Ticket #701 (assigned maintenance)

Opened 3 years ago

Last modified 4 days ago

Emails & Telephone calls

Reported by: paul Owned by: paul
Priority: major Milestone: Maintenance
Component: Drupal modules & settings Keywords:
Cc: chris, ade Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 47.7

Description (last modified by paul) (diff)


Attachments

Screen Shot 2015-03-19 at 14.46.43.png (184.8 KB) - added by paul 20 months ago.
Load error while building a new platfrom
Screen Shot 2015-07-09 at 12.38.55.png (47.0 KB) - added by paul 17 months ago.
Screen Shot 2015-11-05 at 12.38.28.png (182.5 KB) - added by paul 13 months ago.
Files directory not fully protected.

Change History

comment:1 Changed 3 years ago by paul

  • Description modified (diff)

comment:2 Changed 3 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

Emails [10th] 0,15

comment:3 Changed 3 years ago by ed

  • Milestone set to Maintenance

comment:4 Changed 3 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.25 to 0.5

Emails [18th] 0,15

comment:5 Changed 3 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.3
  • Total Hours changed from 0.5 to 0.8

Calls [24th] 0,20

comment:6 Changed 3 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 0.8 to 1.3

Emails [31st] 0,30

comment:7 Changed 3 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 1.3 to 1.55

Emails [31st] 0,15

comment:8 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 1.55 to 2.3

Skype call [19th June]

comment:9 Changed 2 years ago by ben

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 2.3 to 3.05

Skype call

comment:10 Changed 2 years ago by annesley

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 3.05 to 3.55

Skype call [19th June]

comment:11 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.55 to 3.8

Just checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

Last edited 2 years ago by paul (previous) (diff)

comment:12 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.8 to 4.05

Just checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

comment:13 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 4.05 to 4.55

Yesterday:

Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.

Email reply to Annesley / TN

comment:14 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 4.55 to 4.8

Conversation on mailing list about updating production.

comment:15 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 4.8 to 5.3

Email exchange on mailing list and follow up on BOA issue.

https://github.com/omega8cc/boa/issues/527

comment:16 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 5.3 to 5.8

A few responses to the mailing list conversation, will continue reading tomorrow

comment:17 Changed 23 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 5.8 to 6.05

Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.

comment:18 Changed 23 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 6.05 to 6.3

Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.

comment:19 Changed 22 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 6.3 to 6.45

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

comment:20 Changed 22 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 6.45 to 6.7

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

https://booker-stage-20141120.transitionnetwork.org/admin/reports/updates

Last edited 22 months ago by paul (previous) (diff)

comment:21 Changed 22 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 6.7 to 6.95

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

https://booker-stage-20141120.transitionnetwork.org/admin/reports/updates

comment:22 Changed 22 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 6.95 to 7.075

Checked to see if the recent rounds of drupal security updates apply to TN. Views needs updating ..

comment:23 Changed 22 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 7.075 to 7.825

Updated the live site & profile on github.

Email exchange with Ade.

comment:24 Changed 21 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 7.825 to 8.075

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

comment:25 Changed 21 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 8.075 to 8.2

Checked to see if the recent rounds of drupal security updates apply to TN. Webform needs updating ..

comment:26 Changed 21 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 8.2 to 8.7

Updated the live site. Profile does not need updating.

comment:27 Changed 20 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 8.7 to 8.825

Checked to see if the recent rounds of drupal security updates apply to TN. Drupal core, CTools & Webform needs updating ..

Changed 20 months ago by paul

Load error while building a new platfrom

comment:28 Changed 20 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 8.825 to 9.325

Trying to build the platform again ..

comment:29 Changed 20 months ago by paul

Worked second time ..

comment:30 Changed 20 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 1.0
  • Total Hours changed from 9.325 to 10.325

Built new stage/production platforms for 6.35 (Both platforms failed first time).
Migrated stage/production sites (www. & news.) over to the new platforms .
Production sites up and running:
https://www.transitionnetwork.org/admin/reports/status
Updated the profile and pushed up to my git repository.

comment:31 Changed 20 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 10.325 to 10.575

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

comment:32 Changed 20 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 10.575 to 10.825

Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.

comment:33 Changed 20 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 10.825 to 11.075

Checked to see if there are any drupal security updates to apply to TN. No - all good.

Responded to mailing list.

Last edited 20 months ago by paul (previous) (diff)

comment:34 Changed 19 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 11.075 to 11.325

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:35 Changed 19 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 11.325 to 11.575

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:36 Changed 19 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 11.575 to 12.075

Email communications.

comment:37 Changed 19 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 12.075 to 12.325

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:38 Changed 19 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 12.325 to 12.575

Email communications

comment:39 Changed 19 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 12.575 to 13.325

Investigating the TN site on PHP 5.5.3

comment:40 Changed 19 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 13.325 to 13.575

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:41 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 13.575 to 13.825

Email communications

comment:42 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 13.825 to 14.075

Email communications

comment:43 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 14.075 to 14.325

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:44 Changed 18 months ago by paul

Chris, is this something that affects us ..

View online: https://www.drupal.org/node/2492317

  • Advisory ID: DRUPAL-SA-CONTRIB-2014-113
  • Project: Hostmaster (Aegir) [1] (third-party module)
  • Version: 6.x, 7.x
  • Date: 2015-May-20
  • Security risk: 13/25 ( Moderately Critical) AC:Complex/A:Admin/CI:All/II:Some/E:Theoretical/TD:Default [2]
  • Vulnerability: Arbitrary PHP code execution

comment:45 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 14.325 to 14.45

I almost missed this as this update looks to be a platform level update that is not shown on the drupal updates page.

https://booker-stage-20150319.transitionnetwork.org/admin/reports/updates

comment:46 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 14.45 to 15.2

Email communications (I'll send an updated invoice later in the month )

comment:47 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 15.2 to 15.45

Email communications

comment:48 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 15.45 to 15.95

Email communications & reading through wiki page.
https://wiki.transitionnetwork.org/BOA_Server/Development_workflow

Last edited 18 months ago by paul (previous) (diff)

comment:49 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 15.95 to 16.2

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:50 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 16.2 to 16.45

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:51 Changed 18 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 16.45 to 16.7

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:52 Changed 17 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 16.7 to 16.95

Checked to see if there are any drupal security updates to apply to TN. The following needs to be applied

View online: https://www.drupal.org/SA-CORE-2015-002

  • Advisory ID: DRUPAL-SA-CORE-2015-002
  • Project: Drupal core [1]
  • Version: 6.x, 7.x
  • Date: 2015-June-17
  • Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
  • Vulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilities

However , it looks as though pressflow haven't posted a response to the security update:

https://github.com/omega8cc/boa/search?q=pressflow

The following link currently gives a 404

http://files.aegir.cc/core/pressflow-6.36.1.tar.gz

I'll try again later this afternoon.

comment:53 Changed 17 months ago by chris

  • Cc chris, ade added
  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 16.95 to 17.05

I don't know if this is relevant, but the latest version of BOA, which we are not running, see ticket:854, didn't have a Pressflow update, the latest version of Pressflow from BOA is Pressflow 6.34 and that came out with BOA-2.3.7 in November 2014.

Does the site use the OpenID module? That is the only Drupal 6 issue in SA-CORE-2015-002.

Impersonation (OpenID module - Drupal 6 and 7 - Critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).

I have also added myself and Ade as CCs for this ticket, I hopw that is OK.

comment:54 Changed 17 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 17.05 to 17.3

Thanks Chris,

We're not using the OpenID so we can skip the core update. I would normally just apply any core update.

I'll update the following ..

View online: https://www.drupal.org/node/2507753

  • Advisory ID: DRUPAL-SA-CONTRIB-2015-126
  • Project: Content Construction Kit (CCK) [1] (third-party module)
  • Version: 6.x
  • Date: 2015-June-17
  • Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
  • Vulnerability: Open Redirect

Next time we have a core update that needs to be applied: I'll investigate further how to proceed.

Last edited 17 months ago by paul (previous) (diff)

comment:55 Changed 17 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 17.3 to 17.8

Updated CCK on the stage / live sites.

comment:56 Changed 17 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 17.8 to 18.05

Checked to see if there are any drupal security updates to apply to TN. No - all good.

comment:57 Changed 17 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 18.05 to 18.8

Applied the the following drupal security update to TN.

View online: https://www.drupal.org/node/2516688

  • Advisory ID: DRUPAL-SA-CONTRIB-2015-131
  • Project: Views Bulk Operations (VBO) [1] (third-party module)
  • Version: 6.x, 7.x
  • Date: 2015-July-01
  • Security risk: 10/25 ( Moderately Critical) AC:Basic/A:Admin/CI:None/II:All/E:Theoretical/TD:Uncommon [2]
  • Vulnerability: Access bypass

Changed 17 months ago by paul

comment:58 Changed 17 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 18.8 to 19.3

No drupal security updates need to be applied this week.

I noticed that VBO appeared to still need a security update; but in fact it had already been applied on the the stage server.

https://booker-stage-20150319.transitionnetwork.org/admin/reports/updates

I doubled checked that this update was also applied on the live site:

puffin:/data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/all/modules/contrib# cat views_bulk_operations/views_bulk_operations.info
name = Views Bulk Operations
description = Exposes new Views style 'Bulk Operations' for selecting multiple nodes and applying operations on them.
dependencies[] = views
package = Views
core = 6.x
php = 5.0

; Information added by drupal.org packaging script on 2013-06-21
version = "6.x-1.15"
core = "6.x"
project = "views_bulk_operations"
datestamp = "1371815759"

comment:59 Changed 16 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 19.3 to 19.55

No drupal security updates need to be applied this week.

comment:60 Changed 16 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 19.55 to 19.8

No drupal security updates need to be applied this week.

comment:61 Changed 16 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 19.8 to 20.05

No drupal security updates need to be applied this week.

comment:62 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 20.05 to 20.3

The following drupal security updates need to be applied this week:

View online: https://www.drupal.org/SA-CORE-2015-003

  • Advisory ID: DRUPAL-SA-CORE-2015-003
  • Project: Drupal core [1]
  • Version: 6.x, 7.x
  • Date: 2015-August-19
  • Security risk: 18/25 ( Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All [2]
  • Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities

This security advisory fixes multiple vulnerabilities.

View online: https://www.drupal.org/node/2554145

  • Advisory ID: DRUPAL-SA-CONTRIB-2015-141
  • Project: Chaos tool suite (ctools) [1] (third-party module)
  • Version: 6.x, 7.x
  • Date: 2015-August-19
  • Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
  • Vulnerability: Cross Site Scripting, Access bypass, Multiple vulnerabilities

I'll get these done first thing in the morning.

comment:63 follow-up: ↓ 64 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 20.3 to 20.425

comment:64 in reply to: ↑ 63 Changed 15 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 20.425 to 20.925

Replying to paul:

Are we no longer getting security updates for drupal?

https://github.com/omega8cc/boa/search?q=pressflow
http://files.aegir.cc/core/pressflow-6.38.1.tar.gz

As I recall we stopped doing BOA updates a while ago due to the fact that we couldn't agree on upgrading to a supported version of PHP (we tried to clone PuffinServer to do a test run but that failed, we don't have a dev server to test on as the dev server was dropped with the switch to BOA because, as I remember, it was deemed that the cost saving was more important than being able to test updates), so we are stuck with BOA 2.4.2, see wiki:PuffinServer#Upgradetickets.

I see that the latest Pressflow, 6.37.120 has merged in Drupal core 6.37 which has fixes for SA-CORE-2015-003, BOA has Pressflow 6.37.1, it appear to me that BOA hasn't yet added Pressflow 6.37.120?

I would expect that support for this will be added and a new BOA release will happen very soon.

There are security issues that could impact us in SA-CORE-2015-003:

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

Cross-site Request Forgery - Form API - Drupal 6 and 7

A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

In terms of what we can do I would suggest two options:

  1. Build a new BOA server and use that for testing the existing site with a supported version of PHP following the BOA migration documentation. If this works OK make this new server the live server and switch off PuffinServer (the IP address can be moved to the new server saving a DNS update and minimising downtime for the site).
  2. Abandon BOA and build a new server without it.

Either of the above two options would have a significant time and therefore cost implication so some alternative options might have to be though of?

This issue probably deserves a new ticket and/or a email to the ttech list or even a conference call?

comment:67 follow-up: ↓ 69 Changed 15 months ago by sam

Hi all

Ade will be back from holiday soon. I'm pretty sure he won't want to
spend much on any BOA re-configuration, so my guess is that we'll be
looking to move the site to a more usual /dev /stage /live kind of
setup without BOA. But that's a decision for Ade.

In the short term, looking to mitigate the risks;

>  There are security issues that could impact us in [https://www.drupal.org
>  /SA-CORE-2015-003 SA-CORE-2015-003]:
>  > This vulnerability is mitigated by the fact that the malicious user must
>  be allowed to upload files.

Disabling any user file uploads would mitigate this.

>  > == Cross-site Request Forgery - Form API - Drupal 6 and 7 ==
>  > This vulnerability is mitigated by the fact that the uploaded files
>  would be temporary,

Again disabling any user file uploads would mitigate this.

>  > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7
>  > Users without the "access content" permission can see the titles of
>  nodes that they do not have access to, if the nodes are added to a menu on
>  the site that the users have access to.

I can't think of a situation on the current configuration which would
be a problem for us.

So today I'll have a look through all the forms and disable and user
uploads which should give us some breathing space..

Thanks

Sam


>
>  In terms of what we can do I would suggest two options:
>
>  1. Build a new BOA server and use that for testing the existing site with
>  a supported version of PHP following the BOA migration documentation. If
>  this works OK make this new server the live server and switch off
>  PuffinServer (the IP address can be moved to the new server saving a DNS
>  update and minimising downtime for the site).
>  2. Abandon BOA and build a new server without it.
>
>  Either of the above two options would have a significant time and
>  therefore cost implication so some alternative options might have to be
>  though of?
>
>  This issue probably deserves a new ticket and/or a email to the ttech list
>  or even a conference call?
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.

comment:68 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 20.925 to 21.175

Hello,

The choice seems to be do nothing or do something, both incur a significant cost, one financial the other relating to the security of users who use the website. We have responsibility to do something, so we may as well implement whatever will be the easiest to use going forward.

I think having a new server would be my preference. We can then have things setup how we want them (using git and branches, ..), and do things more quickly.

Best, Paul

Version 0, edited 15 months ago by paul (next)

comment:69 in reply to: ↑ 67 Changed 15 months ago by chris

Replying to sam:

So today I'll have a look through all the forms and disable and user
uploads which should give us some breathing space..

Nice one.

comment:70 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 21.175 to 21.3

That all sound good Sam. Thanks. Let me know if you have any questions.

Best, Paul

comment:71 Changed 15 months ago by sam

Hi all

So I disabled the three webforms that allowed file upload (all old and
not in use in any case)
https://www.transitionnetwork.org/admin/content/webform

I also unchecked topmost 'upload' box on this page & saved
https://www.transitionnetwork.org/admin/settings/imce/profile/edit/2

I think that should cover it, unless anyone else can think of areas
where users can upload files?

The only thing I think this breaks is users being able to add images to:

* Projects - we hardly get any of these anyway, I've made a note on
the form for users to email these to us if they want to include a
photo.

*Initiative profile - Again very low volume, I've made a note on the
form for users to email these to us if they want to include a photo.

I'll email staff to let them know just in case there are any
unexpected consequences, I very much doubt anyone will notice though..

Thanks

Sam

On 21 August 2015 at 11:17, Sam Rossiter
<samrossiter@transitionnetwork.org> wrote:
> Hi all
>
> Ade will be back from holiday soon. I'm pretty sure he won't want to
> spend much on any BOA re-configuration, so my guess is that we'll be
> looking to move the site to a more usual /dev /stage /live kind of
> setup without BOA. But that's a decision for Ade.
>
> In the short term, looking to mitigate the risks;
>
>>  There are security issues that could impact us in [https://www.drupal.org
>>  /SA-CORE-2015-003 SA-CORE-2015-003]:
>>  > This vulnerability is mitigated by the fact that the malicious user must
>>  be allowed to upload files.
>
> Disabling any user file uploads would mitigate this.
>
>>  > == Cross-site Request Forgery - Form API - Drupal 6 and 7 ==
>>  > This vulnerability is mitigated by the fact that the uploaded files
>>  would be temporary,
>
> Again disabling any user file uploads would mitigate this.
>
>>  > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7
>>  > Users without the "access content" permission can see the titles of
>>  nodes that they do not have access to, if the nodes are added to a menu on
>>  the site that the users have access to.
>
> I can't think of a situation on the current configuration which would
> be a problem for us.
>
> So today I'll have a look through all the forms and disable and user
> uploads which should give us some breathing space..
>
> Thanks
>
> Sam
>
>
>>
>>  In terms of what we can do I would suggest two options:
>>
>>  1. Build a new BOA server and use that for testing the existing site with
>>  a supported version of PHP following the BOA migration documentation. If
>>  this works OK make this new server the live server and switch off
>>  PuffinServer (the IP address can be moved to the new server saving a DNS
>>  update and minimising downtime for the site).
>>  2. Abandon BOA and build a new server without it.
>>
>>  Either of the above two options would have a significant time and
>>  therefore cost implication so some alternative options might have to be
>>  though of?
>>
>>  This issue probably deserves a new ticket and/or a email to the ttech list
>>  or even a conference call?
>>
>> --
>> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64>
>> Transition Technology <https://tech.transitionnetwork.org/trac>
>> Support and issues tracking for the Transition Network Web Project.

comment:72 Changed 15 months ago by sam

Ah one more:

Removed jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp from the
list of allowed files for role "authenticated user" here:
https://www.transitionnetwork.org/admin/settings/uploads

Thanks

Sam

On 21 August 2015 at 11:31, Sam Rossiter
<samrossiter@transitionnetwork.org> wrote:
> Hi all
>
> So I disabled the three webforms that allowed file upload (all old and
> not in use in any case)
> https://www.transitionnetwork.org/admin/content/webform
>
> I also unchecked topmost 'upload' box on this page & saved
> https://www.transitionnetwork.org/admin/settings/imce/profile/edit/2
>
> I think that should cover it, unless anyone else can think of areas
> where users can upload files?
>
> The only thing I think this breaks is users being able to add images to:
>
> * Projects - we hardly get any of these anyway, I've made a note on
> the form for users to email these to us if they want to include a
> photo.
>
> *Initiative profile - Again very low volume, I've made a note on the
> form for users to email these to us if they want to include a photo.
>
> I'll email staff to let them know just in case there are any
> unexpected consequences, I very much doubt anyone will notice though..
>
> Thanks
>
> Sam
>
> On 21 August 2015 at 11:17, Sam Rossiter
> <samrossiter@transitionnetwork.org> wrote:
>> Hi all
>>
>> Ade will be back from holiday soon. I'm pretty sure he won't want to
>> spend much on any BOA re-configuration, so my guess is that we'll be
>> looking to move the site to a more usual /dev /stage /live kind of
>> setup without BOA. But that's a decision for Ade.
>>
>> In the short term, looking to mitigate the risks;
>>
>>>  There are security issues that could impact us in [https://www.drupal.org
>>>  /SA-CORE-2015-003 SA-CORE-2015-003]:
>>>  > This vulnerability is mitigated by the fact that the malicious user must
>>>  be allowed to upload files.
>>
>> Disabling any user file uploads would mitigate this.
>>
>>>  > == Cross-site Request Forgery - Form API - Drupal 6 and 7 ==
>>>  > This vulnerability is mitigated by the fact that the uploaded files
>>>  would be temporary,
>>
>> Again disabling any user file uploads would mitigate this.
>>
>>>  > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7
>>>  > Users without the "access content" permission can see the titles of
>>>  nodes that they do not have access to, if the nodes are added to a menu on
>>>  the site that the users have access to.
>>
>> I can't think of a situation on the current configuration which would
>> be a problem for us.
>>
>> So today I'll have a look through all the forms and disable and user
>> uploads which should give us some breathing space..
>>
>> Thanks
>>
>> Sam
>>
>>
>>>
>>>  In terms of what we can do I would suggest two options:
>>>
>>>  1. Build a new BOA server and use that for testing the existing site with
>>>  a supported version of PHP following the BOA migration documentation. If
>>>  this works OK make this new server the live server and switch off
>>>  PuffinServer (the IP address can be moved to the new server saving a DNS
>>>  update and minimising downtime for the site).
>>>  2. Abandon BOA and build a new server without it.
>>>
>>>  Either of the above two options would have a significant time and
>>>  therefore cost implication so some alternative options might have to be
>>>  though of?
>>>
>>>  This issue probably deserves a new ticket and/or a email to the ttech list
>>>  or even a conference call?
>>>
>>> --
>>> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64>
>>> Transition Technology <https://tech.transitionnetwork.org/trac>
>>> Support and issues tracking for the Transition Network Web Project.

comment:73 Changed 15 months ago by paul

Sounds like you got this one covered. Thanks Sam!

comment:74 Changed 15 months ago by sam

If we define 'covered' as deliberately breaking a load of stuff then yes :)

I figure we should work out a proper solution for this fairly soon,
but obviously Ade needs to be involved in that. At least this way we
can think about what to do without sitting on an insecure site..

Ta

Sam

On 21 August 2015 at 11:44, Transition Technology Trac
<trac@tech.transitionnetwork.org> wrote:
> #701: Emails & Telephone calls
> -------------------------------------+-------------------------------------
>            Reporter:  paul           |                      Owner:  ed
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Unassigned     |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>         Total Hours:  21.3           |                  Billable?:  1
> -------------------------------------+-------------------------------------
>
> Comment (by paul):
>
>  Sounds like you got this one covered. Thanks Sam!
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:73>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.

comment:75 Changed 15 months ago by paul

Yes :D covered - for now :)

Last edited 15 months ago by paul (previous) (diff)

comment:76 Changed 15 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Owner changed from ed to paul
  • Status changed from new to assigned
  • Component changed from Unassigned to Drupal modules & settings
  • Total Hours changed from 21.3 to 21.4

BTW I saw ed was CC'd in on this ticket as he owned it, so I have changed the owner to paul. It isn't clear to me why the other people that get copies of these comments are CC'd (see the email headers) as they are not listed as ticket CC's?

comment:77 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 21.4 to 22.15

No additional security updates need to be applied.

Here is a first draft of how we could try to do the core updates manually:

Download and extract the latest Drupal tar ball.

Remove all .txt files and the sites folder.

From the stage/production directory (under /data/disk/tn/static) remove all .php files, and the following directories: includes/ modules/, misc/ , profiles/, themes/. However, keep the following modules and links in the modules directory: simpletest, path_alias_cache, o_contrib@, cookie_cache_bypass

Copy over the remaining files and folders from the drupal tarball to the stage/production directory.

Best, Paul

comment:78 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 22.15 to 22.65

I have manually updated ctools and views_bulk_operations on the live site (fairly straightforward). I thought these updates were already done. Apologies, if this is down to an error on my part.

Tomorrow, I'll try to update drupal core on my stage site following the instructions I documented earlier. If the the update looks successful we can then test the site to see if there are any problems.

Best, Paul


comment:79 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 22.65 to 22.9

Email communication.

comment:80 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 22.9 to 23.15

No drupal security updates need to be applied this week.

I still need to try updating drupal core on my stage site. I'll see if I can do this later this afternoon.

comment:81 Changed 15 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 23.15 to 23.65

It's actually fairly straightforward to update core manually.

Can I just get confirmation that we have a backup of the live site. I'll then manually update core on the live site.

comment:82 Changed 14 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 23.65 to 23.9

No drupal security updates need to be applied this week.

comment:83 Changed 14 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 23.9 to 24.15

No drupal security updates need to be applied this week.

Last edited 14 months ago by paul (previous) (diff)

comment:84 Changed 14 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 24.15 to 24.4

No drupal security updates need to be applied this week.

comment:85 Changed 13 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 24.4 to 24.65

No drupal security updates need to be applied this week.

comment:86 Changed 13 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 24.65 to 24.9

No drupal security updates need to be applied this week.

comment:87 Changed 13 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 24.9 to 25.15

No drupal security updates need to be applied this week.

Changed 13 months ago by paul

Files directory not fully protected.

comment:88 follow-up: ↓ 89 Changed 13 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 1.25
  • Total Hours changed from 25.15 to 26.4

No drupal security updates needed to be applied this week.

However, I took the opportunity to manually update core and update the database. After updating core I also deleted the current files/ .htaccess file (see screenshot) and regenerated this from the files system page.

https://www.transitionnetwork.org/admin/reports/status
https://www.transitionnetwork.org/admin/settings/file-system

comment:89 in reply to: ↑ 88 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 26.4 to 26.5

Replying to paul:

I also deleted the current files/ .htaccess file (see screenshot) and regenerated this from the files system page.

Note that since we are using Nginx and not Apache that all .htaccess files will be ignored and have no effect.

If there are some new rules from a .htaccess file that we need to add to the Ngnix config then we will have to do that manually -- where is the .htaccess file you recreated? I could check it against the Ngnix config (if I can actually find it in the BOA created mess of config files...).

comment:90 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 26.5 to 26.75

So looking for the .htaccess file, there are 96 on the server...

updatedb
locate .htaccess

It seems like /data/disk/tn/static/sites/transitionnetwork.org-PROD/files/.htaccess is the one? It contains:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_flag engine off
</IfModule>

So all it is doing is disabling PHP for the uploads directory. I would guess that this is already covered, so to test it I created /data/disk/tn/static/sites/transitionnetwork.org-PROD/files/info.php containing:

<?php phpinfo(); ?>

And it is available here:

And it is served with the default Nginx Mime type, Content-Type: application/octet-stream and not processed, so we are covered.

comment:91 Changed 13 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 26.75 to 27.0

Thanks Chris. I forgot we are using Nginx.

The .htaccess is located here:

/data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/www.transitionnetwork.org/files

It has the same content as the file you referenced above.

Looks good:

$ curl -I https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/info.php
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Nov 2015 14:00:45 GMT
Content-Type: application/octet-stream
Content-Length: 20
Connection: keep-alive
Last-Modified: Thu, 05 Nov 2015 13:46:36 GMT
ETag: "563b5dbc-14"
Expires: Sat, 05 Dec 2015 14:00:45 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Strict-Transport-Security: max-age=15768000
Last edited 13 months ago by paul (previous) (diff)

comment:92 Changed 13 months ago by paul

Removed the info.php file.

comment:93 Changed 13 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 27.0 to 27.25

No drupal security updates need to be applied this week.

Modules unsupported this week: Hierarchical Select

This the first module to become unsupported for Drupal 6. If we know that we are not using any particular unsupported module on the website we should disable the module, just in case there are unresolved security issues with the module.

Last edited 13 months ago by paul (previous) (diff)

comment:94 follow-up: ↓ 95 Changed 12 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 27.25 to 27.75

No drupal security updates need to be applied this week.

Would you like me to provide extended support for Drupal 6 when it becomes unsupported by the community?

If so, we will need to read up on the security team process (i.e. go through the handbook pages) and contact the security team for further guidance.

https://www.drupal.org/d6-lts-support
https://www.drupal.org/node/2287855

comment:95 in reply to: ↑ 94 Changed 12 months ago by chris

Replying to paul:

Would you like me to provide extended support for Drupal 6 when it becomes unsupported by the community?

I can't answer that (I don't know what the plans are regarding continuing to use Drupal 6 or switching to something else, can anyone shed any light on this?) but I did open a ticket for this issue: ticket:883.

comment:96 Changed 12 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 27.75 to 28.0

No drupal security updates need to be applied this week.

comment:97 Changed 12 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 28.0 to 28.75

The following drupal security updates have been applied this week:

View online: https://www.drupal.org/node/2627448

  • Advisory ID: DRUPAL-SA-CONTRIB-2015-168
  • Project: Mollom [1] (third-party module)
  • Version: 6.x
  • Date: 2015-December-02
  • Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
  • Vulnerability: Access bypass

comment:98 Changed 12 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 28.75 to 29.5

Investigating the news website as per email communications.

comment:99 Changed 12 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 29.5 to 29.75

Confirmed that the news website is up to date.

http://news.transitionnetwork.org/admin/reports/updates

The main administrative account is currently assigned to me. If you need to change this in the future you can do this with drush:

513 cd /data/disk/tn/static/
514 ls
515 cd transition-network-d6-35-p001b-booker/sites/news.transitionnetwork.org/
516 ls -la
517 sudo -u tn drush uli

comment:100 Changed 12 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 29.75 to 30.0

No drupal security updates need to be applied this week.

comment:101 Changed 11 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 30.0 to 30.25

No drupal security updates need to be applied this week.

comment:102 Changed 11 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 30.25 to 30.5

Email communications.

comment:103 Changed 11 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 30.5 to 30.75

No drupal security updates need to be applied this week.

comment:104 Changed 10 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 30.75 to 31.0

No drupal security updates need to be applied this week.

comment:105 Changed 10 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.45
  • Total Hours changed from 31.0 to 31.45

No drupal security updates need to be applied this week.

Reviewing recent emails. Phone conversation with Ade.

Email communications.

comment:106 Changed 9 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 31.45 to 32.2

The following drupal security updates have been applied this week:

View online: https://www.drupal.org/node/2666446

  • Advisory ID: DRUPAL-SA-CONTRIB-2016-pending
  • Project: Embedded Media Field [1] (third-party module)
  • Version: 6.x
  • Date: 2016-February-10
  • Security risk: 19/25 ( Critical) AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
  • Vulnerability: Cross Site Scripting

comment:107 Changed 9 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 32.2 to 32.45

No drupal security updates need to be applied this week.

comment:108 Changed 9 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 32.45 to 32.95

Awaiting drupal 6 security updates from the LTS vendors.

https://www.drupal.org/project/d6lts

View online: https://www.drupal.org/SA-CORE-2016-001

  • Advisory ID: SA-CORE-2016-001
  • Project: Drupal core [1]
  • Version: 6.x, 7.x, 8.x
  • Date: 2016-February-24
  • Security risk: 15/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
  • Vulnerability: Multiple vulnerabilities

View online: https://www.drupal.org/node/2674854

  • Advisory ID: DRUPAL-SA-CONTRIB-2016-008
  • Project: FileField? [1] (third-party module)
  • Version: 6.x
  • Date: 2016-February-24
  • Security risk: 11/25 ( Moderately Critical) AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All [2]
  • Vulnerability: Denial of Service

The "Available updates" page was showing everything as "Not supported" so I have disabled the Update status & Update status advanced settings modules.

I'll pick this up again later today after talking to security team / LTS vendors.

comment:109 Changed 9 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 1.25
  • Total Hours changed from 32.95 to 34.2

There have been official releases for these security updates.

Both of these drupal security updates have now been applied.

comment:110 Changed 9 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 34.2 to 34.7

comment:111 Changed 9 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 34.7 to 34.95

No drupal security updates need to be applied this week.

comment:112 Changed 8 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 34.95 to 35.2

No drupal security updates need to be applied this week.

comment:113 Changed 8 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 35.2 to 35.45

No drupal security updates need to be applied this week.

comment:114 Changed 8 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 35.45 to 35.7

No drupal security updates need to be applied this week.

Taken a backup of the database.

comment:115 Changed 7 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 35.7 to 36.45

There were drupal security updates that needed to be applied this week:

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/features# patch -p1 < features-sdo-138758-15-D6.patch
patching file features.admin.inc
Hunk #1 succeeded at 596 (offset -6 lines).
Hunk #2 succeeded at 619 (offset -6 lines).

https://www.drupal.org/node/2705751

There are some other security issues in review. I'll apply these as soon as they are reviewed.
https://www.drupal.org/project/issues/d6lts

comment:116 Changed 7 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 36.45 to 36.95

There were drupal security updates that needed to be applied this week:

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1 < SA-CONTRIB-2014-054-6.x-2.x.patch
patching file includes/view.inc
patching file plugins/views_plugin_display.inc

https://www.drupal.org/node/2710259

comment:117 Changed 7 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 36.95 to 37.45

No drupal security updates need to be applied this week.

Taken a backup of the code & database.

https://www.drupal.org/node/2284611/commits

comment:118 Changed 7 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 37.45 to 37.7

No drupal security updates need to be applied this week.

comment:119 Changed 6 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 37.7 to 37.95

No drupal security updates need to be applied this week.

comment:120 Changed 6 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 37.95 to 38.2

No drupal security updates need to be applied this week.

comment:121 Changed 6 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 38.2 to 38.7

There were drupal security updates that needed to be applied this week:

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/xmlsitemap# patch -p1 < SA-CONTRIB-2016-030-6.x-2.x.patch
patching file xsl/xmlsitemap.xsl.js
puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/xmlsitemap#

https://www.drupal.org/node/2733569#comment-11229739

comment:122 Changed 6 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 38.7 to 39.45

No drupal security updates need to be applied this week.

Taken a backup of the code, files & database.

puffin:/data/disk/tn/static# ls -la
lrwxrwxrwx  1 root   users   37 Mar  3 10:38 tn -> transition-network-d6-35-p001b-booker/

puffin:/data/disk/tn/static# tar -cf - tn | gzip > tn.20160602.tar.gz
puffin:/data/disk/tn/static# mv tn.20160602.tar.gz /home/paul/

puffin:/data/disk/tn/static/tn/sites/www.transitionnetwork.org# ls -l
total 472K

lrwxrwxrwx 1 tn users      60 Jun 14  2013 files -> /data/disk/tn/static/sites/transitionnetwork.org-PROD/files//

puffin:/data/disk/tn/static/sites/transitionnetwork.org-PROD# tar -cf - files | gzip > tn.files.20160602.tar.gz
puffin:/data/disk/tn/static/sites/transitionnetwork.org-PROD# mv tn.files.20160602.tar.gz /home/paul/

scp -r transitionnetwork.org:tn.20160602.tar.gz .
scp -r transitionnetwork.org:tn.files.20160602.tar.gz .

I had previously missed the flies directory.

Let me know if I should take the time to set the website up on my local server to confirm that we can rebuild the website from the above backup.

I have taken a backup of the database with the Backup & Migrate module. I'll investigate how to take a manual backup of the database later this afternoon.

comment:123 Changed 6 months ago by chris

Paul I'm not sure the work you are doing on backups is necessary, we have 60 days worth of MySQL and files backed up that you can access, see wiki:PuffinServer#Backups and in addition we have 60 days worth of snapshots of the whole servers (which only Webarchitects can access).

comment:124 Changed 6 months ago by paul

  • Add Hours to Ticket 0 deleted

Sorry, I'll have a look at these. Are we testing these backups somewhere?

comment:125 Changed 6 months ago by chris

No, I haven't done any testing of the backups.

comment:126 Changed 6 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 39.45 to 39.7

No drupal security updates need to be applied this week.

comment:127 Changed 5 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 39.7 to 40.45

There were drupal security updates that needed to be applied this week:

Issue status update for:
https://www.drupal.org/node/2749407
Update issue:
https://www.drupal.org/node/2749407/edit

Current issue values:
Status: Active
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files:

SA-CONTRIB-2016-036-6.x-2.x.patch [1]
SA-CONTRIB-2016-036-6.x-3.x.patch [2]

Reporter: dsnopek [3]
Created: June 15, 2016 - 20:27
Updated: June 15, 2016 - 20:27
The issue described in Views - Less Critical - Access Bypass -
SA-CONTRIB-2016-036 [4] also affects Drupal 6! A series of patches are
attached for different versions of views.

[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-2.x.patch
[2] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-3.x.patch
[3] https://www.drupal.org/u/dsnopek
[4] https://www.drupal.org/node/2749333

puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1 < SA-CONTRIB-2016-036-6.x-2.x.patch 
patching file modules/statistics.views.inc
patching file modules/statistics/views_handler_field_node_counter_timestamp.inc
patching file modules/statistics/views_handler_field_statistics_numeric.inc

The database did not need updating unlike the corresponding security release for Drupal 7.

Note:

If anyone should need access to the database update script from their user account, you can uncomment the following line:

puffin:/data/disk/tn/static/tn# nano sites/www.transitionnetwork.org/settings.php 

#$update_free_access = TRUE;

comment:129 Changed 5 months ago by sam

Thanks Paul..

On 16 June 2016 at 11:20, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:

> #701: Emails & Telephone calls
> -------------------------------------+-------------------------------------
>            Reporter:  paul           |                      Owner:  paul
>                Type:  maintenance    |                     Status:
>            Priority:  major          |  assigned
>           Component:  Drupal         |                  Milestone:
>   modules & settings                 |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0.75           |  Estimated Number of Hours:  0.0
>         Total Hours:  39.7           |                  Billable?:  1
> -------------------------------------+-------------------------------------
> Changes (by paul):
>
>  * hours:  0.0 => 0.75
>  * totalhours:  39.7 => 40.45
>
>
> Comment:
>
>  There were drupal security updates that needed to be applied this week:
>
>  Issue status update for:
>  https://www.drupal.org/node/2749407
>  Update issue:
>  https://www.drupal.org/node/2749407/edit
>
>  Current issue values:
>  Status:    Active
>  Priority:  Normal
>  Category:  Task
>  Component: Code
>  Assigned:  Unassigned
>  Project:   Drupal 6 Long Term Support
>  Files:
>      SA-CONTRIB-2016-036-6.x-2.x.patch [1]
>      SA-CONTRIB-2016-036-6.x-3.x.patch [2]
>  Reporter:  dsnopek [3]
>  Created:   June 15, 2016 - 20:27
>  Updated:   June 15, 2016 - 20:27
>  The issue described in Views - Less Critical - Access Bypass -
>  SA-CONTRIB-2016-036 [4] also affects Drupal 6! A series of patches are
>  attached for different versions of views.
>
>
>  [1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-2.x.patch
>  [2] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-3.x.patch
>  [3] https://www.drupal.org/u/dsnopek
>  [4] https://www.drupal.org/node/2749333
>
>
>  {{{
>  puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1
>  < SA-CONTRIB-2016-036-6.x-2.x.patch
>  patching file modules/statistics.views.inc
>  patching file
>  modules/statistics/views_handler_field_node_counter_timestamp.inc
>  patching file
>  modules/statistics/views_handler_field_statistics_numeric.inc
>  }}}
>
>
>  The database did not need updating unlike the corresponding security
>  release for Drupal 7.
>
>  Note:
>
>  If anyone should need access to the database update script from their user
>  account, you can uncomment the following line:
>
>
>  {{{
>  puffin:/data/disk/tn/static/tn# nano
>  sites/www.transitionnetwork.org/settings.php
>
>  #$update_free_access = TRUE;
>  }}}
>
> --
> Ticket URL: <
> https://tech.transitionnetwork.org/trac/ticket/701#comment:127>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>

comment:130 Changed 5 months ago by paul

Chris,

Would you place a recent copy of the database in my home directory?

Attempts to install a recent database backup taken by the Backup & Migrate module:

Dirac:transitionnetwork-org paul$ file TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz 
TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz: ASCII English text, with very long lines

Dirac:transitionnetwork-org paul$ gunzip TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz 
gunzip: TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz: not in gzip format

Archive:  TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz or
        TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz.zip, and cannot find TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz.ZIP, period.

comment:131 Changed 5 months ago by chris

Paul, as noted here, wiki:PuffinServer#Backups, backupninja "dumps all the mysql databases into /var/backups/mysql" -- you have sudo so you should be good to grab the latest from there?

comment:132 Changed 5 months ago by paul

Thanks Chris.

comment:133 Changed 5 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 40.45 to 40.7

No drupal security updates need to be applied this week.

comment:134 Changed 5 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 40.7 to 40.95

No drupal security updates need to be applied this week.

comment:135 Changed 5 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 40.95 to 41.2

No drupal security updates need to be applied this week.

Taken a backup of the database.

comment:136 Changed 4 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 41.2 to 41.45

No drupal security updates need to be applied this week.

comment:137 Changed 4 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 41.45 to 41.7

No drupal security updates need to be applied this week.

comment:138 Changed 4 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 41.7 to 41.95

No drupal security updates need to be applied this week.

comment:139 Changed 4 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 41.95 to 42.2

No drupal security updates need to be applied this week.

comment:140 Changed 3 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 42.2 to 42.95

There were drupal security updates that needed to be applied this week:

Issue status update for:
https://www.drupal.org/node/2782161
Update issue:
https://www.drupal.org/node/2782161/edit

Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files:

SA-CONTRIB-2016-042-6.x-4.x.patch [1]
SA-CONTRIB-2016-042-6.x-3.x.patch [2]
SA-CONTRIB-2016-042-6.x-2.x.patch [3]

Reporter: dsnopek [4]
Created: August 10, 2016 - 16:16
Updated: August 10, 2016 - 16:16
The Google Analytics module has a moderately critical cross-site scripting
vulnerability.

With the help of the D6LTS vendors, a new version was released:

https://www.drupal.org/project/google_analytics/releases/6.x-4.3 [5]

As well as patches for the 6.x-3.x and 6.x-2.x branches.

[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-4.x.patch
[2] https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-3.x.patch
[3] https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-2.x.patch
[4] https://www.drupal.org/u/dsnopek
[5] https://www.drupal.org/project/google_analytics/releases/6.x-4.3

The security updates for Piwik were not applied immediately as this module is currently not enabled. The detail are provided below:

Issue status update for:
https://www.drupal.org/node/2782163
Update issue:
https://www.drupal.org/node/2782163/edit

Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-043.patch [1]
Reporter: dsnopek [2]
Created: August 10, 2016 - 16:17
Updated: August 10, 2016 - 16:17
The Piwik module has a moderately critical cross-site scripting
vulnerability.

With the help of the D6LTS vendors, a new version was released:

https://www.drupal.org/node/2781639 [3]

A patch is also attached.

[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-043.patch
[2] https://www.drupal.org/u/dsnopek
[3] https://www.drupal.org/node/2781639

comment:141 Changed 3 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 42.95 to 43.45

There were drupal security updates that needed to be applied this week:

Issue status update for:
https://www.drupal.org/node/2785707
Update issue:
https://www.drupal.org/node/2785707/edit

#2 -- August 17, 2016 - 18:11 : dsnopek
https://www.drupal.org/node/2785707#comment-11521787

Issue changes:

  • Status: Active

+ Status: Fixed
Committed!

Current issue values:
Status: Fixed
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-047.patch [1]
Reporter: dsnopek [2]
Created: August 17, 2016 - 18:10
Updated: August 17, 2016 - 18:11

One of the hunks failed. The function was different to what was expected; needs investigating.

transx@dedi2835:~/public_html/sites/all/modules/contrib/panels$ patch -p1 < SA-CONTRIB-2016-047.patch
patching file D6UPDATE.txt
patching file includes/plugins.inc
patching file panels.install
Hunk #2 succeeded at 1557 (offset -20 lines).
patching file panels.module
Hunk #1 succeeded at 267 (offset -1 lines).
Hunk #2 succeeded at 410 (offset -5 lines).
Hunk #3 succeeded at 706 (offset -5 lines).
Hunk #4 succeeded at 1283 (offset -5 lines).
Hunk #5 succeeded at 1581 (offset -5 lines).
patching file panels_ipe/panels_ipe.api.php
patching file panels_ipe/plugins/display_renderers/panels_renderer_ipe.class.php
Hunk #3 FAILED at 108.
Hunk #4 succeeded at 128 (offset -3 lines).
Hunk #5 succeeded at 150 (offset -1 lines).
1 out of 5 hunks FAILED -- saving rejects to file panels_ipe/plugins/display_renderers/panels_renderer_ipe.class.php.rej
patching file panels_mini/panels_mini.install
patching file panels_mini/panels_mini.module
patching file panels_mini/plugins/panels_storage/panels_mini.inc
patching file panels_node/panels_node.install
patching file panels_node/panels_node.module
patching file panels_node/plugins/panels_storage/panels_node.inc
patching file plugins/display_renderers/panels_renderer_editor.class.php
patching file plugins/display_renderers/panels_renderer_standard.class.php
patching file plugins/panels_storage/page_manager.inc
patching file plugins/task_handlers/panel_context.inc

comment:142 Changed 3 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 43.45 to 43.7

No drupal security updates need to be applied this week.

comment:143 Changed 3 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 43.7 to 43.95

No drupal security updates need to be applied this week.

comment:144 Changed 2 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 43.95 to 44.2

No drupal security updates need to be applied this week.

comment:145 Changed 2 months ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 44.2 to 44.45

No drupal security updates need to be applied this week.

comment:146 Changed 8 weeks ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 44.45 to 44.7

No drupal security updates need to be applied this week.

comment:147 Changed 7 weeks ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 44.7 to 44.95

No drupal security updates need to be applied this week.

comment:148 Changed 6 weeks ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 44.95 to 45.45

comment:149 Changed 6 weeks ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 45.45 to 45.95

There were drupal security updates that needed to be applied this week:

Issue status update for:
https://www.drupal.org/node/2817359

Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: elysia_cron-sa-contrib-2016-052.patch [1]
Reporter: dsnopek [2]
Created: October 12, 2016 - 17:15
Updated: October 12, 2016 - 17:15
An SA was just published for elysia_cron:

https://www.drupal.org/node/2817211 [3]

The D6LTS vendors backported the patch to D6 which is attached

[1] https://www.drupal.org/files/issues/elysia_cron-sa-contrib-2016-052.patch
[2] https://www.drupal.org/u/dsnopek
[3] https://www.drupal.org/node/2817211

One of the hunks failed. The function was different to what was expected; the update was manually applied.

transx@dedi2835:~/public_html/sites/all/modules/contrib/elysia_cron$ patch -p1 < elysia_cron-sa-contrib-2016-052.patch
patching file elysia_cron.admin.inc
Hunk #1 FAILED at 99.
Hunk #2 succeeded at 554 (offset -46 lines).
1 out of 2 hunks FAILED -- saving rejects to file elysia_cron.admin.inc.rej
transx@dedi2835:~/public_html/sites/all/modules/contrib/elysia_cron$ cat elysia_cron.admin.inc.rej

--- elysia_cron.admin.inc
+++ elysia_cron.admin.inc
@@ -99,7 +99,7 @@ function elysia_cron_admin_page() {
         );
         $rows[] = array(
           '',
-          $conf['rule'] . (!empty($conf['weight']) ? ' <small>(' . t('Weight') . ': ' . $conf['weight'] . ')</small>' : ''),
+          check_plain($conf['rule']) . (!empty($conf['weight']) ? ' <small>(' . t('Weight') . ': ' . $conf['weight'] . ')</small>' : ''),
           elysia_cron_date($conf['last_run']),
           $conf['last_execution_time'] . 's',
           $conf['execution_count'],
Last edited 6 weeks ago by paul (previous) (diff)

comment:150 Changed 5 weeks ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 45.95 to 46.7

There were drupal security updates that needed to be applied this week:

Issue status update for:
https://www.drupal.org/node/2820535

#2 -- October 19, 2016 - 17:34 : dsnopek
https://www.drupal.org/node/2820535#comment-11738607

Issue changes:

  • Status: Active

+ Status: Fixed
Committed to repo!

Current issue values:
Status: Fixed
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-053.patch [1]
Reporter: dsnopek [2]
Created: October 19, 2016 - 17:33
Updated: October 19, 2016 - 17:34

[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
[2] https://www.drupal.org/u/dsnopek

transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ wget https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
--2016-10-20 13:41:14-- https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
Resolving www.drupal.org (www.drupal.org)... 151.101.13.133
Connecting to www.drupal.org (www.drupal.org)|151.101.13.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1631 (1.6K) [text/plain]
Saving to: ‘SA-CONTRIB-2016-053.patch’

SA-CONTRIB-2016-053.patch 100%[=========================================================================>] 1.59K --.-KB/s in 0s

2016-10-20 13:41:14 (41.6 MB/s) - ‘SA-CONTRIB-2016-053.patch’ saved [1631/1631]

transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ ls
CHANGELOG.txt css includes LICENSE.txt SA-CONTRIB-2016-053.patch tests views webform.info webform.module
components images js README.txt templates THEMING.txt webform.api.php webform.install
transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ patch -p1 < SA-CONTRIB-2016-053.patch
patching file webform.module

Downloaded a recent copy of the database. Shall I check that we can recover from these database backups on my local network?

comment:151 Changed 4 weeks ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 46.7 to 46.95

No drupal security updates need to be applied this week.

comment:152 Changed 3 weeks ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 46.95 to 47.2

No drupal security updates need to be applied this week.

comment:153 Changed 11 days ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 47.2 to 47.45

No drupal security updates need to be applied this week.

comment:154 Changed 4 days ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 47.45 to 47.7

No drupal security updates need to be applied this week.

There maybe an update later in the week:

View online: https://www.drupal.org/SA-CORE-2016-005

  • Advisory ID: DRUPAL-SA-CORE-2016-005
  • Project: Drupal core [1]
  • Version: 7.x, 8.x
  • Date: 2016-November-16
  • Security risk: 13/25 ( Moderately Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
  • Vulnerability: Multiple vulnerabilities
Note: See TracTickets for help on using tickets.