Emails & Telephone calls

[paul]

Emails [10th] 0,15

[paul]

Emails [18th] 0,15

[paul]

Calls [24th] 0,20

[paul]

Emails [31st] 0,30

[paul]

Emails [31st] 0,15

[paul]

Skype call [19th June]

[ben]

Skype call

[annesley]

Skype call [19th June]

[paul]

Just checked to see if the recent rounds of security updates apply to TN. No - all good.

[paul]

Just checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

[paul]

Yesterday:

Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.

Email reply to Annesley / TN

[paul]

Conversation on mailing list about updating production.

[paul]

Email exchange on mailing list and follow up on BOA issue.

​https://github.com/omega8cc/boa/issues/527

[paul]

A few responses to the mailing list conversation, will continue reading tomorrow

[paul]

Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.

[paul]

Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

​https://booker-stage-20141120.transitionnetwork.org/admin/reports/updates

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

​​https://booker-stage-20141120.transitionnetwork.org/admin/reports/updates

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. Views needs updating ..

[paul]

Updated the live site & profile on github.

Email exchange with Ade.

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. Webform needs updating ..

[paul]

Updated the live site. Profile does not need updating.

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. Drupal core, CTools & Webform needs updating ..

[paul]

Load error while building a new platfrom

[paul]

Trying to build the platform again ..

[paul]

Worked second time ..

[paul]

Built new stage/production platforms for 6.35 (Both platforms failed first time).
Migrated stage/production sites (www. & news.) over to the new platforms .
Production sites up and running:
​​https://www.transitionnetwork.org/admin/reports/status
Updated the profile and pushed up to my git repository.

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

[paul]

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

Responded to mailing list.

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Email communications.

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Email communications

[paul]

Investigating the TN site on PHP 5.5.3

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Email communications

[paul]

Email communications

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Chris, is this something that affects us ..

View online: ​https://www.drupal.org/node/2492317

• Advisory ID: DRUPAL-SA-CONTRIB-2014-113
• Project: Hostmaster (Aegir) [1] (third-party module)
• Version: 6.x, 7.x
• Date: 2015-May-20
• Security risk: 13/25 ( Moderately Critical) AC:Complex/A:Admin/CI:All/II:Some/E:Theoretical/TD:Default [2]
• Vulnerability: Arbitrary PHP code execution

[paul]

I almost missed this as this update looks to be a platform level update that is not shown on the drupal updates page.

​https://booker-stage-20150319.transitionnetwork.org/admin/reports/updates

[paul]

Email communications (I'll send an updated invoice later in the month )

[paul]

Email communications

[paul]

Email communications & reading through wiki page.
​https://wiki.transitionnetwork.org/BOA_Server/Development_workflow

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Checked to see if there are any drupal security updates to apply to TN. The following needs to be applied

View online: ​https://www.drupal.org/SA-CORE-2015-002

• Advisory ID: DRUPAL-SA-CORE-2015-002
• Project: Drupal core [1]
• Version: 6.x, 7.x
• Date: 2015-June-17
• Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
• Vulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilities

However , it looks as though pressflow haven't posted a response to the security update:

​https://github.com/omega8cc/boa/search?q=pressflow

The following link currently gives a 404

​http://files.aegir.cc/core/pressflow-6.36.1.tar.gz

I'll try again later this afternoon.

[chris]

I don't know if this is relevant, but the latest version of BOA, which we are not running, see ticket:854, didn't have a Pressflow update, the latest version of Pressflow from BOA is Pressflow 6.34 and that came out with BOA-2.3.7 in November 2014.

Does the site use the OpenID module? That is the only Drupal 6 issue in ​SA-CORE-2015-002.

Impersonation (OpenID module - Drupal 6 and 7 - Critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).

I have also added myself and Ade as CCs for this ticket, I hopw that is OK.

[paul]

Thanks Chris,

We're not using the OpenID so we can skip the core update. I would normally just apply any core update.

I'll update the following ..

View online: ​https://www.drupal.org/node/2507753

• Advisory ID: DRUPAL-SA-CONTRIB-2015-126
• Project: Content Construction Kit (CCK) [1] (third-party module)
• Version: 6.x
• Date: 2015-June-17
• Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
• Vulnerability: Open Redirect

Next time we have a core update that needs to be applied: I'll investigate further how to proceed.

[paul]

Updated CCK on the stage / live sites.

[paul]

Checked to see if there are any drupal security updates to apply to TN. No - all good.

[paul]

Applied the the following drupal security update to TN.

View online: ​https://www.drupal.org/node/2516688

• Advisory ID: DRUPAL-SA-CONTRIB-2015-131
• Project: Views Bulk Operations (VBO) [1] (third-party module)
• Version: 6.x, 7.x
• Date: 2015-July-01
• Security risk: 10/25 ( Moderately Critical) AC:Basic/A:Admin/CI:None/II:All/E:Theoretical/TD:Uncommon [2]
• Vulnerability: Access bypass

[paul]

No drupal security updates need to be applied this week.

I noticed that VBO appeared to still need a security update; but in fact it had already been applied on the the stage server.

​https://booker-stage-20150319.transitionnetwork.org/admin/reports/updates

I doubled checked that this update was also applied on the live site:

puffin:/data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/all/modules/contrib# cat views_bulk_operations/views_bulk_operations.info
name = Views Bulk Operations
description = Exposes new Views style 'Bulk Operations' for selecting multiple nodes and applying operations on them.
dependencies[] = views
package = Views
core = 6.x
php = 5.0

; Information added by drupal.org packaging script on 2013-06-21
version = "6.x-1.15"
core = "6.x"
project = "views_bulk_operations"
datestamp = "1371815759"

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

The following drupal security updates need to be applied this week:

View online: ​https://www.drupal.org/SA-CORE-2015-003

• Advisory ID: DRUPAL-SA-CORE-2015-003
• Project: Drupal core [1]
• Version: 6.x, 7.x
• Date: 2015-August-19
• Security risk: 18/25 ( Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All [2]
• Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities

This security advisory fixes multiple vulnerabilities.

View online: ​https://www.drupal.org/node/2554145

• Advisory ID: DRUPAL-SA-CONTRIB-2015-141
• Project: Chaos tool suite (ctools) [1] (third-party module)
• Version: 6.x, 7.x
• Date: 2015-August-19
• Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
• Vulnerability: Cross Site Scripting, Access bypass, Multiple vulnerabilities

I'll get these done first thing in the morning.

[paul]

Chris,

Are we no longer getting security updates for drupal?

​https://github.com/omega8cc/boa/search?q=pressflow
​http://files.aegir.cc/core/pressflow-6.38.1.tar.gz

Paul

[chris]

Replying to paul:

Are we no longer getting security updates for drupal?

​https://github.com/omega8cc/boa/search?q=pressflow
​http://files.aegir.cc/core/pressflow-6.38.1.tar.gz

As I recall we stopped doing BOA updates a while ago due to the fact that we couldn't agree on upgrading to a supported version of PHP (we tried to clone PuffinServer to do a test run but that failed, we don't have a dev server to test on as the dev server was dropped with the switch to BOA because, as I remember, it was deemed that the cost saving was more important than being able to test updates), so we are stuck with BOA 2.4.2, see wiki:PuffinServer#Upgradetickets.

I see that the latest ​Pressflow, ​6.37.120 has merged in Drupal core 6.37 which has fixes for ​SA-CORE-2015-003, ​BOA has Pressflow 6.37.1, it appear to me that BOA hasn't yet added Pressflow 6.37.120?

I would expect that support for this will be added and a new BOA release will happen very soon.

There are security issues that could impact us in ​SA-CORE-2015-003:

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

Cross-site Request Forgery - Form API - Drupal 6 and 7

A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

In terms of what we can do I would suggest two options:

1. Build a new BOA server and use that for testing the existing site with a supported version of PHP following the BOA migration documentation. If this works OK make this new server the live server and switch off PuffinServer (the IP address can be moved to the new server saving a DNS update and minimising downtime for the site).
2. Abandon BOA and build a new server without it.

Either of the above two options would have a significant time and therefore cost implication so some alternative options might have to be though of?

This issue probably deserves a new ticket and/or a email to the ttech list or even a conference call?

[sam]

Hi all

Ade will be back from holiday soon. I'm pretty sure he won't want to
spend much on any BOA re-configuration, so my guess is that we'll be
looking to move the site to a more usual /dev /stage /live kind of
setup without BOA. But that's a decision for Ade.

In the short term, looking to mitigate the risks;

>  There are security issues that could impact us in [https://www.drupal.org
>  /SA-CORE-2015-003 SA-CORE-2015-003]:
>  > This vulnerability is mitigated by the fact that the malicious user must
>  be allowed to upload files.

Disabling any user file uploads would mitigate this.

>  > == Cross-site Request Forgery - Form API - Drupal 6 and 7 ==
>  > This vulnerability is mitigated by the fact that the uploaded files
>  would be temporary,

Again disabling any user file uploads would mitigate this.

>  > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7
>  > Users without the "access content" permission can see the titles of
>  nodes that they do not have access to, if the nodes are added to a menu on
>  the site that the users have access to.

I can't think of a situation on the current configuration which would
be a problem for us.

So today I'll have a look through all the forms and disable and user
uploads which should give us some breathing space..

Thanks

Sam


>
>  In terms of what we can do I would suggest two options:
>
>  1. Build a new BOA server and use that for testing the existing site with
>  a supported version of PHP following the BOA migration documentation. If
>  this works OK make this new server the live server and switch off
>  PuffinServer (the IP address can be moved to the new server saving a DNS
>  update and minimising downtime for the site).
>  2. Abandon BOA and build a new server without it.
>
>  Either of the above two options would have a significant time and
>  therefore cost implication so some alternative options might have to be
>  though of?
>
>  This issue probably deserves a new ticket and/or a email to the ttech list
>  or even a conference call?
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.

[paul]

Hello,

The choice seems to be do nothing or do something, both incur a significant cost, one financial the other relating to the security of users who use the website. We have responsibility to do something, so we may as well implement whatever solution will be the easiest to use going forward.

I think having a new server would be my preference. We can then have things setup how we want them (using git and branches, ..), and do things more quickly.

Best, Paul

[chris]

Replying to sam:

So today I'll have a look through all the forms and disable and user
uploads which should give us some breathing space..

Nice one.

[paul]

That all sound good Sam. Thanks. Let me know if you have any questions.

Best, Paul

[sam]

Hi all

So I disabled the three webforms that allowed file upload (all old and
not in use in any case)
https://www.transitionnetwork.org/admin/content/webform

I also unchecked topmost 'upload' box on this page & saved
https://www.transitionnetwork.org/admin/settings/imce/profile/edit/2

I think that should cover it, unless anyone else can think of areas
where users can upload files?

The only thing I think this breaks is users being able to add images to:

* Projects - we hardly get any of these anyway, I've made a note on
the form for users to email these to us if they want to include a
photo.

*Initiative profile - Again very low volume, I've made a note on the
form for users to email these to us if they want to include a photo.

I'll email staff to let them know just in case there are any
unexpected consequences, I very much doubt anyone will notice though..

Thanks

Sam

On 21 August 2015 at 11:17, Sam Rossiter
<samrossiter@transitionnetwork.org> wrote:
> Hi all
>
> Ade will be back from holiday soon. I'm pretty sure he won't want to
> spend much on any BOA re-configuration, so my guess is that we'll be
> looking to move the site to a more usual /dev /stage /live kind of
> setup without BOA. But that's a decision for Ade.
>
> In the short term, looking to mitigate the risks;
>
>>  There are security issues that could impact us in [https://www.drupal.org
>>  /SA-CORE-2015-003 SA-CORE-2015-003]:
>>  > This vulnerability is mitigated by the fact that the malicious user must
>>  be allowed to upload files.
>
> Disabling any user file uploads would mitigate this.
>
>>  > == Cross-site Request Forgery - Form API - Drupal 6 and 7 ==
>>  > This vulnerability is mitigated by the fact that the uploaded files
>>  would be temporary,
>
> Again disabling any user file uploads would mitigate this.
>
>>  > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7
>>  > Users without the "access content" permission can see the titles of
>>  nodes that they do not have access to, if the nodes are added to a menu on
>>  the site that the users have access to.
>
> I can't think of a situation on the current configuration which would
> be a problem for us.
>
> So today I'll have a look through all the forms and disable and user
> uploads which should give us some breathing space..
>
> Thanks
>
> Sam
>
>
>>
>>  In terms of what we can do I would suggest two options:
>>
>>  1. Build a new BOA server and use that for testing the existing site with
>>  a supported version of PHP following the BOA migration documentation. If
>>  this works OK make this new server the live server and switch off
>>  PuffinServer (the IP address can be moved to the new server saving a DNS
>>  update and minimising downtime for the site).
>>  2. Abandon BOA and build a new server without it.
>>
>>  Either of the above two options would have a significant time and
>>  therefore cost implication so some alternative options might have to be
>>  though of?
>>
>>  This issue probably deserves a new ticket and/or a email to the ttech list
>>  or even a conference call?
>>
>> --
>> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64>
>> Transition Technology <https://tech.transitionnetwork.org/trac>
>> Support and issues tracking for the Transition Network Web Project.

[sam]

Ah one more:

Removed jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp from the
list of allowed files for role "authenticated user" here:
https://www.transitionnetwork.org/admin/settings/uploads

Thanks

Sam

On 21 August 2015 at 11:31, Sam Rossiter
<samrossiter@transitionnetwork.org> wrote:
> Hi all
>
> So I disabled the three webforms that allowed file upload (all old and
> not in use in any case)
> https://www.transitionnetwork.org/admin/content/webform
>
> I also unchecked topmost 'upload' box on this page & saved
> https://www.transitionnetwork.org/admin/settings/imce/profile/edit/2
>
> I think that should cover it, unless anyone else can think of areas
> where users can upload files?
>
> The only thing I think this breaks is users being able to add images to:
>
> * Projects - we hardly get any of these anyway, I've made a note on
> the form for users to email these to us if they want to include a
> photo.
>
> *Initiative profile - Again very low volume, I've made a note on the
> form for users to email these to us if they want to include a photo.
>
> I'll email staff to let them know just in case there are any
> unexpected consequences, I very much doubt anyone will notice though..
>
> Thanks
>
> Sam
>
> On 21 August 2015 at 11:17, Sam Rossiter
> <samrossiter@transitionnetwork.org> wrote:
>> Hi all
>>
>> Ade will be back from holiday soon. I'm pretty sure he won't want to
>> spend much on any BOA re-configuration, so my guess is that we'll be
>> looking to move the site to a more usual /dev /stage /live kind of
>> setup without BOA. But that's a decision for Ade.
>>
>> In the short term, looking to mitigate the risks;
>>
>>>  There are security issues that could impact us in [https://www.drupal.org
>>>  /SA-CORE-2015-003 SA-CORE-2015-003]:
>>>  > This vulnerability is mitigated by the fact that the malicious user must
>>>  be allowed to upload files.
>>
>> Disabling any user file uploads would mitigate this.
>>
>>>  > == Cross-site Request Forgery - Form API - Drupal 6 and 7 ==
>>>  > This vulnerability is mitigated by the fact that the uploaded files
>>>  would be temporary,
>>
>> Again disabling any user file uploads would mitigate this.
>>
>>>  > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7
>>>  > Users without the "access content" permission can see the titles of
>>>  nodes that they do not have access to, if the nodes are added to a menu on
>>>  the site that the users have access to.
>>
>> I can't think of a situation on the current configuration which would
>> be a problem for us.
>>
>> So today I'll have a look through all the forms and disable and user
>> uploads which should give us some breathing space..
>>
>> Thanks
>>
>> Sam
>>
>>
>>>
>>>  In terms of what we can do I would suggest two options:
>>>
>>>  1. Build a new BOA server and use that for testing the existing site with
>>>  a supported version of PHP following the BOA migration documentation. If
>>>  this works OK make this new server the live server and switch off
>>>  PuffinServer (the IP address can be moved to the new server saving a DNS
>>>  update and minimising downtime for the site).
>>>  2. Abandon BOA and build a new server without it.
>>>
>>>  Either of the above two options would have a significant time and
>>>  therefore cost implication so some alternative options might have to be
>>>  though of?
>>>
>>>  This issue probably deserves a new ticket and/or a email to the ttech list
>>>  or even a conference call?
>>>
>>> --
>>> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64>
>>> Transition Technology <https://tech.transitionnetwork.org/trac>
>>> Support and issues tracking for the Transition Network Web Project.

[paul]

Sounds like you got this one covered. Thanks Sam!

[sam]

If we define 'covered' as deliberately breaking a load of stuff then yes :)

I figure we should work out a proper solution for this fairly soon,
but obviously Ade needs to be involved in that. At least this way we
can think about what to do without sitting on an insecure site..

Ta

Sam

On 21 August 2015 at 11:44, Transition Technology Trac
<trac@tech.transitionnetwork.org> wrote:
> #701: Emails & Telephone calls
> -------------------------------------+-------------------------------------
>            Reporter:  paul           |                      Owner:  ed
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Unassigned     |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>         Total Hours:  21.3           |                  Billable?:  1
> -------------------------------------+-------------------------------------
>
> Comment (by paul):
>
>  Sounds like you got this one covered. Thanks Sam!
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:73>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.

[paul]

Yes :D covered - for now :)

[chris]

BTW I saw ed was CC'd in on this ticket as he owned it, so I have changed the owner to paul. It isn't clear to me why the other people that get copies of these comments are CC'd (see the email headers) as they are not listed as ticket CC's?

[paul]

No additional security updates need to be applied.

Here is a first draft of how we could try to do the core updates manually:

Download and extract the latest Drupal tar ball.

Remove all .txt files and the sites folder.

From the stage/production directory (under /data/disk/tn/static) remove all .php files, and the following directories: includes/ modules/, misc/ , profiles/, themes/. However, keep the following modules and links in the modules directory: simpletest, path_alias_cache, o_contrib@, cookie_cache_bypass

Copy over the remaining files and folders from the drupal tarball to the stage/production directory.

Best, Paul

[paul]

I have manually updated ctools and views_bulk_operations on the live site (fairly straightforward). I thought these updates were already done. Apologies, if this is down to an error on my part.

Tomorrow, I'll try to update drupal core on my stage site following the instructions I documented earlier. If the the update looks successful we can then test the site to see if there are any problems.

Best, Paul

[paul]

Email communication.

[paul]

No drupal security updates need to be applied this week.

I still need to try updating drupal core on my stage site. I'll see if I can do this later this afternoon.

[paul]

It's actually fairly straightforward to update core manually.

Can I just get confirmation that we have a backup of the live site. I'll then manually update core on the live site.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

Files directory not fully protected.

[paul]

No drupal security updates needed to be applied this week.

However, I took the opportunity to manually update core and update the database. After updating core I also deleted the current files/ .htaccess file (see screenshot) and regenerated this from the files system page.

​https://www.transitionnetwork.org/admin/reports/status
​https://www.transitionnetwork.org/admin/settings/file-system

[chris]

Replying to paul:

I also deleted the current files/ .htaccess file (see screenshot) and regenerated this from the files system page.

Note that since we are using Nginx and not Apache that all .htaccess files will be ignored and have no effect.

If there are some new rules from a .htaccess file that we need to add to the Ngnix config then we will have to do that manually -- where is the .htaccess file you recreated? I could check it against the Ngnix config (if I can actually find it in the BOA created mess of config files...).

[chris]

So looking for the .htaccess file, there are 96 on the server...

updatedb
locate .htaccess

It seems like /data/disk/tn/static/sites/transitionnetwork.org-PROD/files/.htaccess is the one? It contains:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_flag engine off
</IfModule>

So all it is doing is disabling PHP for the uploads directory. I would guess that this is already covered, so to test it I created /data/disk/tn/static/sites/transitionnetwork.org-PROD/files/info.php containing:

<?php phpinfo(); ?>

And it is available here:

• ​https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/info.php

And it is served with the default Nginx Mime type, Content-Type: application/octet-stream and not processed, so we are covered.

[paul]

Thanks Chris. I forgot we are using Nginx.

The .htaccess is located here:

/data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/www.transitionnetwork.org/files

It has the same content as the file you referenced above.

Looks good:

$ curl -I https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/info.php
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Nov 2015 14:00:45 GMT
Content-Type: application/octet-stream
Content-Length: 20
Connection: keep-alive
Last-Modified: Thu, 05 Nov 2015 13:46:36 GMT
ETag: "563b5dbc-14"
Expires: Sat, 05 Dec 2015 14:00:45 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Strict-Transport-Security: max-age=15768000

[paul]

Removed the info.php file.

[paul]

No drupal security updates need to be applied this week.

Modules unsupported this week: Hierarchical Select

This the first module to become unsupported for Drupal 6. If we know that we are not using any particular unsupported module on the website we should disable the module, just in case there are unresolved security issues with the module.

[paul]

No drupal security updates need to be applied this week.

Would you like me to provide extended support for Drupal 6 when it becomes unsupported by the community?

If so, we will need to read up on the security team process (i.e. go through the handbook pages) and contact the security team for further guidance.

​https://www.drupal.org/d6-lts-support
​https://www.drupal.org/node/2287855

[chris]

Replying to paul:

Would you like me to provide extended support for Drupal 6 when it becomes unsupported by the community?

I can't answer that (I don't know what the plans are regarding continuing to use Drupal 6 or switching to something else, can anyone shed any light on this?) but I did open a ticket for this issue: ticket:883.

[paul]

No drupal security updates need to be applied this week.

[paul]

The following drupal security updates have been applied this week:

View online: ​https://www.drupal.org/node/2627448

• Advisory ID: DRUPAL-SA-CONTRIB-2015-168
• Project: Mollom [1] (third-party module)
• Version: 6.x
• Date: 2015-December-02
• Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
• Vulnerability: Access bypass

[paul]

Investigating the news website as per email communications.

[paul]

Confirmed that the news website is up to date.

​http://news.transitionnetwork.org/admin/reports/updates

The main administrative account is currently assigned to me. If you need to change this in the future you can do this with drush:

513 cd /data/disk/tn/static/
514 ls
515 cd transition-network-d6-35-p001b-booker/sites/news.transitionnetwork.org/
516 ls -la
517 sudo -u tn drush uli

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

Email communications.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

Reviewing recent emails. Phone conversation with Ade.

Email communications.

[paul]

The following drupal security updates have been applied this week:

View online: ​https://www.drupal.org/node/2666446

• Advisory ID: DRUPAL-SA-CONTRIB-2016-pending
• Project: Embedded Media Field [1] (third-party module)
• Version: 6.x
• Date: 2016-February-10
• Security risk: 19/25 ( Critical) AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
• Vulnerability: Cross Site Scripting

[paul]

No drupal security updates need to be applied this week.

[paul]

Awaiting drupal 6 security updates from the LTS vendors.

​https://www.drupal.org/project/d6lts

View online: ​https://www.drupal.org/SA-CORE-2016-001

• Advisory ID: SA-CORE-2016-001
• Project: Drupal core [1]
• Version: 6.x, 7.x, 8.x
• Date: 2016-February-24
• Security risk: 15/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
• Vulnerability: Multiple vulnerabilities

View online: ​https://www.drupal.org/node/2674854

• Advisory ID: DRUPAL-SA-CONTRIB-2016-008
• Project: FileField? [1] (third-party module)
• Version: 6.x
• Date: 2016-February-24
• Security risk: 11/25 ( Moderately Critical) AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All [2]
• Vulnerability: Denial of Service

The "Available updates" page was showing everything as "Not supported" so I have disabled the Update status & Update status advanced settings modules.

I'll pick this up again later today after talking to security team / LTS vendors.

[paul]

There have been official releases for these security updates.

Both of these drupal security updates have now been applied.

[paul]

No drupal security updates need to be applied today. I'll check again tomorrow morning.

​https://www.drupal.org/node/2284611/commits
​https://www.drupal.org/project/d6lts/git-instructions
​https://www.drupal.org/project/d6lts

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

Taken a backup of the database.

[paul]

There were drupal security updates that needed to be applied this week:

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/features# patch -p1 < features-sdo-138758-15-D6.patch
patching file features.admin.inc
Hunk #1 succeeded at 596 (offset -6 lines).
Hunk #2 succeeded at 619 (offset -6 lines).

​https://www.drupal.org/node/2705751

There are some other security issues in review. I'll apply these as soon as they are reviewed.
​https://www.drupal.org/project/issues/d6lts

[paul]

There were drupal security updates that needed to be applied this week:

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1 < SA-CONTRIB-2014-054-6.x-2.x.patch
patching file includes/view.inc
patching file plugins/views_plugin_display.inc

​https://www.drupal.org/node/2710259

[paul]

No drupal security updates need to be applied this week.

Taken a backup of the code & database.

​https://www.drupal.org/node/2284611/commits

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

There were drupal security updates that needed to be applied this week:

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/xmlsitemap# patch -p1 < SA-CONTRIB-2016-030-6.x-2.x.patch
patching file xsl/xmlsitemap.xsl.js
puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/xmlsitemap#

​https://www.drupal.org/node/2733569#comment-11229739

[paul]

No drupal security updates need to be applied this week.

Taken a backup of the code, files & database.

puffin:/data/disk/tn/static# ls -la
lrwxrwxrwx  1 root   users   37 Mar  3 10:38 tn -> transition-network-d6-35-p001b-booker/

puffin:/data/disk/tn/static# tar -cf - tn | gzip > tn.20160602.tar.gz
puffin:/data/disk/tn/static# mv tn.20160602.tar.gz /home/paul/

puffin:/data/disk/tn/static/tn/sites/www.transitionnetwork.org# ls -l
total 472K

lrwxrwxrwx 1 tn users      60 Jun 14  2013 files -> /data/disk/tn/static/sites/transitionnetwork.org-PROD/files//

puffin:/data/disk/tn/static/sites/transitionnetwork.org-PROD# tar -cf - files | gzip > tn.files.20160602.tar.gz
puffin:/data/disk/tn/static/sites/transitionnetwork.org-PROD# mv tn.files.20160602.tar.gz /home/paul/

scp -r transitionnetwork.org:tn.20160602.tar.gz .
scp -r transitionnetwork.org:tn.files.20160602.tar.gz .

I had previously missed the flies directory.

Let me know if I should take the time to set the website up on my local server to confirm that we can rebuild the website from the above backup.

I have taken a backup of the database with the Backup & Migrate module. I'll investigate how to take a manual backup of the database later this afternoon.

[chris]

Paul I'm not sure the work you are doing on backups is necessary, we have 60 days worth of MySQL and files backed up that you can access, see wiki:PuffinServer#Backups and in addition we have 60 days worth of snapshots of the whole servers (which only Webarchitects can access).

[paul]

Sorry, I'll have a look at these. Are we testing these backups somewhere?

[chris]

No, I haven't done any testing of the backups.

[paul]

No drupal security updates need to be applied this week.

[paul]

There were drupal security updates that needed to be applied this week:

Issue status update for:
​https://www.drupal.org/node/2749407
Update issue:
​https://www.drupal.org/node/2749407/edit

Current issue values:
Status: Active
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files:

SA-CONTRIB-2016-036-6.x-2.x.patch [1]
SA-CONTRIB-2016-036-6.x-3.x.patch [2]

Reporter: dsnopek [3]
Created: June 15, 2016 - 20:27
Updated: June 15, 2016 - 20:27
The issue described in Views - Less Critical - Access Bypass -
SA-CONTRIB-2016-036 [4] also affects Drupal 6! A series of patches are
attached for different versions of views.

[1] ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-2.x.patch
[2] ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-3.x.patch
[3] ​https://www.drupal.org/u/dsnopek
[4] ​https://www.drupal.org/node/2749333

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1 < SA-CONTRIB-2016-036-6.x-2.x.patch 
patching file modules/statistics.views.inc
patching file modules/statistics/views_handler_field_node_counter_timestamp.inc
patching file modules/statistics/views_handler_field_statistics_numeric.inc

The database did not need updating unlike the corresponding security release for Drupal 7.

Note:

If anyone should need access to the database update script from their user account, you can uncomment the following line:

puffin:/data/disk/tn/static/tn# nano sites/www.transitionnetwork.org/settings.php 

#$update_free_access = TRUE;

[sam]

Thanks Paul..

On 16 June 2016 at 11:20, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:

> #701: Emails & Telephone calls
> -------------------------------------+-------------------------------------
>            Reporter:  paul           |                      Owner:  paul
>                Type:  maintenance    |                     Status:
>            Priority:  major          |  assigned
>           Component:  Drupal         |                  Milestone:
>   modules & settings                 |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0.75           |  Estimated Number of Hours:  0.0
>         Total Hours:  39.7           |                  Billable?:  1
> -------------------------------------+-------------------------------------
> Changes (by paul):
>
>  * hours:  0.0 => 0.75
>  * totalhours:  39.7 => 40.45
>
>
> Comment:
>
>  There were drupal security updates that needed to be applied this week:
>
>  Issue status update for:
>  https://www.drupal.org/node/2749407
>  Update issue:
>  https://www.drupal.org/node/2749407/edit
>
>  Current issue values:
>  Status:    Active
>  Priority:  Normal
>  Category:  Task
>  Component: Code
>  Assigned:  Unassigned
>  Project:   Drupal 6 Long Term Support
>  Files:
>      SA-CONTRIB-2016-036-6.x-2.x.patch [1]
>      SA-CONTRIB-2016-036-6.x-3.x.patch [2]
>  Reporter:  dsnopek [3]
>  Created:   June 15, 2016 - 20:27
>  Updated:   June 15, 2016 - 20:27
>  The issue described in Views - Less Critical - Access Bypass -
>  SA-CONTRIB-2016-036 [4] also affects Drupal 6! A series of patches are
>  attached for different versions of views.
>
>
>  [1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-2.x.patch
>  [2] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-3.x.patch
>  [3] https://www.drupal.org/u/dsnopek
>  [4] https://www.drupal.org/node/2749333
>
>
>  {{{
>  puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1
>  < SA-CONTRIB-2016-036-6.x-2.x.patch
>  patching file modules/statistics.views.inc
>  patching file
>  modules/statistics/views_handler_field_node_counter_timestamp.inc
>  patching file
>  modules/statistics/views_handler_field_statistics_numeric.inc
>  }}}
>
>
>  The database did not need updating unlike the corresponding security
>  release for Drupal 7.
>
>  Note:
>
>  If anyone should need access to the database update script from their user
>  account, you can uncomment the following line:
>
>
>  {{{
>  puffin:/data/disk/tn/static/tn# nano
>  sites/www.transitionnetwork.org/settings.php
>
>  #$update_free_access = TRUE;
>  }}}
>
> --
> Ticket URL: <
> https://tech.transitionnetwork.org/trac/ticket/701#comment:127>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>

[paul]

Chris,

Would you place a recent copy of the database in my home directory?

Attempts to install a recent database backup taken by the Backup & Migrate module:

Dirac:transitionnetwork-org paul$ file TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz 
TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz: ASCII English text, with very long lines

Dirac:transitionnetwork-org paul$ gunzip TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz 
gunzip: TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz: not in gzip format

Archive:  TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz or
        TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz.zip, and cannot find TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz.ZIP, period.

[chris]

Paul, as noted here, wiki:PuffinServer#Backups, backupninja "dumps all the mysql databases into /var/backups/mysql" -- you have sudo so you should be good to grab the latest from there?

[paul]

Thanks Chris.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

Taken a backup of the database.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

There were drupal security updates that needed to be applied this week:

Issue status update for:
​https://www.drupal.org/node/2782161
Update issue:
​https://www.drupal.org/node/2782161/edit

Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files:

SA-CONTRIB-2016-042-6.x-4.x.patch [1]
SA-CONTRIB-2016-042-6.x-3.x.patch [2]
SA-CONTRIB-2016-042-6.x-2.x.patch [3]

Reporter: dsnopek [4]
Created: August 10, 2016 - 16:16
Updated: August 10, 2016 - 16:16
The Google Analytics module has a moderately critical cross-site scripting
vulnerability.

With the help of the D6LTS vendors, a new version was released:

​https://www.drupal.org/project/google_analytics/releases/6.x-4.3 [5]

As well as patches for the 6.x-3.x and 6.x-2.x branches.

[1] ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-4.x.patch
[2] ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-3.x.patch
[3] ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-2.x.patch
[4] ​https://www.drupal.org/u/dsnopek
[5] ​https://www.drupal.org/project/google_analytics/releases/6.x-4.3

The security updates for Piwik were not applied immediately as this module is currently not enabled. The detail are provided below:

Issue status update for:
​https://www.drupal.org/node/2782163
Update issue:
​https://www.drupal.org/node/2782163/edit

Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-043.patch [1]
Reporter: dsnopek [2]
Created: August 10, 2016 - 16:17
Updated: August 10, 2016 - 16:17
The Piwik module has a moderately critical cross-site scripting
vulnerability.

With the help of the D6LTS vendors, a new version was released:

​https://www.drupal.org/node/2781639 [3]

A patch is also attached.

[1] ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-043.patch
[2] ​https://www.drupal.org/u/dsnopek
[3] ​https://www.drupal.org/node/2781639

[paul]

There were drupal security updates that needed to be applied this week:

Issue status update for:
​https://www.drupal.org/node/2785707
Update issue:
​https://www.drupal.org/node/2785707/edit

#2 -- August 17, 2016 - 18:11 : dsnopek
​https://www.drupal.org/node/2785707#comment-11521787

Issue changes:

• Status: Active

+ Status: Fixed
Committed!

Current issue values:
Status: Fixed
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-047.patch [1]
Reporter: dsnopek [2]
Created: August 17, 2016 - 18:10
Updated: August 17, 2016 - 18:11

One of the hunks failed. The function was different to what was expected; needs investigating.

transx@dedi2835:~/public_html/sites/all/modules/contrib/panels$ patch -p1 < SA-CONTRIB-2016-047.patch
patching file D6UPDATE.txt
patching file includes/plugins.inc
patching file panels.install
Hunk #2 succeeded at 1557 (offset -20 lines).
patching file panels.module
Hunk #1 succeeded at 267 (offset -1 lines).
Hunk #2 succeeded at 410 (offset -5 lines).
Hunk #3 succeeded at 706 (offset -5 lines).
Hunk #4 succeeded at 1283 (offset -5 lines).
Hunk #5 succeeded at 1581 (offset -5 lines).
patching file panels_ipe/panels_ipe.api.php
patching file panels_ipe/plugins/display_renderers/panels_renderer_ipe.class.php
Hunk #3 FAILED at 108.
Hunk #4 succeeded at 128 (offset -3 lines).
Hunk #5 succeeded at 150 (offset -1 lines).
1 out of 5 hunks FAILED -- saving rejects to file panels_ipe/plugins/display_renderers/panels_renderer_ipe.class.php.rej
patching file panels_mini/panels_mini.install
patching file panels_mini/panels_mini.module
patching file panels_mini/plugins/panels_storage/panels_mini.inc
patching file panels_node/panels_node.install
patching file panels_node/panels_node.module
patching file panels_node/plugins/panels_storage/panels_node.inc
patching file plugins/display_renderers/panels_renderer_editor.class.php
patching file plugins/display_renderers/panels_renderer_standard.class.php
patching file plugins/panels_storage/page_manager.inc
patching file plugins/task_handlers/panel_context.inc

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

​https://www.drupal.org/psa-2016-003

​https://transitionnetwork.org/admin/settings/webform
​https://transitionnetwork.org/admin/settings/uploads
​https://transitionnetwork.org/admin/user/permissions#module-upload

[paul]

There were drupal security updates that needed to be applied this week:

Issue status update for:
​https://www.drupal.org/node/2817359

Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: elysia_cron-sa-contrib-2016-052.patch [1]
Reporter: dsnopek [2]
Created: October 12, 2016 - 17:15
Updated: October 12, 2016 - 17:15
An SA was just published for elysia_cron:

​https://www.drupal.org/node/2817211 [3]

The D6LTS vendors backported the patch to D6 which is attached

[1] ​https://www.drupal.org/files/issues/elysia_cron-sa-contrib-2016-052.patch
[2] ​https://www.drupal.org/u/dsnopek
[3] ​https://www.drupal.org/node/2817211

One of the hunks failed. The function was different to what was expected; the update was manually applied.

transx@dedi2835:~/public_html/sites/all/modules/contrib/elysia_cron$ patch -p1 < elysia_cron-sa-contrib-2016-052.patch
patching file elysia_cron.admin.inc
Hunk #1 FAILED at 99.
Hunk #2 succeeded at 554 (offset -46 lines).
1 out of 2 hunks FAILED -- saving rejects to file elysia_cron.admin.inc.rej
transx@dedi2835:~/public_html/sites/all/modules/contrib/elysia_cron$ cat elysia_cron.admin.inc.rej

--- elysia_cron.admin.inc
+++ elysia_cron.admin.inc
@@ -99,7 +99,7 @@ function elysia_cron_admin_page() {
         );
         $rows[] = array(
           '',
-          $conf['rule'] . (!empty($conf['weight']) ? ' <small>(' . t('Weight') . ': ' . $conf['weight'] . ')</small>' : ''),
+          check_plain($conf['rule']) . (!empty($conf['weight']) ? ' <small>(' . t('Weight') . ': ' . $conf['weight'] . ')</small>' : ''),
           elysia_cron_date($conf['last_run']),
           $conf['last_execution_time'] . 's',
           $conf['execution_count'],

[paul]

There were drupal security updates that needed to be applied this week:

Issue status update for:
​https://www.drupal.org/node/2820535

#2 -- October 19, 2016 - 17:34 : dsnopek
​https://www.drupal.org/node/2820535#comment-11738607

Issue changes:

• Status: Active

+ Status: Fixed
Committed to repo!

Current issue values:
Status: Fixed
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-053.patch [1]
Reporter: dsnopek [2]
Created: October 19, 2016 - 17:33
Updated: October 19, 2016 - 17:34

[1] ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
[2] ​https://www.drupal.org/u/dsnopek

transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ wget ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
--2016-10-20 13:41:14-- ​https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
Resolving www.drupal.org (www.drupal.org)... 151.101.13.133
Connecting to www.drupal.org (www.drupal.org)|151.101.13.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1631 (1.6K) [text/plain]
Saving to: ‘SA-CONTRIB-2016-053.patch’

SA-CONTRIB-2016-053.patch 100%[=========================================================================>] 1.59K --.-KB/s in 0s

2016-10-20 13:41:14 (41.6 MB/s) - ‘SA-CONTRIB-2016-053.patch’ saved [1631/1631]

transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ ls
CHANGELOG.txt css includes LICENSE.txt SA-CONTRIB-2016-053.patch tests views webform.info webform.module
components images js README.txt templates THEMING.txt webform.api.php webform.install
transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ patch -p1 < SA-CONTRIB-2016-053.patch
patching file webform.module

Downloaded a recent copy of the database. Shall I check that we can recover from these database backups on my local network?

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

[paul]

No drupal security updates need to be applied this week.

There maybe an update later in the week:

View online: ​https://www.drupal.org/SA-CORE-2016-005

• Advisory ID: DRUPAL-SA-CORE-2016-005
• Project: Drupal core [1]
• Version: 7.x, 8.x
• Date: 2016-November-16
• Security risk: 13/25 ( Moderately Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
• Vulnerability: Multiple vulnerabilities