Ticket #701 (assigned maintenance)
Emails & Telephone calls
Reported by: | paul | Owned by: | paul |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Drupal modules & settings | Keywords: | |
Cc: | chris, ade | Estimated Number of Hours: | 0.0 |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 47.7 |
Description (last modified by paul) (diff)
Attachments
Change History
comment:2 Changed 3 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.0 to 0.25
Emails [10th] 0,15
comment:4 Changed 3 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.25 to 0.5
Emails [18th] 0,15
comment:5 Changed 3 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.3
- Total Hours changed from 0.5 to 0.8
Calls [24th] 0,20
comment:6 Changed 3 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 0.8 to 1.3
Emails [31st] 0,30
comment:7 Changed 3 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 1.3 to 1.55
Emails [31st] 0,15
comment:8 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 1.55 to 2.3
Skype call [19th June]
comment:9 Changed 2 years ago by ben
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 2.3 to 3.05
Skype call
comment:10 Changed 2 years ago by annesley
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 3.05 to 3.55
Skype call [19th June]
comment:11 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 3.55 to 3.8
Just checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:12 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 3.8 to 4.05
Just checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:13 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 4.05 to 4.55
Yesterday:
Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.
Email reply to Annesley / TN
comment:14 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 4.55 to 4.8
Conversation on mailing list about updating production.
comment:15 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 4.8 to 5.3
Email exchange on mailing list and follow up on BOA issue.
comment:16 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 5.3 to 5.8
A few responses to the mailing list conversation, will continue reading tomorrow
comment:17 Changed 23 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 5.8 to 6.05
Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:18 Changed 23 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 6.05 to 6.3
Checking to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:19 Changed 22 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 6.3 to 6.45
Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:20 Changed 22 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 6.45 to 6.7
Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
https://booker-stage-20141120.transitionnetwork.org/admin/reports/updates
comment:21 Changed 22 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 6.7 to 6.95
Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
https://booker-stage-20141120.transitionnetwork.org/admin/reports/updates
comment:22 Changed 22 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 6.95 to 7.075
Checked to see if the recent rounds of drupal security updates apply to TN. Views needs updating ..
comment:23 Changed 22 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 7.075 to 7.825
Updated the live site & profile on github.
Email exchange with Ade.
comment:24 Changed 21 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 7.825 to 8.075
Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:25 Changed 21 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 8.075 to 8.2
Checked to see if the recent rounds of drupal security updates apply to TN. Webform needs updating ..
comment:26 Changed 21 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 8.2 to 8.7
Updated the live site. Profile does not need updating.
comment:27 Changed 20 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 8.7 to 8.825
Checked to see if the recent rounds of drupal security updates apply to TN. Drupal core, CTools & Webform needs updating ..
Changed 20 months ago by paul
- Attachment Screen Shot 2015-03-19 at 14.46.43.png added
Load error while building a new platfrom
comment:28 Changed 20 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 8.825 to 9.325
Trying to build the platform again ..
comment:29 Changed 20 months ago by paul
Worked second time ..
comment:30 Changed 20 months ago by paul
- Add Hours to Ticket changed from 0.0 to 1.0
- Total Hours changed from 9.325 to 10.325
Built new stage/production platforms for 6.35 (Both platforms failed first time).
Migrated stage/production sites (www. & news.) over to the new platforms .
Production sites up and running:
https://www.transitionnetwork.org/admin/reports/status
Updated the profile and pushed up to my git repository.
comment:31 Changed 20 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 10.325 to 10.575
Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:32 Changed 20 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 10.575 to 10.825
Checked to see if the recent rounds of drupal security updates apply to TN. No - all good.
comment:33 Changed 20 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 10.825 to 11.075
Checked to see if there are any drupal security updates to apply to TN. No - all good.
Responded to mailing list.
comment:34 Changed 19 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 11.075 to 11.325
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:35 Changed 19 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 11.325 to 11.575
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:36 Changed 19 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 11.575 to 12.075
Email communications.
comment:37 Changed 19 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 12.075 to 12.325
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:38 Changed 19 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 12.325 to 12.575
Email communications
comment:39 Changed 19 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 12.575 to 13.325
Investigating the TN site on PHP 5.5.3
comment:40 Changed 19 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 13.325 to 13.575
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:41 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 13.575 to 13.825
Email communications
comment:42 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 13.825 to 14.075
Email communications
comment:43 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 14.075 to 14.325
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:44 Changed 18 months ago by paul
Chris, is this something that affects us ..
View online: https://www.drupal.org/node/2492317
comment:45 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 14.325 to 14.45
I almost missed this as this update looks to be a platform level update that is not shown on the drupal updates page.
https://booker-stage-20150319.transitionnetwork.org/admin/reports/updates
comment:46 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 14.45 to 15.2
Email communications (I'll send an updated invoice later in the month )
comment:47 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 15.2 to 15.45
Email communications
comment:48 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 15.45 to 15.95
Email communications & reading through wiki page.
https://wiki.transitionnetwork.org/BOA_Server/Development_workflow
comment:49 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 15.95 to 16.2
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:50 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 16.2 to 16.45
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:51 Changed 18 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 16.45 to 16.7
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:52 Changed 17 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 16.7 to 16.95
Checked to see if there are any drupal security updates to apply to TN. The following needs to be applied
View online: https://www.drupal.org/SA-CORE-2015-002
- Advisory ID: DRUPAL-SA-CORE-2015-002
- Project: Drupal core [1]
- Version: 6.x, 7.x
- Date: 2015-June-17
- Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
- Vulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilities
However , it looks as though pressflow haven't posted a response to the security update:
https://github.com/omega8cc/boa/search?q=pressflow
The following link currently gives a 404
http://files.aegir.cc/core/pressflow-6.36.1.tar.gz
I'll try again later this afternoon.
comment:53 Changed 17 months ago by chris
- Cc chris, ade added
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 16.95 to 17.05
I don't know if this is relevant, but the latest version of BOA, which we are not running, see ticket:854, didn't have a Pressflow update, the latest version of Pressflow from BOA is Pressflow 6.34 and that came out with BOA-2.3.7 in November 2014.
Does the site use the OpenID module? That is the only Drupal 6 issue in SA-CORE-2015-002.
Impersonation (OpenID module - Drupal 6 and 7 - Critical)
A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).
I have also added myself and Ade as CCs for this ticket, I hopw that is OK.
comment:54 Changed 17 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 17.05 to 17.3
Thanks Chris,
We're not using the OpenID so we can skip the core update. I would normally just apply any core update.
I'll update the following ..
View online: https://www.drupal.org/node/2507753
- Advisory ID: DRUPAL-SA-CONTRIB-2015-126
- Project: Content Construction Kit (CCK) [1] (third-party module)
- Version: 6.x
- Date: 2015-June-17
- Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
- Vulnerability: Open Redirect
Next time we have a core update that needs to be applied: I'll investigate further how to proceed.
comment:55 Changed 17 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 17.3 to 17.8
Updated CCK on the stage / live sites.
comment:56 Changed 17 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 17.8 to 18.05
Checked to see if there are any drupal security updates to apply to TN. No - all good.
comment:57 Changed 17 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 18.05 to 18.8
Applied the the following drupal security update to TN.
View online: https://www.drupal.org/node/2516688
comment:58 Changed 17 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 18.8 to 19.3
No drupal security updates need to be applied this week.
I noticed that VBO appeared to still need a security update; but in fact it had already been applied on the the stage server.
https://booker-stage-20150319.transitionnetwork.org/admin/reports/updates
I doubled checked that this update was also applied on the live site:
puffin:/data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/all/modules/contrib# cat views_bulk_operations/views_bulk_operations.info
name = Views Bulk Operations
description = Exposes new Views style 'Bulk Operations' for selecting multiple nodes and applying operations on them.
dependencies[] = views
package = Views
core = 6.x
php = 5.0
; Information added by drupal.org packaging script on 2013-06-21
version = "6.x-1.15"
core = "6.x"
project = "views_bulk_operations"
datestamp = "1371815759"
comment:59 Changed 16 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 19.3 to 19.55
No drupal security updates need to be applied this week.
comment:60 Changed 16 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 19.55 to 19.8
No drupal security updates need to be applied this week.
comment:61 Changed 16 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 19.8 to 20.05
No drupal security updates need to be applied this week.
comment:62 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 20.05 to 20.3
The following drupal security updates need to be applied this week:
View online: https://www.drupal.org/SA-CORE-2015-003
- Advisory ID: DRUPAL-SA-CORE-2015-003
- Project: Drupal core [1]
- Version: 6.x, 7.x
- Date: 2015-August-19
- Security risk: 18/25 ( Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All [2]
- Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities
This security advisory fixes multiple vulnerabilities.
View online: https://www.drupal.org/node/2554145
- Advisory ID: DRUPAL-SA-CONTRIB-2015-141
- Project: Chaos tool suite (ctools) [1] (third-party module)
- Version: 6.x, 7.x
- Date: 2015-August-19
- Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
- Vulnerability: Cross Site Scripting, Access bypass, Multiple vulnerabilities
I'll get these done first thing in the morning.
comment:63 follow-up: ↓ 64 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 20.3 to 20.425
Chris,
Are we no longer getting security updates for drupal?
https://github.com/omega8cc/boa/search?q=pressflow
http://files.aegir.cc/core/pressflow-6.38.1.tar.gz
Paul
comment:64 in reply to: ↑ 63 Changed 15 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 20.425 to 20.925
Replying to paul:
Are we no longer getting security updates for drupal?
https://github.com/omega8cc/boa/search?q=pressflow
http://files.aegir.cc/core/pressflow-6.38.1.tar.gz
As I recall we stopped doing BOA updates a while ago due to the fact that we couldn't agree on upgrading to a supported version of PHP (we tried to clone PuffinServer to do a test run but that failed, we don't have a dev server to test on as the dev server was dropped with the switch to BOA because, as I remember, it was deemed that the cost saving was more important than being able to test updates), so we are stuck with BOA 2.4.2, see wiki:PuffinServer#Upgradetickets.
I see that the latest Pressflow, 6.37.120 has merged in Drupal core 6.37 which has fixes for SA-CORE-2015-003, BOA has Pressflow 6.37.1, it appear to me that BOA hasn't yet added Pressflow 6.37.120?
I would expect that support for this will be added and a new BOA release will happen very soon.
There are security issues that could impact us in SA-CORE-2015-003:
Cross-site Scripting - Autocomplete system - Drupal 6 and 7
A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.
This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.
Cross-site Request Forgery - Form API - Drupal 6 and 7
A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.
This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.
Information Disclosure in Menu Links - Access system - Drupal 6 and 7
Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.
In terms of what we can do I would suggest two options:
- Build a new BOA server and use that for testing the existing site with a supported version of PHP following the BOA migration documentation. If this works OK make this new server the live server and switch off PuffinServer (the IP address can be moved to the new server saving a DNS update and minimising downtime for the site).
- Abandon BOA and build a new server without it.
Either of the above two options would have a significant time and therefore cost implication so some alternative options might have to be though of?
This issue probably deserves a new ticket and/or a email to the ttech list or even a conference call?
comment:67 follow-up: ↓ 69 Changed 15 months ago by sam
Hi all Ade will be back from holiday soon. I'm pretty sure he won't want to spend much on any BOA re-configuration, so my guess is that we'll be looking to move the site to a more usual /dev /stage /live kind of setup without BOA. But that's a decision for Ade. In the short term, looking to mitigate the risks; > There are security issues that could impact us in [https://www.drupal.org > /SA-CORE-2015-003 SA-CORE-2015-003]: > > This vulnerability is mitigated by the fact that the malicious user must > be allowed to upload files. Disabling any user file uploads would mitigate this. > > == Cross-site Request Forgery - Form API - Drupal 6 and 7 == > > This vulnerability is mitigated by the fact that the uploaded files > would be temporary, Again disabling any user file uploads would mitigate this. > > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7 > > Users without the "access content" permission can see the titles of > nodes that they do not have access to, if the nodes are added to a menu on > the site that the users have access to. I can't think of a situation on the current configuration which would be a problem for us. So today I'll have a look through all the forms and disable and user uploads which should give us some breathing space.. Thanks Sam > > In terms of what we can do I would suggest two options: > > 1. Build a new BOA server and use that for testing the existing site with > a supported version of PHP following the BOA migration documentation. If > this works OK make this new server the live server and switch off > PuffinServer (the IP address can be moved to the new server saving a DNS > update and minimising downtime for the site). > 2. Abandon BOA and build a new server without it. > > Either of the above two options would have a significant time and > therefore cost implication so some alternative options might have to be > though of? > > This issue probably deserves a new ticket and/or a email to the ttech list > or even a conference call? > > -- > Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64> > Transition Technology <https://tech.transitionnetwork.org/trac> > Support and issues tracking for the Transition Network Web Project.
comment:68 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 20.925 to 21.175
Hello,
The choice seems to be do nothing or do something, both incur a significant cost, one financial the other relating to the security of users who use the website. We have responsibility to do something, so we may as well implement whatever solution will be the easiest to use going forward.
I think having a new server would be my preference. We can then have things setup how we want them (using git and branches, ..), and do things more quickly.
Best, Paul
comment:69 in reply to: ↑ 67 Changed 15 months ago by chris
Replying to sam:
So today I'll have a look through all the forms and disable and user
uploads which should give us some breathing space..
Nice one.
comment:70 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 21.175 to 21.3
That all sound good Sam. Thanks. Let me know if you have any questions.
Best, Paul
comment:71 Changed 15 months ago by sam
Hi all So I disabled the three webforms that allowed file upload (all old and not in use in any case) https://www.transitionnetwork.org/admin/content/webform I also unchecked topmost 'upload' box on this page & saved https://www.transitionnetwork.org/admin/settings/imce/profile/edit/2 I think that should cover it, unless anyone else can think of areas where users can upload files? The only thing I think this breaks is users being able to add images to: * Projects - we hardly get any of these anyway, I've made a note on the form for users to email these to us if they want to include a photo. *Initiative profile - Again very low volume, I've made a note on the form for users to email these to us if they want to include a photo. I'll email staff to let them know just in case there are any unexpected consequences, I very much doubt anyone will notice though.. Thanks Sam On 21 August 2015 at 11:17, Sam Rossiter <samrossiter@transitionnetwork.org> wrote: > Hi all > > Ade will be back from holiday soon. I'm pretty sure he won't want to > spend much on any BOA re-configuration, so my guess is that we'll be > looking to move the site to a more usual /dev /stage /live kind of > setup without BOA. But that's a decision for Ade. > > In the short term, looking to mitigate the risks; > >> There are security issues that could impact us in [https://www.drupal.org >> /SA-CORE-2015-003 SA-CORE-2015-003]: >> > This vulnerability is mitigated by the fact that the malicious user must >> be allowed to upload files. > > Disabling any user file uploads would mitigate this. > >> > == Cross-site Request Forgery - Form API - Drupal 6 and 7 == >> > This vulnerability is mitigated by the fact that the uploaded files >> would be temporary, > > Again disabling any user file uploads would mitigate this. > >> > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7 >> > Users without the "access content" permission can see the titles of >> nodes that they do not have access to, if the nodes are added to a menu on >> the site that the users have access to. > > I can't think of a situation on the current configuration which would > be a problem for us. > > So today I'll have a look through all the forms and disable and user > uploads which should give us some breathing space.. > > Thanks > > Sam > > >> >> In terms of what we can do I would suggest two options: >> >> 1. Build a new BOA server and use that for testing the existing site with >> a supported version of PHP following the BOA migration documentation. If >> this works OK make this new server the live server and switch off >> PuffinServer (the IP address can be moved to the new server saving a DNS >> update and minimising downtime for the site). >> 2. Abandon BOA and build a new server without it. >> >> Either of the above two options would have a significant time and >> therefore cost implication so some alternative options might have to be >> though of? >> >> This issue probably deserves a new ticket and/or a email to the ttech list >> or even a conference call? >> >> -- >> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64> >> Transition Technology <https://tech.transitionnetwork.org/trac> >> Support and issues tracking for the Transition Network Web Project.
comment:72 Changed 15 months ago by sam
Ah one more: Removed jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp from the list of allowed files for role "authenticated user" here: https://www.transitionnetwork.org/admin/settings/uploads Thanks Sam On 21 August 2015 at 11:31, Sam Rossiter <samrossiter@transitionnetwork.org> wrote: > Hi all > > So I disabled the three webforms that allowed file upload (all old and > not in use in any case) > https://www.transitionnetwork.org/admin/content/webform > > I also unchecked topmost 'upload' box on this page & saved > https://www.transitionnetwork.org/admin/settings/imce/profile/edit/2 > > I think that should cover it, unless anyone else can think of areas > where users can upload files? > > The only thing I think this breaks is users being able to add images to: > > * Projects - we hardly get any of these anyway, I've made a note on > the form for users to email these to us if they want to include a > photo. > > *Initiative profile - Again very low volume, I've made a note on the > form for users to email these to us if they want to include a photo. > > I'll email staff to let them know just in case there are any > unexpected consequences, I very much doubt anyone will notice though.. > > Thanks > > Sam > > On 21 August 2015 at 11:17, Sam Rossiter > <samrossiter@transitionnetwork.org> wrote: >> Hi all >> >> Ade will be back from holiday soon. I'm pretty sure he won't want to >> spend much on any BOA re-configuration, so my guess is that we'll be >> looking to move the site to a more usual /dev /stage /live kind of >> setup without BOA. But that's a decision for Ade. >> >> In the short term, looking to mitigate the risks; >> >>> There are security issues that could impact us in [https://www.drupal.org >>> /SA-CORE-2015-003 SA-CORE-2015-003]: >>> > This vulnerability is mitigated by the fact that the malicious user must >>> be allowed to upload files. >> >> Disabling any user file uploads would mitigate this. >> >>> > == Cross-site Request Forgery - Form API - Drupal 6 and 7 == >>> > This vulnerability is mitigated by the fact that the uploaded files >>> would be temporary, >> >> Again disabling any user file uploads would mitigate this. >> >>> > == Information Disclosure in Menu Links - Access system - Drupal 6 and 7 >>> > Users without the "access content" permission can see the titles of >>> nodes that they do not have access to, if the nodes are added to a menu on >>> the site that the users have access to. >> >> I can't think of a situation on the current configuration which would >> be a problem for us. >> >> So today I'll have a look through all the forms and disable and user >> uploads which should give us some breathing space.. >> >> Thanks >> >> Sam >> >> >>> >>> In terms of what we can do I would suggest two options: >>> >>> 1. Build a new BOA server and use that for testing the existing site with >>> a supported version of PHP following the BOA migration documentation. If >>> this works OK make this new server the live server and switch off >>> PuffinServer (the IP address can be moved to the new server saving a DNS >>> update and minimising downtime for the site). >>> 2. Abandon BOA and build a new server without it. >>> >>> Either of the above two options would have a significant time and >>> therefore cost implication so some alternative options might have to be >>> though of? >>> >>> This issue probably deserves a new ticket and/or a email to the ttech list >>> or even a conference call? >>> >>> -- >>> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:64> >>> Transition Technology <https://tech.transitionnetwork.org/trac> >>> Support and issues tracking for the Transition Network Web Project.
comment:73 Changed 15 months ago by paul
Sounds like you got this one covered. Thanks Sam!
comment:74 Changed 15 months ago by sam
If we define 'covered' as deliberately breaking a load of stuff then yes :) I figure we should work out a proper solution for this fairly soon, but obviously Ade needs to be involved in that. At least this way we can think about what to do without sitting on an insecure site.. Ta Sam On 21 August 2015 at 11:44, Transition Technology Trac <trac@tech.transitionnetwork.org> wrote: > #701: Emails & Telephone calls > -------------------------------------+------------------------------------- > Reporter: paul | Owner: ed > Type: maintenance | Status: new > Priority: major | Milestone: > Component: Unassigned | Maintenance > Keywords: | Resolution: > Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0 > Total Hours: 21.3 | Billable?: 1 > -------------------------------------+------------------------------------- > > Comment (by paul): > > Sounds like you got this one covered. Thanks Sam! > > -- > Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/701#comment:73> > Transition Technology <https://tech.transitionnetwork.org/trac> > Support and issues tracking for the Transition Network Web Project.
comment:75 Changed 15 months ago by paul
Yes :D covered - for now :)
comment:76 Changed 15 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Owner changed from ed to paul
- Status changed from new to assigned
- Component changed from Unassigned to Drupal modules & settings
- Total Hours changed from 21.3 to 21.4
BTW I saw ed was CC'd in on this ticket as he owned it, so I have changed the owner to paul. It isn't clear to me why the other people that get copies of these comments are CC'd (see the email headers) as they are not listed as ticket CC's?
comment:77 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 21.4 to 22.15
No additional security updates need to be applied.
Here is a first draft of how we could try to do the core updates manually:
Download and extract the latest Drupal tar ball.
Remove all .txt files and the sites folder.
From the stage/production directory (under /data/disk/tn/static) remove all .php files, and the following directories: includes/ modules/, misc/ , profiles/, themes/. However, keep the following modules and links in the modules directory: simpletest, path_alias_cache, o_contrib@, cookie_cache_bypass
Copy over the remaining files and folders from the drupal tarball to the stage/production directory.
Best, Paul
comment:78 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 22.15 to 22.65
I have manually updated ctools and views_bulk_operations on the live site (fairly straightforward). I thought these updates were already done. Apologies, if this is down to an error on my part.
Tomorrow, I'll try to update drupal core on my stage site following the instructions I documented earlier. If the the update looks successful we can then test the site to see if there are any problems.
Best, Paul
comment:79 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 22.65 to 22.9
Email communication.
comment:80 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 22.9 to 23.15
No drupal security updates need to be applied this week.
I still need to try updating drupal core on my stage site. I'll see if I can do this later this afternoon.
comment:81 Changed 15 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 23.15 to 23.65
It's actually fairly straightforward to update core manually.
Can I just get confirmation that we have a backup of the live site. I'll then manually update core on the live site.
comment:82 Changed 14 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 23.65 to 23.9
No drupal security updates need to be applied this week.
comment:83 Changed 14 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 23.9 to 24.15
No drupal security updates need to be applied this week.
comment:84 Changed 14 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 24.15 to 24.4
No drupal security updates need to be applied this week.
comment:85 Changed 13 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 24.4 to 24.65
No drupal security updates need to be applied this week.
comment:86 Changed 13 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 24.65 to 24.9
No drupal security updates need to be applied this week.
comment:87 Changed 13 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 24.9 to 25.15
No drupal security updates need to be applied this week.
Changed 13 months ago by paul
- Attachment Screen Shot 2015-11-05 at 12.38.28.png added
Files directory not fully protected.
comment:88 follow-up: ↓ 89 Changed 13 months ago by paul
- Add Hours to Ticket changed from 0.0 to 1.25
- Total Hours changed from 25.15 to 26.4
No drupal security updates needed to be applied this week.
However, I took the opportunity to manually update core and update the database. After updating core I also deleted the current files/ .htaccess file (see screenshot) and regenerated this from the files system page.
https://www.transitionnetwork.org/admin/reports/status
https://www.transitionnetwork.org/admin/settings/file-system
comment:89 in reply to: ↑ 88 Changed 13 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 26.4 to 26.5
Replying to paul:
I also deleted the current files/ .htaccess file (see screenshot) and regenerated this from the files system page.
Note that since we are using Nginx and not Apache that all .htaccess files will be ignored and have no effect.
If there are some new rules from a .htaccess file that we need to add to the Ngnix config then we will have to do that manually -- where is the .htaccess file you recreated? I could check it against the Ngnix config (if I can actually find it in the BOA created mess of config files...).
comment:90 Changed 13 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 26.5 to 26.75
So looking for the .htaccess file, there are 96 on the server...
updatedb locate .htaccess
It seems like /data/disk/tn/static/sites/transitionnetwork.org-PROD/files/.htaccess is the one? It contains:
# Turn off all options we don't need. Options None Options +FollowSymLinks # Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 <Files *> # Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 </Files> # If we know how to do it safely, disable the PHP engine entirely. <IfModule mod_php5.c> php_flag engine off </IfModule> # PHP 4, Apache 1. <IfModule mod_php4.c> php_flag engine off </IfModule> # PHP 4, Apache 2. <IfModule sapi_apache2.c> php_flag engine off </IfModule>
So all it is doing is disabling PHP for the uploads directory. I would guess that this is already covered, so to test it I created /data/disk/tn/static/sites/transitionnetwork.org-PROD/files/info.php containing:
<?php phpinfo(); ?>
And it is available here:
And it is served with the default Nginx Mime type, Content-Type: application/octet-stream and not processed, so we are covered.
comment:91 Changed 13 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 26.75 to 27.0
Thanks Chris. I forgot we are using Nginx.
The .htaccess is located here:
/data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/www.transitionnetwork.org/files
It has the same content as the file you referenced above.
Looks good:
$ curl -I https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/info.php HTTP/1.1 200 OK Server: nginx Date: Thu, 05 Nov 2015 14:00:45 GMT Content-Type: application/octet-stream Content-Length: 20 Connection: keep-alive Last-Modified: Thu, 05 Nov 2015 13:46:36 GMT ETag: "563b5dbc-14" Expires: Sat, 05 Dec 2015 14:00:45 GMT Cache-Control: max-age=2592000 Accept-Ranges: bytes Strict-Transport-Security: max-age=15768000
comment:92 Changed 13 months ago by paul
Removed the info.php file.
comment:93 Changed 13 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 27.0 to 27.25
No drupal security updates need to be applied this week.
Modules unsupported this week: Hierarchical Select
This the first module to become unsupported for Drupal 6. If we know that we are not using any particular unsupported module on the website we should disable the module, just in case there are unresolved security issues with the module.
comment:94 follow-up: ↓ 95 Changed 12 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 27.25 to 27.75
No drupal security updates need to be applied this week.
Would you like me to provide extended support for Drupal 6 when it becomes unsupported by the community?
If so, we will need to read up on the security team process (i.e. go through the handbook pages) and contact the security team for further guidance.
https://www.drupal.org/d6-lts-support
https://www.drupal.org/node/2287855
comment:95 in reply to: ↑ 94 Changed 12 months ago by chris
Replying to paul:
Would you like me to provide extended support for Drupal 6 when it becomes unsupported by the community?
I can't answer that (I don't know what the plans are regarding continuing to use Drupal 6 or switching to something else, can anyone shed any light on this?) but I did open a ticket for this issue: ticket:883.
comment:96 Changed 12 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 27.75 to 28.0
No drupal security updates need to be applied this week.
comment:97 Changed 12 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 28.0 to 28.75
The following drupal security updates have been applied this week:
View online: https://www.drupal.org/node/2627448
comment:98 Changed 12 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 28.75 to 29.5
Investigating the news website as per email communications.
comment:99 Changed 12 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 29.5 to 29.75
Confirmed that the news website is up to date.
http://news.transitionnetwork.org/admin/reports/updates
The main administrative account is currently assigned to me. If you need to change this in the future you can do this with drush:
513 cd /data/disk/tn/static/
514 ls
515 cd transition-network-d6-35-p001b-booker/sites/news.transitionnetwork.org/
516 ls -la
517 sudo -u tn drush uli
comment:100 Changed 12 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 29.75 to 30.0
No drupal security updates need to be applied this week.
comment:101 Changed 11 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 30.0 to 30.25
No drupal security updates need to be applied this week.
comment:102 Changed 11 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 30.25 to 30.5
Email communications.
comment:103 Changed 11 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 30.5 to 30.75
No drupal security updates need to be applied this week.
comment:104 Changed 10 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 30.75 to 31.0
No drupal security updates need to be applied this week.
comment:105 Changed 10 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.45
- Total Hours changed from 31.0 to 31.45
No drupal security updates need to be applied this week.
Reviewing recent emails. Phone conversation with Ade.
Email communications.
comment:106 Changed 9 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 31.45 to 32.2
The following drupal security updates have been applied this week:
View online: https://www.drupal.org/node/2666446
comment:107 Changed 9 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 32.2 to 32.45
No drupal security updates need to be applied this week.
comment:108 Changed 9 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 32.45 to 32.95
Awaiting drupal 6 security updates from the LTS vendors.
https://www.drupal.org/project/d6lts
View online: https://www.drupal.org/SA-CORE-2016-001
- Advisory ID: SA-CORE-2016-001
- Project: Drupal core [1]
- Version: 6.x, 7.x, 8.x
- Date: 2016-February-24
- Security risk: 15/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
- Vulnerability: Multiple vulnerabilities
View online: https://www.drupal.org/node/2674854
- Advisory ID: DRUPAL-SA-CONTRIB-2016-008
- Project: FileField? [1] (third-party module)
- Version: 6.x
- Date: 2016-February-24
- Security risk: 11/25 ( Moderately Critical) AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All [2]
- Vulnerability: Denial of Service
The "Available updates" page was showing everything as "Not supported" so I have disabled the Update status & Update status advanced settings modules.
I'll pick this up again later today after talking to security team / LTS vendors.
comment:109 Changed 9 months ago by paul
- Add Hours to Ticket changed from 0.0 to 1.25
- Total Hours changed from 32.95 to 34.2
There have been official releases for these security updates.
Both of these drupal security updates have now been applied.
comment:110 Changed 9 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 34.2 to 34.7
No drupal security updates need to be applied today. I'll check again tomorrow morning.
https://www.drupal.org/node/2284611/commits
https://www.drupal.org/project/d6lts/git-instructions
https://www.drupal.org/project/d6lts
comment:111 Changed 9 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 34.7 to 34.95
No drupal security updates need to be applied this week.
comment:112 Changed 8 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 34.95 to 35.2
No drupal security updates need to be applied this week.
comment:113 Changed 8 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 35.2 to 35.45
No drupal security updates need to be applied this week.
comment:114 Changed 8 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 35.45 to 35.7
No drupal security updates need to be applied this week.
Taken a backup of the database.
comment:115 Changed 7 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 35.7 to 36.45
There were drupal security updates that needed to be applied this week:
puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/features# patch -p1 < features-sdo-138758-15-D6.patch
patching file features.admin.inc
Hunk #1 succeeded at 596 (offset -6 lines).
Hunk #2 succeeded at 619 (offset -6 lines).
https://www.drupal.org/node/2705751
There are some other security issues in review. I'll apply these as soon as they are reviewed.
https://www.drupal.org/project/issues/d6lts
comment:116 Changed 7 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 36.45 to 36.95
There were drupal security updates that needed to be applied this week:
puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1 < SA-CONTRIB-2014-054-6.x-2.x.patch
patching file includes/view.inc
patching file plugins/views_plugin_display.inc
comment:117 Changed 7 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 36.95 to 37.45
No drupal security updates need to be applied this week.
Taken a backup of the code & database.
comment:118 Changed 7 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 37.45 to 37.7
No drupal security updates need to be applied this week.
comment:119 Changed 6 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 37.7 to 37.95
No drupal security updates need to be applied this week.
comment:120 Changed 6 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 37.95 to 38.2
No drupal security updates need to be applied this week.
comment:121 Changed 6 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 38.2 to 38.7
There were drupal security updates that needed to be applied this week:
puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/xmlsitemap# patch -p1 < SA-CONTRIB-2016-030-6.x-2.x.patch
patching file xsl/xmlsitemap.xsl.js
puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/xmlsitemap#
comment:122 Changed 6 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 38.7 to 39.45
No drupal security updates need to be applied this week.
Taken a backup of the code, files & database.
puffin:/data/disk/tn/static# ls -la lrwxrwxrwx 1 root users 37 Mar 3 10:38 tn -> transition-network-d6-35-p001b-booker/ puffin:/data/disk/tn/static# tar -cf - tn | gzip > tn.20160602.tar.gz puffin:/data/disk/tn/static# mv tn.20160602.tar.gz /home/paul/ puffin:/data/disk/tn/static/tn/sites/www.transitionnetwork.org# ls -l total 472K lrwxrwxrwx 1 tn users 60 Jun 14 2013 files -> /data/disk/tn/static/sites/transitionnetwork.org-PROD/files// puffin:/data/disk/tn/static/sites/transitionnetwork.org-PROD# tar -cf - files | gzip > tn.files.20160602.tar.gz puffin:/data/disk/tn/static/sites/transitionnetwork.org-PROD# mv tn.files.20160602.tar.gz /home/paul/ scp -r transitionnetwork.org:tn.20160602.tar.gz . scp -r transitionnetwork.org:tn.files.20160602.tar.gz .
I had previously missed the flies directory.
Let me know if I should take the time to set the website up on my local server to confirm that we can rebuild the website from the above backup.
I have taken a backup of the database with the Backup & Migrate module. I'll investigate how to take a manual backup of the database later this afternoon.
comment:123 Changed 6 months ago by chris
Paul I'm not sure the work you are doing on backups is necessary, we have 60 days worth of MySQL and files backed up that you can access, see wiki:PuffinServer#Backups and in addition we have 60 days worth of snapshots of the whole servers (which only Webarchitects can access).
comment:124 Changed 6 months ago by paul
- Add Hours to Ticket 0 deleted
Sorry, I'll have a look at these. Are we testing these backups somewhere?
comment:125 Changed 6 months ago by chris
No, I haven't done any testing of the backups.
comment:126 Changed 6 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 39.45 to 39.7
No drupal security updates need to be applied this week.
comment:127 Changed 5 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 39.7 to 40.45
There were drupal security updates that needed to be applied this week:
Issue status update for:
https://www.drupal.org/node/2749407
Update issue:
https://www.drupal.org/node/2749407/edit
Current issue values:
Status: Active
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files:
SA-CONTRIB-2016-036-6.x-2.x.patch [1]
SA-CONTRIB-2016-036-6.x-3.x.patch [2]
Reporter: dsnopek [3]
Created: June 15, 2016 - 20:27
Updated: June 15, 2016 - 20:27
The issue described in Views - Less Critical - Access Bypass -
SA-CONTRIB-2016-036 [4] also affects Drupal 6! A series of patches are
attached for different versions of views.
[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-2.x.patch
[2] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-3.x.patch
[3] https://www.drupal.org/u/dsnopek
[4] https://www.drupal.org/node/2749333
puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1 < SA-CONTRIB-2016-036-6.x-2.x.patch patching file modules/statistics.views.inc patching file modules/statistics/views_handler_field_node_counter_timestamp.inc patching file modules/statistics/views_handler_field_statistics_numeric.inc
The database did not need updating unlike the corresponding security release for Drupal 7.
Note:
If anyone should need access to the database update script from their user account, you can uncomment the following line:
puffin:/data/disk/tn/static/tn# nano sites/www.transitionnetwork.org/settings.php #$update_free_access = TRUE;
comment:129 Changed 5 months ago by sam
Thanks Paul.. On 16 June 2016 at 11:20, Transition Technology Trac < trac@tech.transitionnetwork.org> wrote: > #701: Emails & Telephone calls > -------------------------------------+------------------------------------- > Reporter: paul | Owner: paul > Type: maintenance | Status: > Priority: major | assigned > Component: Drupal | Milestone: > modules & settings | Maintenance > Keywords: | Resolution: > Add Hours to Ticket: 0.75 | Estimated Number of Hours: 0.0 > Total Hours: 39.7 | Billable?: 1 > -------------------------------------+------------------------------------- > Changes (by paul): > > * hours: 0.0 => 0.75 > * totalhours: 39.7 => 40.45 > > > Comment: > > There were drupal security updates that needed to be applied this week: > > Issue status update for: > https://www.drupal.org/node/2749407 > Update issue: > https://www.drupal.org/node/2749407/edit > > Current issue values: > Status: Active > Priority: Normal > Category: Task > Component: Code > Assigned: Unassigned > Project: Drupal 6 Long Term Support > Files: > SA-CONTRIB-2016-036-6.x-2.x.patch [1] > SA-CONTRIB-2016-036-6.x-3.x.patch [2] > Reporter: dsnopek [3] > Created: June 15, 2016 - 20:27 > Updated: June 15, 2016 - 20:27 > The issue described in Views - Less Critical - Access Bypass - > SA-CONTRIB-2016-036 [4] also affects Drupal 6! A series of patches are > attached for different versions of views. > > > [1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-2.x.patch > [2] https://www.drupal.org/files/issues/SA-CONTRIB-2016-036-6.x-3.x.patch > [3] https://www.drupal.org/u/dsnopek > [4] https://www.drupal.org/node/2749333 > > > {{{ > puffin:/data/disk/tn/static/tn/sites/all/modules/contrib/views# patch -p1 > < SA-CONTRIB-2016-036-6.x-2.x.patch > patching file modules/statistics.views.inc > patching file > modules/statistics/views_handler_field_node_counter_timestamp.inc > patching file > modules/statistics/views_handler_field_statistics_numeric.inc > }}} > > > The database did not need updating unlike the corresponding security > release for Drupal 7. > > Note: > > If anyone should need access to the database update script from their user > account, you can uncomment the following line: > > > {{{ > puffin:/data/disk/tn/static/tn# nano > sites/www.transitionnetwork.org/settings.php > > #$update_free_access = TRUE; > }}} > > -- > Ticket URL: < > https://tech.transitionnetwork.org/trac/ticket/701#comment:127> > Transition Technology <https://tech.transitionnetwork.org/trac> > Support and issues tracking for the Transition Network Web Project. >
comment:130 Changed 5 months ago by paul
Chris,
Would you place a recent copy of the database in my home directory?
Attempts to install a recent database backup taken by the Backup & Migrate module:
Dirac:transitionnetwork-org paul$ file TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz: ASCII English text, with very long lines Dirac:transitionnetwork-org paul$ gunzip TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz gunzip: TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz: not in gzip format Archive: TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive. unzip: cannot find zipfile directory in one of TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz or TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz.zip, and cannot find TransitionNetwork-paulbooker-2016-06-02T11-52-33.sql.gz.ZIP, period.
comment:131 Changed 5 months ago by chris
Paul, as noted here, wiki:PuffinServer#Backups, backupninja "dumps all the mysql databases into /var/backups/mysql" -- you have sudo so you should be good to grab the latest from there?
comment:132 Changed 5 months ago by paul
Thanks Chris.
comment:133 Changed 5 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 40.45 to 40.7
No drupal security updates need to be applied this week.
comment:134 Changed 5 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 40.7 to 40.95
No drupal security updates need to be applied this week.
comment:135 Changed 5 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 40.95 to 41.2
No drupal security updates need to be applied this week.
Taken a backup of the database.
comment:136 Changed 4 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 41.2 to 41.45
No drupal security updates need to be applied this week.
comment:137 Changed 4 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 41.45 to 41.7
No drupal security updates need to be applied this week.
comment:138 Changed 4 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 41.7 to 41.95
No drupal security updates need to be applied this week.
comment:139 Changed 4 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 41.95 to 42.2
No drupal security updates need to be applied this week.
comment:140 Changed 3 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 42.2 to 42.95
There were drupal security updates that needed to be applied this week:
Issue status update for:
https://www.drupal.org/node/2782161
Update issue:
https://www.drupal.org/node/2782161/edit
Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files:
SA-CONTRIB-2016-042-6.x-4.x.patch [1]
SA-CONTRIB-2016-042-6.x-3.x.patch [2]
SA-CONTRIB-2016-042-6.x-2.x.patch [3]
Reporter: dsnopek [4]
Created: August 10, 2016 - 16:16
Updated: August 10, 2016 - 16:16
The Google Analytics module has a moderately critical cross-site scripting
vulnerability.
With the help of the D6LTS vendors, a new version was released:
https://www.drupal.org/project/google_analytics/releases/6.x-4.3 [5]
As well as patches for the 6.x-3.x and 6.x-2.x branches.
[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-4.x.patch
[2] https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-3.x.patch
[3] https://www.drupal.org/files/issues/SA-CONTRIB-2016-042-6.x-2.x.patch
[4] https://www.drupal.org/u/dsnopek
[5] https://www.drupal.org/project/google_analytics/releases/6.x-4.3
The security updates for Piwik were not applied immediately as this module is currently not enabled. The detail are provided below:
Issue status update for:
https://www.drupal.org/node/2782163
Update issue:
https://www.drupal.org/node/2782163/edit
Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-043.patch [1]
Reporter: dsnopek [2]
Created: August 10, 2016 - 16:17
Updated: August 10, 2016 - 16:17
The Piwik module has a moderately critical cross-site scripting
vulnerability.
With the help of the D6LTS vendors, a new version was released:
https://www.drupal.org/node/2781639 [3]
A patch is also attached.
[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-043.patch
[2] https://www.drupal.org/u/dsnopek
[3] https://www.drupal.org/node/2781639
comment:141 Changed 3 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 42.95 to 43.45
There were drupal security updates that needed to be applied this week:
Issue status update for:
https://www.drupal.org/node/2785707
Update issue:
https://www.drupal.org/node/2785707/edit
#2 -- August 17, 2016 - 18:11 : dsnopek
https://www.drupal.org/node/2785707#comment-11521787
Issue changes:
- Status: Active
+ Status: Fixed
Committed!
Current issue values:
Status: Fixed
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-047.patch [1]
Reporter: dsnopek [2]
Created: August 17, 2016 - 18:10
Updated: August 17, 2016 - 18:11
One of the hunks failed. The function was different to what was expected; needs investigating.
transx@dedi2835:~/public_html/sites/all/modules/contrib/panels$ patch -p1 < SA-CONTRIB-2016-047.patch
patching file D6UPDATE.txt
patching file includes/plugins.inc
patching file panels.install
Hunk #2 succeeded at 1557 (offset -20 lines).
patching file panels.module
Hunk #1 succeeded at 267 (offset -1 lines).
Hunk #2 succeeded at 410 (offset -5 lines).
Hunk #3 succeeded at 706 (offset -5 lines).
Hunk #4 succeeded at 1283 (offset -5 lines).
Hunk #5 succeeded at 1581 (offset -5 lines).
patching file panels_ipe/panels_ipe.api.php
patching file panels_ipe/plugins/display_renderers/panels_renderer_ipe.class.php
Hunk #3 FAILED at 108.
Hunk #4 succeeded at 128 (offset -3 lines).
Hunk #5 succeeded at 150 (offset -1 lines).
1 out of 5 hunks FAILED -- saving rejects to file panels_ipe/plugins/display_renderers/panels_renderer_ipe.class.php.rej
patching file panels_mini/panels_mini.install
patching file panels_mini/panels_mini.module
patching file panels_mini/plugins/panels_storage/panels_mini.inc
patching file panels_node/panels_node.install
patching file panels_node/panels_node.module
patching file panels_node/plugins/panels_storage/panels_node.inc
patching file plugins/display_renderers/panels_renderer_editor.class.php
patching file plugins/display_renderers/panels_renderer_standard.class.php
patching file plugins/panels_storage/page_manager.inc
patching file plugins/task_handlers/panel_context.inc
comment:142 Changed 3 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 43.45 to 43.7
No drupal security updates need to be applied this week.
comment:143 Changed 3 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 43.7 to 43.95
No drupal security updates need to be applied this week.
comment:144 Changed 2 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 43.95 to 44.2
No drupal security updates need to be applied this week.
comment:145 Changed 2 months ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 44.2 to 44.45
No drupal security updates need to be applied this week.
comment:146 Changed 8 weeks ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 44.45 to 44.7
No drupal security updates need to be applied this week.
comment:147 Changed 7 weeks ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 44.7 to 44.95
No drupal security updates need to be applied this week.
comment:148 Changed 6 weeks ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 44.95 to 45.45
No drupal security updates need to be applied this week.
https://www.drupal.org/psa-2016-003
https://transitionnetwork.org/admin/settings/webform
https://transitionnetwork.org/admin/settings/uploads
https://transitionnetwork.org/admin/user/permissions#module-upload
comment:149 Changed 6 weeks ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 45.45 to 45.95
There were drupal security updates that needed to be applied this week:
Issue status update for:
https://www.drupal.org/node/2817359
Current issue values:
Status: Needs review
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: elysia_cron-sa-contrib-2016-052.patch [1]
Reporter: dsnopek [2]
Created: October 12, 2016 - 17:15
Updated: October 12, 2016 - 17:15
An SA was just published for elysia_cron:
https://www.drupal.org/node/2817211 [3]
The D6LTS vendors backported the patch to D6 which is attached
[1] https://www.drupal.org/files/issues/elysia_cron-sa-contrib-2016-052.patch
[2] https://www.drupal.org/u/dsnopek
[3] https://www.drupal.org/node/2817211
One of the hunks failed. The function was different to what was expected; the update was manually applied.
transx@dedi2835:~/public_html/sites/all/modules/contrib/elysia_cron$ patch -p1 < elysia_cron-sa-contrib-2016-052.patch
patching file elysia_cron.admin.inc
Hunk #1 FAILED at 99.
Hunk #2 succeeded at 554 (offset -46 lines).
1 out of 2 hunks FAILED -- saving rejects to file elysia_cron.admin.inc.rej
transx@dedi2835:~/public_html/sites/all/modules/contrib/elysia_cron$ cat elysia_cron.admin.inc.rej
--- elysia_cron.admin.inc +++ elysia_cron.admin.inc @@ -99,7 +99,7 @@ function elysia_cron_admin_page() { ); $rows[] = array( '', - $conf['rule'] . (!empty($conf['weight']) ? ' <small>(' . t('Weight') . ': ' . $conf['weight'] . ')</small>' : ''), + check_plain($conf['rule']) . (!empty($conf['weight']) ? ' <small>(' . t('Weight') . ': ' . $conf['weight'] . ')</small>' : ''), elysia_cron_date($conf['last_run']), $conf['last_execution_time'] . 's', $conf['execution_count'],
comment:150 Changed 5 weeks ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 45.95 to 46.7
There were drupal security updates that needed to be applied this week:
Issue status update for:
https://www.drupal.org/node/2820535
#2 -- October 19, 2016 - 17:34 : dsnopek
https://www.drupal.org/node/2820535#comment-11738607
Issue changes:
- Status: Active
+ Status: Fixed
Committed to repo!
Current issue values:
Status: Fixed
Priority: Normal
Category: Task
Component: Code
Assigned: Unassigned
Project: Drupal 6 Long Term Support
Files: SA-CONTRIB-2016-053.patch [1]
Reporter: dsnopek [2]
Created: October 19, 2016 - 17:33
Updated: October 19, 2016 - 17:34
[1] https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
[2] https://www.drupal.org/u/dsnopek
transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ wget https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
--2016-10-20 13:41:14-- https://www.drupal.org/files/issues/SA-CONTRIB-2016-053.patch
Resolving www.drupal.org (www.drupal.org)... 151.101.13.133
Connecting to www.drupal.org (www.drupal.org)|151.101.13.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1631 (1.6K) [text/plain]
Saving to: ‘SA-CONTRIB-2016-053.patch’
SA-CONTRIB-2016-053.patch 100%[=========================================================================>] 1.59K --.-KB/s in 0s
2016-10-20 13:41:14 (41.6 MB/s) - ‘SA-CONTRIB-2016-053.patch’ saved [1631/1631]
transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ ls
CHANGELOG.txt css includes LICENSE.txt SA-CONTRIB-2016-053.patch tests views webform.info webform.module
components images js README.txt templates THEMING.txt webform.api.php webform.install
transx@dedi2835:~/public_html/sites/all/modules/contrib/webform$ patch -p1 < SA-CONTRIB-2016-053.patch
patching file webform.module
Downloaded a recent copy of the database. Shall I check that we can recover from these database backups on my local network?
comment:151 Changed 4 weeks ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 46.7 to 46.95
No drupal security updates need to be applied this week.
comment:152 Changed 3 weeks ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 46.95 to 47.2
No drupal security updates need to be applied this week.
comment:153 Changed 11 days ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 47.2 to 47.45
No drupal security updates need to be applied this week.
comment:154 Changed 4 days ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 47.45 to 47.7
No drupal security updates need to be applied this week.
There maybe an update later in the week:
View online: https://www.drupal.org/SA-CORE-2016-005