MacManus, of iSIGHT Partners Labs (CVE-2013-2028).

​http://www.dotdeb.org/2013/05/07/security-nginx-1-4-1/

This is a serious bug "potentially resulting in arbitrary code execution" ​http://seclists.org/oss-sec/2013/q2/290

Penguin (upgrade didn't work for reasons I don't quite understand, so I had to install the packaged over the top of the existing ones):

aptitude install nginx/squeeze nginx-common/squeeze nginx-full/squeeze

Puffin:

aptitude install nginx/squeeze nginx-common/squeeze nginx-full/squeeze

After this there were a series of Nginx config errors and multiple lines, mostly related to serving mp4 and flv files and uploadprogress had to be commented out before Nginx would start, this resulted in a few mins of downtime:

nginx: [emerg] unknown directive "upload_progress" in /etc/nginx/conf.d/aegir.conf:105

nginx: [emerg] unknown directive "upload_progress" in /etc/nginx/conf.d/aegir.conf:105

nginx: [emerg] unknown directive "upload_progress_java_output" in /data/disk/tn/config/includes/nginx_octopus_include.conf:154

nginx: [emerg] unknown directive "report_uploads" in /data/disk/tn/config/includes/nginx_octopus_include.conf:155

nginx: [emerg] unknown directive "flv" in /data/disk/tn/config/includes/nginx_octopus_include.conf:514

nginx: [emerg] unknown directive "mp4" in /data/disk/tn/config/includes/nginx_octopus_include.conf:526

nginx: [emerg] unknown directive "mp4_buffer_size" in /data/disk/tn/config/includes/nginx_octopus_include.conf:528

nginx: [emerg] unknown directive "mp4_max_buffer_size" in /data/disk/tn/config/includes/nginx_octopus_include.conf:529

nginx: [emerg] unknown directive "track_uploads" in /data/disk/tn/config/includes/nginx_octopus_include.conf:773

nginx: [emerg] unknown directive "upload_progress_json_output" in /data/disk/tn/config/includes/nginx_modern_include.conf:154

nginx: [emerg] unknown directive "report_uploads" in /data/disk/tn/config/includes/nginx_modern_include.conf:155

nginx: [emerg] unknown directive "flv" in /data/disk/tn/config/includes/nginx_modern_include.conf:514

nginx: [emerg] unknown directive "mp4" in /data/disk/tn/config/includes/nginx_modern_include.conf:526

nginx: [emerg] unknown directive "mp4_buffer_size" in /data/disk/tn/config/includes/nginx_modern_include.conf:528

nginx: [emerg] unknown directive "mp4_max_buffer_size" in /data/disk/tn/config/includes/nginx_modern_include.conf:529

nginx: [emerg] unknown directive "track_uploads" in /data/disk/tn/config/includes/nginx_modern_include.conf:773

nginx: [emerg] unknown directive "flv" in /var/aegir/config/includes/nginx_compact_include.conf:67

nginx: [emerg] unknown directive "mp4" in /var/aegir/config/includes/nginx_compact_include.conf:79

nginx: [emerg] unknown directive "mp4_buffer_size" in /var/aegir/config/includes/nginx_compact_include.conf:81

nginx: [emerg] unknown directive "mp4_max_buffer_size" in /var/aegir/config/includes/nginx_compact_include.conf:82

nginx: [emerg] unknown directive "upload_progress_json_output" in /var/aegir/config/includes/nginx_modern_include.conf:154

nginx: [emerg] unknown directive "report_uploads" in /var/aegir/config/includes/nginx_modern_include.conf:155

nginx: [emerg] unknown directive "flv" in /var/aegir/config/includes/nginx_modern_include.conf:514

nginx: [emerg] unknown directive "mp4" in /var/aegir/config/includes/nginx_modern_include.conf:526

nginx: [emerg] unknown directive "mp4_buffer_size" in /var/aegir/config/includes/nginx_modern_include.conf:528

nginx: [emerg] unknown directive "mp4_max_buffer_size" in /var/aegir/config/includes/nginx_modern_include.conf:529

nginx: [emerg] unknown directive "track_uploads" in /var/aegir/config/includes/nginx_modern_include.conf:773

All the lines that cause errors above were commented out, when we work out what went wrong and fix the problem they will need uncommenting.

There was also this error:

nginx: [emerg] could not build the variables_hash, you should increase either variables_hash_max_size: 512 or variables_hash_bucket_size: 64

This was fixed by adding the following to the http section of /etc/nginx/nginx.conf:

  variables_hash_max_size 1024;
  variables_hash_bucket_size 128;

After these config changed Nginx started OK.

[chris]

It looks like we need to have the nginx-extras package installed rather than nginx-full, the results of aptitude show nginx-full:

Description: nginx web/proxy server (standard version)

Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to
reduce the load on back-end HTTP or mail servers.

This package provides a version of nginx with the complete set of standard modules included (but omitting some of those included in nginx-extras).

STANDARD HTTP MODULES: Core, Access, Auth Basic, Auto Index, Browser, Charset, Empty GIF, FastCGI, Geo, Gzip, Headers, Index, Limit Requests, Limit Zone, Log, Map,
Memcached, Proxy, Referer, Rewrite, SCGI, Split Clients, SSI, Upstream, User ID, UWSGI.

OPTIONAL HTTP MODULES: Addition, Debug, GeoIP, Gzip Precompression, HTTP Sub, Image Filter, IPv6, Real IP, SSL, Stub Status, Substitution, WebDAV, XSLT.

MAIL MODULES: Mail Core, IMAP, POP3, SMTP, SSL.

THIRD PARTY MODULES: Auth PAM, DAV Ext, Echo, Upstream Fair Queue.

MODULES ADDED BY DOTDEB : File AIO, Secure link, Syslog, Cache purge, Pinba, HTTP substitution filter, X-rid header

Homepage: ​http://nginx.net

And aptitude show nginx-extras:

Description: nginx web/proxy server (extended version)

Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to
reduce the load on back-end HTTP or mail servers.

This package provides a version of nginx with the standard modules, plus extra features and modules such as the Perl module, which allows the addition of Perl in
configuration files.

STANDARD HTTP MODULES: Core, Access, Auth Basic, Auto Index, Browser, Charset, Empty GIF, FastCGI, Geo, Gzip, Headers, Index, Limit Requests, Limit Zone, Log, Map,
Memcached, Proxy, Referer, Rewrite, SCGI, Split Clients, SSI, Upstream, User ID, UWSGI.

OPTIONAL HTTP MODULES: Addition, Debug, Embedded Perl, FLV, GeoIP, Gzip Precompression, Image Filter, IPv6, MP4, Random Index, Real IP, Secure Link, SSL, Stub
Status, Substitution, WebDAV, XSLT.

MAIL MODULES: Mail Core, IMAP, POP3, SMTP, SSL.

THIRD PARTY MODULES: Auth PAM, Cache purge, DAV Ext, Echo, Embedded Lua, HttpHeadersMore?, http push, Nginx Development Kit, Upload Progress, Upstream Fair Queue.

MODULES ADDED BY DOTDEB : File AIO, Syslog, Pinba, HTTP Gunzip , HTTP substitution filter, X-rid header

Homepage: ​http://nginx.net

So:

aptitude install nginx-extras

The following packages have unmet dependencies:
  nginx-full: Conflicts: nginx-extras but 1.4.1-1~dotdeb.0 is to be installed.
  nginx-extras: Conflicts: nginx-full but 1.4.1-1~dotdeb.0 is installed.
Internal error: found 2 (choice -> promotion) mappings for a single choice.
The following actions will resolve these dependencies:

     Remove the following packages:
1)     nginx                       
2)     nginx-full                  



Accept this solution? [Y/n/q/?] Y

The following NEW packages will be installed:
  nginx-extras 
The following packages will be REMOVED:
  nginx{a} nginx-full{a} 
0 packages upgraded, 1 newly installed, 2 to remove and 0 not upgraded.
Need to get 666 kB of archives. After unpacking 381 kB will be used.
Do you want to continue? [Y/n/?] Y

After that all the lines that were commented out in ticket:218#comment:80 were uncommented and nginx was restarted.

[jim]

Chris, any reason why you're not using the proper installer? You risk borking BOA if you do these piecemeal updates. From ​http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/UPGRADE.txt

### NOTE: You can append "system" as a last argument to the barracuda
command, and it will upgrade only the system, without running
Aegir Master Instance upgrade, plus it will write the output
to the file instead of to the console:

/var/backups/reports/up/barracuda/*

Example:
  barracuda up-stable system

FYI note this commit: ​http://drupalcode.org/project/barracuda.git/blobdiff/97cbf82a1e30d4e040b0ddbf514c2a83da10fccc..043fb3e1a9d9e2f32fd8d6f9bab428ea03319b13:/BARRACUDA.sh.txt

The change to BARRACUDA.sh.txt that sets the NGINX version is there, so if you ran the meta installer, then edited the script, you could have set _NGINX_VERSION to whatever you wanted.

I'd expect the new 1.4.1 version will be reflected in the BOA scripts pretty soon.

These errors are almost certainly of an issue caused by this non-standard (for BOA) update process you followed.

[chris]

Replying to jim:

Chris, any reason why you're not using the proper installer?

I didn't realise I wasn't supposed to be doing security update using aptitude / apt-get. I do remember asking a question about this some time ago on one of the Trac tickets but I guess it got missed.

My concern about running the whole installer each time there is a new debian package out is that it takes the site down for around 20 / 30 mins while the installer runs -- is this really what we should be doing for every debian update?

[jim]

Yes, you absolutely need to use the proper scripts! This bit me in the ass long ago, it's absolutely worth sticking to.

And as quoted above, the barracuda up-stable system just does a managed apt-get update for system only.. give that a whirl next time.

[jim]

As expected, the BOA team are already looking at/fixing the NGINX update: ​Nginx 1.5.0 - security upgrade for CVE-2013-2028.

Again, worth letting the updates settle for a few days and either running 'barracuda up-head' soon, or waiting for 2.0.9 to go for a stable version.

[chris]

PHP was updated on penguin earlier today:

2013-05-12      chris
        *       php-pear/squeeze php5/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-fpm/squeeze php5-gd/squeeze php5-mysql/squeeze : updated

Info on the new version, "These releases fix about 10 bugs as well as upgrading the bundled libmagic library.": ​http://www.dotdeb.org/2013/05/12/php-5-4-15-php-5-3-25-for-wheezy-squeeze/

[chris]

New debian kernel, I haven't seen an announcement for the reason for it, Parrot updates:

2013-05-14      chris
        *       firmware-linux-free/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze linux-libc-dev/squeeze : updated

Penguin updates:

2013-05-14      chris
        *       firmware-linux-free/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze : updated

Puffin:

2013-05-14      chris
        *       firmware-linux-free/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze linux-libc-dev/squeeze : updated

I didn't run the BOA script to update Puffin as I didn't see the point in making the site unavailable for 30 mins.

I haven't done a reboot yet so the servers will still be using the old kernel, I'll do the reboot later in the night when the site has less traffic.

[jim]

Replying to chris:

I didn't run the BOA script to update Puffin as I didn't see the point in making the site unavailable for 30 mins.

I already mentioned earlier:

• barracuda up-stable = (re)install Barracuda, PHP, MySQL, Redis etc etc.
• barracuda up-stable system = Just manages apt-get/aptitude updates so as not to override/upset BOA.

Have you tried the latter? It should be much less than 30 minutes as it's not installing/updating the whole stack. Try it!

[chris]

Parrot updates:

2013-05-23      chris
        *       libxcb-render0/squeeze libxcb1/squeeze libxcursor1/squeeze libxext6/squeeze libxfixes3/squeeze libxi6/squeeze libxinerama1/squeeze libxrandr2/squeeze libxrender1/squeeze : updated

Penguin updates:

2013-05-23      chris
        *       libxcb-render0/squeeze libxcb-shm0/squeeze libxcb1/squeeze libxext6/squeeze libxrender1/squeeze : updated

These are the outstanding updates on puffin, a mixture of ​debian X11 updates and a ​new version of mariadb:

libmariadbclient-dev/squeeze libmariadbclient18/squeeze libmariadbd-dev/squeeze libmysqlclient18/squeeze libxcb-render0/squeeze libxcb-render0-dev/squeeze libxcb1/squeeze libxcb1-dev/squeeze libxcursor-dev/squeeze libxcursor1/squeeze libxext-dev/squeeze libxext6/squeeze libxfixes-dev/squeeze libxfixes3/squeeze libxi-dev/squeeze libxi6/squeeze libxinerama-dev/squeeze libxinerama1/squeeze libxp6/squeeze libxrandr-dev/squeeze libxrandr2/squeeze libxrender-dev/squeeze libxrender1/squeeze libxres1/squeeze libxt-dev/squeeze libxt6/squeeze libxtst6/squeeze mariadb-client-5.5/squeeze mariadb-client-core-5.5/squeeze mariadb-common/squeeze mariadb-server-5.5/squeeze mariadb-server-core-5.5/squeeze mysql-common/squeeze

I've very reluctant to update the server the way Jim wishes in ticket:218#comment:89 as I expect this would take the site off line for 30 mins and also potentially overwrite the fix Jim applied on ticket:548#comment:21 to solve the problems caused with the last BOA update, ticket:547#comment:4

barracuda up-stable system

  Please update installers on your system
  using BOA Meta Installer and try again.

  $ wget -q -U iCab http://files.aegir.cc/BOA.sh.txt
  $ bash BOA.sh.txt

So, Jim -- is it OK to use the normal debian tools or is it essential to do a BOA update?

[jim]

barracuda up-stable system takes ~7 mins on my system, and certainly only a fraction of that is downtime.

And YES, you do need to use barracuda to update the system because it's not just about the packages in Debian/apt -- the whole stack works together and pulls from sources outside the usual package sources. If you run an apt update and it changes a BOA stack component, there's chance it'll downgrade packages, break dependencies, overwrite config, stop services, disconnect things and generally bugger it up. Or you might be lucky, but it's not a risk we should be taking. It's a tuned stack after all.

FYI I think as of 2.0.9 you can schedule auto-updates for the system -- you might want to check the documentation and have a think.

Also barracuda up-stable system is pretty much automated -- it waits a bit (for crons I imagine) then does it all and emails you. Downtime should be minimal, so run it from screen and see what you think.

[chris]

Replying to jim:

you do need to use barracuda to update the system

OK, I'm going to run it now.

[chris]

Puffin upgrade:

barracuda up-stable system

  Please update installers on your system
  using BOA Meta Installer and try again.

  $ wget -q -U iCab http://files.aegir.cc/BOA.sh.txt
  $ bash BOA.sh.txt

wget -q -U iCab http://files.aegir.cc/BOA.sh.txt

  BOA Meta Installer setup completed
  Please check INSTALL.txt and UPGRADE.txt at http://bit.ly/boa-docs for how-to
  Bye

barracuda up-stable system
  waiting 142 sec

  REPORT: Successful Barracuda upgrade on puffin.webarch.net sent to chris@webarchitects.co.uk

  BARRACUDA upgrade completed
  Bye

OK, that wasn't as bad as I was expecting, it took 9 mins and although it doesn't tell you what it is doing if you tail -f /var/log/syslog you can see what is going on.

This is the content of the email it sent out:

To: chris@webarchitects.co.uk
Subject: REPORT: Successful Barracuda upgrade on puffin.webarch.net at 130524-1036


Barracuda [Fri May 24 10:38:35 BST 2013] ==> BOA Skynet welcomes you aboard!

Barracuda [Fri May 24 10:38:40 BST 2013] ==> INFO: UPGRADE
Barracuda [Fri May 24 10:38:40 BST 2013] ==> INFO: Reading your /root/.barracuda.cnf config file
Barracuda [Fri May 24 10:38:41 BST 2013] ==> NOTE! Please review all config options displayed below
Barracuda [Fri May 24 10:38:41 BST 2013] ==> NOTE! It will *override* all settings in the Barracuda script

###
### Configuration created on 121215-1545
### with Barracuda version BOA-2.0.4
###
### NOTE: the group of settings displayed bellow will *not* be overriden
### on upgrade by the Barracuda script nor by this configuration file.
### They can be defined only on initial Barracuda install.
###
_HTTP_WILDCARD=YES
_MY_OWNIP="81.95.52.103"
#_MY_OWNIP=""
_MY_HOSTN="puffin.webarch.net"
#_MY_HOSTN=""
_MY_FRONT="master.puffin.webarch.net"
_THIS_DB_HOST=localhost
#_THIS_DB_HOST=FQDN
_SMTP_RELAY_TEST=YES
_SMTP_RELAY_HOST=""
_LOCAL_NETWORK_IP=""
_LOCAL_NETWORK_HN=""
###
### NOTE: the group of settings displayed bellow
### will *override* all listed settings in the Barracuda script,
### both on initial install and upgrade.
###
_MY_EMAIL="chris@webarchitects.co.uk"
_XTRAS_LIST="PDS CSF CHV"
_AUTOPILOT=YES
_DEBUG_MODE=NO
_DB_SERVER=MariaDB
_SSH_PORT=22
_LOCAL_DEBIAN_MIRROR="ftp.debian.org"
_LOCAL_UBUNTU_MIRROR="archive.ubuntu.com"
_FORCE_GIT_MIRROR=""
_DNS_SETUP_TEST=YES
_NGINX_EXTRA_CONF=""
_NGINX_WORKERS=AUTO
_PHP_FPM_WORKERS=AUTO
_BUILD_FROM_SRC=NO
_PHP_MODERN_ONLY=YES
_PHP_FPM_VERSION=5.3
_PHP_CLI_VERSION=5.3
_LOAD_LIMIT_ONE=1444
_LOAD_LIMIT_TWO=888
_CUSTOM_CONFIG_CSF=NO
_CUSTOM_CONFIG_SQL=NO
_CUSTOM_CONFIG_REDIS=NO
_CUSTOM_CONFIG_PHP_5_2=NO
_CUSTOM_CONFIG_PHP_5_3=NO
_SPEED_VALID_MAX=3600
_NGINX_DOS_LIMIT=300
_SYSTEM_UPGRADE_ONLY=YES
_USE_MEMCACHED=NO
_NEWRELIC_KEY=
_USE_STOCK=NO
###
### Configuration created on 121215-1545
### with Barracuda version BOA-2.0.4
###
### JK reinstall PHP
_EXTRA_PACKAGES=
_PHP_EXTRA_CONF=""
_STRONG_PASSWORDS=NO
_DB_BINARY_LOG=NO
_DB_ENGINE=InnoDB
_NGINX_LDAP=NO
_PHP_GEOS=NO
_PHP_MONGODB=NO
_AEGIR_UPGRADE_ONLY=NO

Barracuda [Fri May 24 10:38:43 BST 2013] ==> INFO: Testing GitHub, Drupal and Gitorious servers availability, please wait...
Barracuda [Fri May 24 10:38:44 BST 2013] ==> INFO: GitHub mirror repository will be used for this install
Barracuda [Fri May 24 10:38:44 BST 2013] ==> INFO: Downloading little helpers, please wait...
Barracuda [Fri May 24 10:38:45 BST 2013] ==> INFO: Checking BARRACUDA version...
Barracuda [Fri May 24 10:38:45 BST 2013] ==> INFO: Version test result: OK
Barracuda [Fri May 24 10:38:45 BST 2013] ==> INFO: Checking your Debian or Ubuntu version...

Barracuda [Fri May 24 10:38:48 BST 2013] ==> Aegir with Nginx on Debian/squeeze - Skynet Agent v.BOA-2.0.9

Barracuda [Fri May 24 10:38:52 BST 2013] ==> UPGRADE START -> checkpoint:                                                                                                     
                                                                                                                                                                              
  * Your e-mail address appears to be chris@webarchitects.co.uk - is that correct?                                                                                            
  * Your server hostname is puffin.webarch.net.
  * Your Aegir control panel is/will be available at https://master.puffin.webarch.net.


Barracuda [Fri May 24 10:38:52 BST 2013] ==> INFO: Cleaning up temp files in /var/opt/
Barracuda [Fri May 24 10:38:54 BST 2013] ==> INFO: Updating apt sources
Barracuda [Fri May 24 10:38:56 BST 2013] ==> INFO: We will use Debian mirror ftp.debian.org
Barracuda [Fri May 24 10:39:00 BST 2013] ==> INFO: Running aptitude update, please wait...
Barracuda [Fri May 24 10:39:10 BST 2013] ==> INFO: Upgrading required libraries and tools
Barracuda [Fri May 24 10:39:10 BST 2013] ==> NOTE! This step may take a few minutes, please wait...
Barracuda [Fri May 24 10:39:44 BST 2013] ==> INFO: Testing Nginx version...
Barracuda [Fri May 24 10:39:46 BST 2013] ==> INFO: Installed Nginx version nginx/1.5.0, no upgrade required
Barracuda [Fri May 24 10:39:48 BST 2013] ==> INFO: Checking for Linux/Cdorked.A malware, please wait...
Barracuda [Fri May 24 10:39:52 BST 2013] ==> INFO: No Linux/Cdorked.A malware traces found - system clean
Barracuda [Fri May 24 10:39:52 BST 2013] ==> INFO: Running aptitude full-upgrade again, please wait...
Barracuda [Fri May 24 10:42:30 BST 2013] ==> INFO: Testing Nginx version...
Barracuda [Fri May 24 10:42:32 BST 2013] ==> INFO: Installed Nginx version nginx/1.5.0, no upgrade required
Barracuda [Fri May 24 10:42:35 BST 2013] ==> INFO: Checking for Linux/Cdorked.A malware, please wait...
Barracuda [Fri May 24 10:42:37 BST 2013] ==> INFO: No Linux/Cdorked.A malware traces found - system clean
Barracuda [Fri May 24 10:42:37 BST 2013] ==> INFO: Checking SMTP connections, please wait...
Barracuda [Fri May 24 10:42:39 BST 2013] ==> INFO: Upgrading a few more tools, please wait...
Barracuda [Fri May 24 10:42:43 BST 2013] ==> INFO: Checking if PHP upgrade is available
Barracuda [Fri May 24 10:42:45 BST 2013] ==> INFO: Installed PHP version 5.3.25-1~dotdeb.0, no upgrade required
Barracuda [Fri May 24 10:42:51 BST 2013] ==> INFO: Installed Redis version 2.6.13, no upgrade/rebuild required
Barracuda [Fri May 24 10:42:53 BST 2013] ==> INFO: OS and services upgrade completed

Barracuda [Fri May 24 10:42:55 BST 2013] ==> INFO: Aegir Master Instance upgrade skipped

Barracuda [Fri May 24 10:42:56 BST 2013] ==> INFO: Installing extra Drush versions
Barracuda [Fri May 24 10:42:59 BST 2013] ==> INFO: Drush 4 installation complete
Barracuda [Fri May 24 10:43:00 BST 2013] ==> INFO: Drush 5 installation complete
Barracuda [Fri May 24 10:43:02 BST 2013] ==> INFO: Drush 6 installation complete
Barracuda [Fri May 24 10:43:08 BST 2013] ==> INFO: Generating random password for Redis server
Barracuda [Fri May 24 10:43:09 BST 2013] ==> INFO: Restarting Redis and PHP-FPM, reloading Nginx
Barracuda [Fri May 24 10:43:17 BST 2013] ==> INFO: Restarting MariaDB server

Barracuda [Fri May 24 10:43:31 BST 2013] ==> INFO: New random password for MariaDB generated and stored in /root/.my.pass.txt
Barracuda [Fri May 24 10:43:33 BST 2013] ==> INFO: New entry added to /var/log/barracuda_log.txt

Barracuda [Fri May 24 10:43:36 BST 2013] ==> CARD: Now charging your credit card for this automated upgrade service...
Barracuda [Fri May 24 10:43:42 BST 2013] ==> JOKE: Just kidding! Enjoy your Aegir Hosting System :)

Barracuda [Fri May 24 10:43:46 BST 2013] ==> Final post-upgrade cleaning, please wait a moment...
Barracuda [Fri May 24 10:43:57 BST 2013] ==> BYE!

[jim]

Good stuff!

And the wait time before it gets going is really annoying, raised this: ​https://drupal.org/node/2002678. Minor but important for sanity!

[ed]

Since this happened I am locked out of admin functions again as per #548

[chris]

Replying to ed:

Since this happened I am locked out of admin functions again as per #548

very sorry, this has been fixed, see: ticket:548#comment:34

[ed]

working; tested; thanks for quick response

[chris]

Parrot updates:

2013-05-25      chris
        *       libx11-6/squeeze libx11-data/squeeze : updated

Penguin updates:

2013-05-25      chris
        *       libx11-6/squeeze libx11-data/squeeze : updated

Puffin updates:

2013-05-25      chris
        *       libx11-6/squeeze libx11-data/squeeze libx11-dev/squeeze : updated

[chris]

The debian system updates done on ticket:218#comment:93 using "barracuda up-stable system" resulted in some munin stats being broken, this was fixed by editing these lines in /opt/local/etc/php53-fpm.conf

pm.status_path = /status
ping.path = /ping

and then reloading /etc/init.d/php53-fpm. The documentation here has been updated: wiki:PuffinServer#SystemUpdates

[chris]

Debian updates on parrot:

2013-06-02      chris
        *       libgssapi-krb5-2/squeeze libk5crypto3/squeeze libkrb5-3/squeeze libkrb5support0/squeeze : updated

And penguin:

2013-06-02      chris
        *       libgssapi-krb5-2/squeeze libk5crypto3/squeeze libkrb5-3/squeeze libkrb5support0/squeeze : updated

And puffin:

2013-06-02      chris
        *       krb5-multidev/squeeze libgssapi-krb5-2/squeeze libgssrpc4/squeeze libk5crypto3/squeeze libkadm5clnt-mit7/squeeze libkadm5srv-mit7/squeeze libkdb5-4/squeeze libkrb5-3/squeeze libkrb5-dev/squeeze libkrb5support0/squeeze : updated

These were all done late last night.

[chris]

Parrot upgrades:

2013-06-09      chris
        *       libsvn1/squeeze subversion/squeeze : updated

Penguin upgrades:

2013-06-09      chris
        *       libsvn1/squeeze php-pear/squeeze php5/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-fpm/squeeze php5-gd/squeeze php5-mysql/squeeze python-subversion/squeeze subversion/squeeze : updated

Puffin upgrades:

2013-06-09      chris
        *       libsvn1/squeeze php-pear/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-curl/squeeze php5-dev/squeeze php5-fpm/squeeze php5-gd/squeeze php5-geoip/squeeze php5-gmp/squeeze php5-imagick/squeeze php5-imap/squeeze php5-ldap/squeeze php5-mcrypt/squeeze php5-mysql/squeeze php5-sqlite/squeeze php5-xmlrpc/squeeze php5-xsl/squeeze subversion/squeeze : updated

[chris]

Parrot updates:

2013-06-18      chris
        *       libtiff4/squeeze : updated

Puffin updates:

2013-06-18      chris
        *       libtiff4/squeeze libtiff4-dev/squeeze libtiffxx0c2/squeeze : updated

[chris]

Puffin updates:

2013-06-24      chris
        *       curl/squeeze libcurl3/squeeze libcurl3-gnutls/squeeze libcurl4-openssl-dev/squeeze : updated

Penguin:

2013-06-24      chris
        *       libcurl3-gnutls/squeeze : updated

Parrot:

2013-06-24      chris
        *       curl/squeeze libcurl3/squeeze libcurl3-gnutls/squeeze : updated

[chris]

Puffin update, see ​http://lists.debian.org/debian-security-announce/2013/msg00131.html

2013-07-11      chris
        *       libpoppler5/squeeze poppler-utils/squeeze : updated

[chris]

Parrot update:

2013-07-17      chris
        *       libapache2-mod-php5/squeeze php-pear/squeeze php5/squeeze php5-cli/squeeze php5-common/squeeze php5-curl/squeeze php5-dev/squeeze php5-gd/squeeze php5-intl/squeeze php5-mcrypt/squeeze php5-mysql/squeeze php5-xmlrpc/squeeze : updated

[chris]

Oops, forgot to record time against the update on ticket:218#comment:105 it's also worth nothing that the details:

It was discovered that PHP could perform an invalid free request when
processing crafted XML documents, corrupting the heap and potentially
leading to arbitrary code execution. Depending on the PHP
application, this vulnerability could be exploited remotely.

​http://lists.debian.org/debian-security-announce/2013/msg00133.html

Puffin and Penguin are both running PHP 5.3.26-1~dotdeb.0 from ​http://www.dotdeb.org/

I'm not exactly sure why these servers haven't updated to the latest version: ​http://www.dotdeb.org/2013/07/06/php-5-4-17-for-wheezy-and-squeeze/

[chris]

Penguin upgrades:

2013-07-23      chris
        *       munin/squeeze-backports munin-common/squeeze-backports munin-doc/squeeze-backports munin-node/squeeze-backports munin-plugins-core/squeeze-backports munin-plugins-extra/squeeze-backports : updated

[chris]

Puffin openjdk-6 security update, ​http://lists.debian.org/debian-security-announce/2013/msg00137.html

2013-07-25      chris
        *       openjdk-6-jdk/squeeze openjdk-6-jre/squeeze openjdk-6-jre-headless/squeeze openjdk-6-jre-lib/squeeze : updated

[chris]

New ​http://dotdeb.org/ PHP 5.3.27 for Debian Squeeze, ​http://www.dotdeb.org/2013/07/25/php-5-3-27-for-squeeze/

Penguin updates:

2013-07-25      chris
        *       php-pear/squeeze php5/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-fpm/squeeze php5-gd/squeeze php5-mysql/squeeze : updated

Puffin updates:

2013-07-25      chris
        *       php-pear/squeeze php5-apc/squeeze php5-cli/squeeze php5-common/squeeze php5-curl/squeeze php5-dev/squeeze php5-fpm/squeeze php5-gd/squeeze php5-geoip/squeeze php5-gmp/squeeze php5-imagick/squeeze php5-imap/squeeze php5-ldap/squeeze php5-mcrypt/squeeze php5-mysql/squeeze php5-sqlite/squeeze php5-xmlrpc/squeeze php5-xsl/squeeze : updated

[chris]

Bind update, ​http://lists.debian.org/debian-security-announce/2013/msg00138.html

Parrot:

2013-07-27      chris
        *       bind9-host/squeeze dnsutils/squeeze libbind9-60/squeeze libdns69/squeeze libisc62/squeeze libisccc60/squeeze libisccfg62/squeeze liblwres60/squeeze : updated

Puffin:

2013-07-27      chris
        *       bind9-host/squeeze dnsutils/squeeze libbind9-60/squeeze libdns69/squeeze libisc62/squeeze libisccc60/squeeze libisccfg62/squeeze liblwres60/squeeze : updated

[chris]

Parrot updates:

2013-07-29      chris
        *       gnupg/squeeze gpgv/squeeze libgcrypt11/squeeze : updated

Penguin updates:

2013-07-29      chris
        *       gnupg/squeeze gnupg-curl/squeeze gpgv/squeeze libgcrypt11/squeeze : updated

Puffin updates:

2013-07-29      chris
        *       gnupg/squeeze gpgv/squeeze libgcrypt11/squeeze : updated

[chris]

Parrot updates:

013-08-27      chris
        *       libapache2-mod-php5/squeeze php-pear/squeeze php5/squeeze php5-cli/squeeze php5-common/squee
ze php5-curl/squeeze php5-dev/squeeze php5-gd/squeeze php5-intl/squeeze php5-mcrypt/squeeze php5-mysql/squee
ze php5-xmlrpc/squeeze : updated

[chris]

Puffin update:

2013-08-27      chris
        *       libtiff4/squeeze libtiff4-dev/squeeze libtiffxx0c2/squeeze : updated

Parrot:

2013-08-27      chris
        *       libtiff4/squeeze : updated

[chris]

Puffin !MySQL update, ​https://mariadb.com/kb/en/mariadb-5533-release-notes/

2013-09-18      chris
        *       libmariadbclient-dev/squeeze libmariadbclient18/squeeze libmariadbd-dev/squeeze libmysqlclient18/squeeze mariadb-client-5.5/squeeze mariadb-client-core-5.5/squeeze mariadb-common/squeeze mariadb-server-5.5/squeeze mariadb-server-core-5.5/squeeze mysql-common/squeeze : updated

[chris]

New version of !MariaDB ​https://mariadb.com/kb/en/mariadb-5533a-release-notes/

2013-09-23      chris
        *       libmariadbclient-dev/squeeze libmariadbclient18/squeeze libmariadbd-dev/squeeze libmysqlclient18/squeeze mariadb-client-5.5/squeeze mariadb-client-core-5.5/squeeze mariadb-common/squeeze mariadb-server-5.5/squeeze mariadb-server-core-5.5/squeeze mysql-common/squeeze : updated

[chris]

wiki:PuffinServer updates:

2013-09-28      chris
        *       firmware-linux-free/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze linux-libc-dev/squeeze linux-tools-2.6.32/squeeze : updated

wiki:ParrotServer updates:

2013-09-28      chris
        *       firmware-linux-free/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze linux-libc-dev/squeeze : updated

wiki:PenguinServer updates:

2013-09-28      chris
        *       firmware-linux-free/squeeze linux-base/squeeze linux-image-2.6.32-5-xen-amd64/squeeze nginx/squeeze nginx-common/squeeze nginx-full/squeeze : updated

[chris]

New version of GPG, wiki:PenguinServer:

2013-10-10      chris
        *       gnupg/squeeze gnupg-curl/squeeze gpgv/squeeze nginx/squeeze nginx-common/squeeze nginx-full/squeeze : updated

wiki:ParrotServer:

2013-10-10      chris
        *       gnupg/squeeze gpgv/squeeze : updated

wiki:PuffinServer:

2013-10-10      chris
        *       gnupg/squeeze gpgv/squeeze : updated

[chris]

Penguin Nginx updated, as per the note here, wiki:PenguinServer#Updates

a-up
 About to upgrade nginx/squeeze nginx-common/squeeze nginx-full/squeeze
 No packages will be installed, upgraded, or removed.
 0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
 Need to get 0 B of archives. After unpacking 0 B will be used.
aptitude install nginx/squeeze nginx-common/squeeze nginx-full/squeeze
 The following packages will be upgraded: 
   nginx nginx-common nginx-full 
 3 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

[chris]

Security updates, wiki:PuffinServer:

2013-10-19      chris
        *       base-files/squeeze fancontrol/squeeze grep/squeeze libcdt4/squeeze li
bcgraph5/squeeze libgraph4/squeeze libgraphviz-dev/squeeze libgvc5/squeeze libgvpr1/s
queeze libmysqlclient16/squeeze libpathplan4/squeeze libsensors4/squeeze libsnmp-base
/squeeze libsnmp15/squeeze libxdot4/squeeze lm-sensors/squeeze openssh-client/squeeze
 openssh-server/squeeze ssh/squeeze tzdata/squeeze tzdata-java/squeeze : updated

wiki:PenguinServer:

2013-10-19      chris
        *       base-files/squeeze grep/squeeze libcdt4/squeeze libcgraph5/squeeze li
bgraph4/squeeze libgraphviz-dev/squeeze libgvc5/squeeze libgvpr1/squeeze libmysqlclie
nt-dev/squeeze libmysqlclient16/squeeze libpathplan4/squeeze libxdot4/squeeze mysql-c
lient-5.1/squeeze mysql-common/squeeze mysql-server-5.1/squeeze mysql-server-core-5.1
/squeeze openssh-client/squeeze openssh-server/squeeze tzdata/squeeze : updated

wiki:ParrotServer:

2013-10-19      chris
        *       base-files/squeeze grep/squeeze libmysqlclient16/squeeze mysql-client
-5.1/squeeze mysql-common/squeeze mysql-server/squeeze mysql-server-5.1/squeeze mysql
-server-core-5.1/squeeze openssh-client/squeeze openssh-server/squeeze tzdata/squeeze
 : updated

[chris]

wiki:PenguinServer updates:

2013-11-17      chris
        *       libcurl3-gnutls/squeeze nginx/squeeze nginx-common/squeeze nginx-full/squeeze : updated

wiki:PuffinServer updates:

2013-11-17      chris
        *       curl/squeeze libcurl3/squeeze libcurl3-gnutls/squeeze libcurl4-openss
l-dev/squeeze : updated

wiki:ParrotServer update:

2013-11-17      chris
        *       curl/squeeze libcurl3/squeeze libcurl3-gnutls/squeeze : updated

[chris]

wiki:PuffinServer updates:

2013-11-21      chris
        *       curl/wheezy libcurl3/wheezy libcurl3-gnutls/wheezy libcurl4-openssl-dev/wheezy : updated

wiki:PenguinServer updates:

2013-11-21      chris
        *       libcurl3-gnutls/squeeze nginx/squeeze nginx-common/squeeze nginx-full/squeeze : updated

wiki:ParrotServer updates:

2013-11-21      chris
        *       curl/squeeze libcurl3/squeeze libcurl3-gnutls/squeeze : updated

[chris]

wiki:PuffinServer updates:

2013-11-21      chris
        *       libmariadbclient-dev/squeeze libmariadbclient18/squeeze libmariadbd-d
ev/squeeze libmysqlclient18/squeeze mariadb-client-5.5/squeeze mariadb-client-core-5.
5/squeeze mariadb-common/squeeze mariadb-server-5.5/squeeze mariadb-server-core-5.5/squeeze mysql-common/squeeze : updated

[chris]

wiki:PuffinServer:

2013-11-25      chris
        *       libnss3/wheezy libnss3-1d/wheezy : updated

[chris]

wiki:PuffinServer:

2013-12-03      chris
        *       libopenjpeg2/wheezy : updated

[chris]

wiki:PenguinServer updates:

2013-12-04      chris
        *       libruby1.8/squeeze libruby1.9.1/squeeze ruby1.8/squeeze ruby1.8-dev/squeeze ruby1.9.1/squeeze ruby1.9.1-dev/squeeze : updated

I also restarted the Webrick server for ​http://patterns.transitionresearchnetwork.org/

[chris]

wiki:PuffinServer updates:

2013-12-09      chris
        *       libsmbclient/wheezy libwbclient0/wheezy samba-common/wheezy samba-common-bin/wheezy smbclient/wheezy : updated

[chris]

wiki:ParrotServer updates:

2013-12-09      chris
        *       munin-common/wheezy munin-node/wheezy munin-plugins-core/wheezy munin-plugins-extra/wheezy : updated

wiki:PuffinServer updates:

2013-12-09      chris
        *       libvarnishapi1/wheezy : updated

2013-12-09      chris
        *       munin-common/wheezy munin-node/wheezy munin-plugins-core/wheezy munin-plugins-extra/wheezy : updated

wiki:PenguinServer:

2013-12-09      chris
        *       munin/wheezy munin-common/wheezy munin-doc/wheezy munin-node/wheezy munin-plugins-core/wheezy munin-plugins-extra/wheezy : updated

Also these lines needed editing in /usr/share/munin/plugins/apt_all on all three servers:

#my @releases = ("stable", "testing","unstable");
my @releases = ("stable");

[chris]

PHP security updates, see ​http://lists.debian.org/debian-security-announce/2013/msg00230.html note thst wiki:PuffinServer doesn't have php from debs anymore, see ticket:629#comment:9.

wiki:ParrotServer:

2013-12-12      chris
        *       libapache2-mod-php5/wheezy php-pear/wheezy php5/wheezy php5-cli/wheezy php5-common/wheezy php5-curl/wheezy php5-dev/wheezy php5-gd/wheezy php5-intl/wheezy php5-mcrypt/wheezy php5-mysql/wheezy php5-xmlrpc/wheezy : updated

wiki:PenguinServer:

2013-12-12      chris
        *       php-pear/wheezy php5/wheezy php5-cli/wheezy php5-common/wheezy php5-fpm/wheezy php5-gd/wheezy php5-mysql/wheezy : updated

[chris]

wiki:PenguinServer updates:

2013-12-14      chris
        *       apt/wheezy apt-utils/wheezy base-files/wheezy libapt-inst1.5/wheezy libapt-pkg4.12/wheezy libexpat1/wheezy libexpat1-dev/wheezy libnet-server-perl/wheezy librsvg2-2/wheezy librsvg2-common/wheezy tzdata/wheezy : updated

wiki:ParrotServer updates:

2013-12-14      chris
        *       apt/wheezy apt-utils/wheezy base-files/wheezy iftop/wheezy libapt-inst1.5/wheezy libapt-pkg4.12/wheezy libexpat1/wheezy libnet-server-perl/wheezy librsvg2-2/wheezy librsvg2-common/wheezy tzdata/wheezy : updated

The wiki:PuffinServer updates are being done on ticket:629#comment:12 and the time for this is being recorded there.

[chris]

wiki:PenguinServer MySQL update:

013-12-16      chris
        *       libmysqlclient-dev/wheezy libmysqlclient18/wheezy mysql-client-5.5/wheezy mysql-common/wheezy mysql-server-5.5/wheezy mysql-server-core-5.5/wheezy : updated

wiki:ParrotServer updates:

2013-12-16      chris
        *       libmysqlclient18/wheezy mysql-client-5.5/wheezy mysql-common/wheezy mysql-server/wheezy mysql-server-5.5/wheezy mysql-server-core-5.5/wheezy : updated

[chris]

wiki:PuffinServer updates:

2013-12-17      chris
        *       libnspr4/wheezy libnspr4-0d/wheezy : updated

[chris]

GPG updates, see ​http://lists.debian.org/debian-security-announce/2013/msg00235.html

wiki:PuffinServer upgrades:

2013-12-18      chris
        *       gnupg-curl : installed
        *       gnupg/wheezy gpgv/wheezy : updated

wiki:PenguinServer upgrades:

2013-12-18      chris
        *       gnupg/wheezy gnupg-curl/wheezy gpgv/wheezy : updated

wiki:ParrotServer updates:

2013-12-18      chris
        *       gnupg-curl : installed
        *       gnupg/wheezy gpgv/wheezy : updated

[chris]

Pixman security updates, see ​http://lists.debian.org/debian-security-announce/2013/msg00237.html

wiki:PuffinServer upgrades:

2013-12-18      chris
        *       libpixman-1-0/wheezy libpixman-1-dev/wheezy : updated

wiki:PenguinServer upgrades:

2013-12-18      chris
        *       libpixman-1-0/wheezy libpixman-1-dev/wheezy : updated

wiki:ParrotServer updates:

2013-12-18      chris
        *       libpixman-1-0/wheezy : updated

[chris]

[SECURITY] [DSA 2824-1] curl security update ​http://lists.debian.org/debian-security-announce/2013/msg00238.html

wiki:ParrotServer updates:

2013-12-19      chris
        *       curl/wheezy libcurl3/wheezy libcurl3-gnutls/wheezy : updated

wiki:PuffinServer:

2013-12-19      chris
        *       curl/wheezy libcurl3/wheezy libcurl3-gnutls/wheezy libcurl4-openssl-dev/wheezy : updated

wiki:PenguinServer:

2013-12-19      chris
        *       libcurl3-gnutls/wheezy : updated

[chris]

DenyHosts security update, ​http://lists.debian.org/debian-security-announce/2013/msg00240.html

wiki:ParrotServer:

2013-12-22      chris
        *       denyhosts/wheezy : updated

wiki:PenguinServer:

2013-12-22      chris
        *       denyhosts/wheezy : updated

[chris]

OpenSSL security update:

Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support
was susceptible to denial of service and retransmission of DTLS messages
was fixed. In addition this updates disables the insecure Dual_EC_DRBG
algorithm (which was unused anyway, see
​http://marc.info/?l=openssl-announce&m=138747119822324&w=2 for further
information) and no longer uses the RdRand feature available on some
Intel CPUs as a sole source of entropy unless explicitly requested.

​https://lists.debian.org/debian-security-announce/2014/msg00001.html

wiki:PuffinServer:

2014-01-01      chris
        *       libssl-dev/wheezy libssl-doc/wheezy libssl1.0.0/wheezy openssl/wheezy : updated

wiki:PenguinServer:

2014-01-01      chris
        *       libssl1.0.0/wheezy openssl/wheezy : updated

wiki:ParrotServer:

2014-01-01      chris
        *       libssl-dev/wheezy libssl-doc/wheezy libssl1.0.0/wheezy openssl/wheezy : updated

[chris]

wiki:PuffinServer devscripts security update ​https://lists.debian.org/debian-security-announce/2014/msg00004.html

014-01-05      chris
        *       devscripts/wheezy : updated

[chris]

OpenSSL security update, ​https://lists.debian.org/debian-security-announce/2014/msg00005.html

wiki:PuffinServer updates:

2014-01-07      chris                                                                        
*       libssl-dev/wheezy libssl-doc/wheezy libssl1.0.0/wheezy openssl/wheezy : updated

wiki:PenguinServer updates:

2014-01-07      chris
        *       libssl1.0.0/wheezy openssl/wheezy : updated

wiki:ParrotServer updates:

2014-01-07      chris                                                                        *       libssl-dev/wheezy libssl-doc/wheezy libssl1.0.0/wheezy openssl/wheezy : updated

[chris]

Debian libxfont security update, ​https://lists.debian.org/debian-security-announce/2014/msg00006.html

wiki:PuffinServer:

2014-01-07      chris
        *       libxfont1/wheezy : updated

wiki:PenguinServer:

2014-01-07      chris
        *       libxfont1/wheezy : updated

[chris]

Graphviz security update ​https://lists.debian.org/debian-security-announce/2014/msg00011.html

wiki:PuffinServer:

2014-01-14      chris
        *       libcdt4/wheezy libcgraph5/wheezy libgraph4/wheezy libgraphviz-dev/wheezy libgvc5/wheezy libgvpr1/wheezy libpathplan4/wheezy libxdot4/wheezy : updated

wiki:PenguinServer:

2014-01-14      chris
        *       libcdt4/wheezy libgraph4/wheezy libgvc5/wheezy libpathplan4/wheezy libxdot4/wheezy : updated

[chris]

​MySQL 5.5 security update:

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's
Critical Patch Update advisory for further details:

• ​http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-34.html
• ​http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-35.html
• ​http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.35+dfsg-0+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 5.5.35+dfsg-1.

We recommend that you upgrade your mysql-5.5 packages.

wiki:ParrotServer updates:

2014-01-23      chris
        *       libmysqlclient18/wheezy mysql-client-5.5/wheezy mysql-common/wheezy mysql-server/wheezy mysql-server-5.5/wheezy mysql-server-core-5.5/wheezy : updated

wiki:PenguinServer updates:

2014-01-23      chris
        *       libmysqlclient-dev/wheezy libmysqlclient18/wheezy mysql-client-5.5/wheezy mysql-common/wheezy mysql-server-5.5/wheezy mysql-server-core-5.5/wheezy : updated

[chris]

​denyhosts regression update:

A regression has been found on the denyhosts packages fixing
CVE-2013-6890. This regression could cause an attempted breakin attempt
to be missed by denyhosts, which would then fail to enforce a ban.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.6-7+deb6u3.

For the stable distribution (wheezy), this problem has been fixed in
version 2.6-10+deb7u3.

For the testing (jessie) and unstable (sid) distribution, the package denyhosts
has been removed, and its users are encouraged to switch to an alternative like
fail2ban.

We recommend that you upgrade your denyhosts packages.

wiki:PenguinServer:

2014-01-23      chris
        *       denyhosts/wheezy : updated

wiki:ParrotServer:

2014-01-23      chris
        *       denyhosts/wheezy : updated

[chris]

New MariaDB for wiki:PuffinServer:

2014-01-29      chris
        *       libmariadbclient-dev/wheezy libmariadbclient18/wheezy libmariadbd-dev/wheezy libmysqlclient18/wheezy mariadb-client-5.5/wheezy mariadb-client-core-5.5/wheezy mariadb-common/wheezy mariadb-server-5.5/wheezy mariadb-server-core-5.5/wheezy mysql-common/wheezy : updated

No announcement on the list yet regarding the reason for this update, see:

• ​http://lists.askmonty.org/pipermail/announce/2014-January/thread.html

[chris]

Debian ​curl security update:

wiki:PuffinServer update:

2014-01-31      chris
        *       curl/wheezy libcurl3/wheezy libcurl3-gnutls/wheezy libcurl4-openssl-dev/wheezy : updated

wiki:PenguinServer update:

2014-01-31      chris
        *       libcurl3-gnutls/wheezy : updated

wiki:ParrotServer:

2014-01-31      chris
        *       curl/wheezy libcurl3/wheezy libcurl3-gnutls/wheezy : updated

[chris]

Debian ​libyaml security update.

wiki:PenguinServer:

14-02-01      chris
       *       libyaml-0-2/wheezy : updated

[chris]

No announcement on ​the list for these updates yet

wiki:ParrotServer updates:

2014-02-08      chris
        *       apache2-mpm-itk/wheezy apache2-utils/wheezy apache2.2-bin/wheezy apache2.2-common/wheezy base-files/wheezy libc-bin/wheezy libc-dev-bin/wheezy libc6/wheezy libc6-dev/wheezy libssl-dev/wheezy libssl-doc/wheezy libssl1.0.0/wheezy linux-libc-dev/wheezy locales/wheezy multiarch-support/wheezy openssl/wheezy tzdata/wheezy wget/wheezy : updated

wikiPenguinServer updates:

2014-02-08      chris
        *       base-files/wheezy libc-bin/wheezy libc-dev-bin/wheezy libc6/wheezy libc6-dev/wheezy libssl1.0.0/wheezy linux-libc-dev/wheezy locales/wheezy multiarch-support/wheezy openssl/wheezy tzdata/wheezy wget/wheezy : updated

wiki:PuffinServer:

2014-02-08      chris
        *       base-files/wheezy libc-bin/wheezy libc-dev-bin/wheezy libc6/wheezy libc6-dbg/wheezy libc6-dev/wheezy libssl-dev/wheezy libssl-doc/wheezy libssl1.0.0/wheezy libupsclient1/wheezy linux-libc-dev/wheezy locales/wheezy multiarch-support/wheezy openssl/wheezy tzdata/wheezy tzdata-java/wheezy wget/wheezy whois/wheezy : updated

[chris]

wiki:PuffinServer sent me this email:

/usr/sbin/metche: line 196: warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory                        

So I ran:

aptitude install locales-all

And I edited /etc/locale.gen and uncommented these lines:

en_GB.UTF-8 UTF-8
en_US.UTF-8 UTF-8

And ran:

locale-gen

And I edited /etc/default/locale to:

LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_ALL=en_US.UTF-8

Hopefully this will have solved this issue.

[chris]

Debian security update ​libyaml regression update, wiki:PenguinServer:

2014-02-12      chris
        *       libyaml-0-2/wheezy : updated

[chris]

Debian ​file security update wiki:ParrotServer:

2014-02-16      chris
        *       file/wheezy libmagic1/wheezy : updated

wiki:PenguinServer:

2014-02-16      chris
        *       file/wheezy libmagic1/wheezy : updated

wiki:PuffinServer:

2014-02-16      chris
        *       file/wheezy libmagic1/wheezy python-magic/wheezy : updated

[chris]

wiki:PuffinServer ​update:

2014-02-20      chris
        *       libpq5/wheezy : updated

[chris]

​gnutls26 security update, wiki:ParrotServer update:

014-02-22      chris
        *       libgnutls26/wheezy : updated

wiki:PuffinServer:

014-02-22      chris
        *       libgnutls-dev/wheezy libgnutls-openssl27/wheezy libgnutls26/wheezy libgnutlsxx27/wheezy : updated

wiki:PenguinServer:

2014-02-22      chris
        *           libgnutls26/wheezy : updated

[jim]

Hi Chris: do you know a way I can stop being updated about this ticket? I'm not in the CC list, but have replied in the past here so that might be it...

I don't want to be removed from Trac or notifications, just those for this ticket!

[chris]

Replying to jim:

Hi Chris: do you know a way I can stop being updated about this ticket? I'm not in the CC list, but have replied in the past here so that might be it...

I don't want to be removed from Trac or notifications, just those for this ticket!

According to this ​http://dev.piwik.org/trac/ticket/3362 there isn't a way, so I'll close this ticket and open a new one for debian updates next time there are some.

[jim]

Ah, that's a minor bummer...

OK, thanks for the migration! Probably nice to have a new one for 2014 anyway ;-)

[chris]

This ticket was superseded by ticket:692 on 2014-02-25.