Ticket #774 (closed maintenance: fixed)
* Advisory ID: DRUPAL-SA-CORE-2014-004
Reported by: | paul | Owned by: | annesley |
---|---|---|---|
Priority: | critical | Milestone: | Maintenance |
Component: | Drupal modules & settings | Keywords: | |
Cc: | chris, ed | Estimated Number of Hours: | 0.0 |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 4.9 |
Description
View online: https://www.drupal.org/SA-CORE-2014-004
- Advisory ID: DRUPAL-SA-CORE-2014-004
- Project: Drupal core [1]
- Version: 6.x, 7.x
- Date: 2014-August-06
- Security risk: 13/25 ( Moderately Critical)
AC:None/A:None/CI:None/II:None/E:Proof/TD:100 [2]
- Exploitable from: Remote
- Vulnerability: Denial of service
Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available
(xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable
to an XML entity expansion attack and other related XML payload attacks which
can cause CPU and memory exhaustion and the site's database to reach the
maximum number of open connections. Any of these may lead to the site
becoming unavailable or unresponsive (denial of service).
All Drupal sites are vulnerable to this attack whether XML-RPC is used or
not.
In addition, a similar vulnerability exists in the core OpenID module (for
sites that have this module enabled).
This is a joint release as the XML-RPC vulnerability also affects WordPress
(see the announcement [3]).
- /A CVE identifier [4] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
- Drupal core 7.x versions prior to 7.31.
- Drupal core 6.x versions prior to 6.33.
Install the latest version:
- If you use Drupal 7.x, upgrade to Drupal core 7.31 [5].
- If you use Drupal 6.x, upgrade to Drupal core 6.33 [6].
If you are unable to install the latest version of Drupal immediately, you
can alternatively remove the xmlrpc.php file from the root of Drupal core (or
add a rule to .htaccess to prevent access to xmlrpc.php) and disable the
OpenID module. These steps are sufficient to mitigate the vulnerability in
Drupal core if your site does not require the use of XML-RPC or OpenID
functionality. However, this mitigation will not be effective if you are
using a contributed module that exposes Drupal's XML-RPC API at a different
URL (for example, the Services module); updating Drupal core is therefore
strongly recommended.
Also see the Drupal core [7] project page.
- Andrew Nacin [10] of the WordPress Security Team
- Michael Adams [11] of the WordPress Security Team
- Frédéric Marand [12]
- David Rothstein [13] of the Drupal Security Team
- Damien Tournoud [14] of the Drupal Security Team
- Greg Knaddison [15] of the Drupal Security Team
- Stéphane Corlosquet [16] of the Drupal Security Team
- Dave Reid [17] of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [20].
Learn more about the Drupal Security team and their policies [21], writing
secure code for Drupal [22], and securing your site [23].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] https://wordpress.org/news/2014/08/wordpress-3-9-2/
[4] http://cve.mitre.org/
[5] http://drupal.org/drupal-7.31-release-notes
[6] http://drupal.org/drupal-6.33-release-notes
[7] http://drupal.org/project/drupal
[8] https://www.drupal.org/user/1867894
[9] https://www.drupal.org/user/2891345
[10] http://profiles.wordpress.org/nacin
[11] http://profiles.wordpress.org/mdawaffe
[12] https://www.drupal.org/user/27985
[13] https://www.drupal.org/user/124982
[14] https://www.drupal.org/user/22211
[15] https://www.drupal.org/u/greggles
[16] https://www.drupal.org/user/52142
[17] https://www.drupal.org/user/53892
[18] http://drupal.org/security-team
[19] http://wordpress.org
[20] http://drupal.org/contact
[21] http://drupal.org/security-team
[22] http://drupal.org/writing-secure-code
[23] http://drupal.org/security/secure-configuration
_
Security-news mailing list
Security-news@…
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Change History
comment:1 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.0 to 0.125
comment:2 Changed 2 years ago by chris
- Cc chris added
- Owner changed from ed to annesley
- Priority changed from major to critical
- Component changed from Unassigned to Drupal modules & settings
- Milestone set to Maintenance
Annesley this looks like it really needs to be done today, or if you are going to postpone updating Drupal dore then you need to add Nginx config to deny access to xmlrpc.php. If you need help with the Nginx config let me know. This also affects WordPress, I'm going to look at the sites on ParrotServer now.
comment:3 Changed 2 years ago by chris
Note that this issue affects all the Drupal sites on wiki:PuffinServer -- it appear to me that any development sites which are not password protected should also updated.
comment:4 Changed 2 years ago by annesley
does anyone know what is the likelihood of TN.org being the victim of a DDOS or DOS attack?
because DDOS and DOS are not automated, they are individual hackers using it to gain access to banks etc. we are not a target. is this correct? so i put it at 0.00000000001% chance of it happening over the next 5 years.
how long would it take us (downtime) to solve it in the case of a DOS? 5 hours?
do our IP chains / firewall protect against this? (i think not in this case anyway)
if it did we could ignore all further DOS Drupal holes. worth installing IP chains burst protection? (excuse my lack of precise knowledge here but you get what i am saying)
we seem to have OpenID Module there, but not installed.
we are using Services_Links but not Services.
@chris: do we have a dedicated server or virtual? is there risk to the other sites that you host or from?
i am not against deleting the XMLRPC.php file however. i think we are not providing any XML based services anyway...? have i understood it's role correctly?
comment:5 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.125 to 0.25
@Annesley
We're not using Services or Open ID contrib modules.
On the stage servers I think we can just remove the xmlrpc.php files.
comment:6 Changed 2 years ago by annesley
hmm... mind you, this sort of attack could certainly be very easily automated. even if it hasn't been. a script kiddy could achieve this XML entity expansion attack because it is so simply to do. it doesn't require multi-threaded requests or normal DOS procedures, it's just a recursive entity definition in the DTD of the XML RPC request.
we should delete XMLRPC.php today then. we have no need to expose Remote Procedure Calls anyway AFAIK. and no intention to do this.
comment:7 Changed 2 years ago by annesley
@chris: could you handle the deletion of this file? is that within your role?
thanks :)
comment:8 Changed 2 years ago by annesley
@Paul: we do have OpenID Module on the server though...
it's showing as "not installed" from drush
comment:9 follow-up: ↓ 12 Changed 2 years ago by annesley
ok, it seems that removing XMLRPC.php removes the OpenID core module vulnerability as well. according to my understanding...
comment:10 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.25 to 0.375
The security team advice that the module just needs to be disabled on the server:
If you are unable to install the latest version of Drupal immediately, you
can alternatively remove the xmlrpc.php file from the root of Drupal core (or
add a rule to .htaccess to prevent access to xmlrpc.php) and disable the
OpenID module.
comment:11 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.375 to 0.625
The security advisory says:
The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).
Since this also applies to WordPress it is bound to result in a lot of attention being devoted to any possible automated exploits so it would be sensible to take steps to mitigate the risk. I don't know what the exact potential is for "XML payload attacks" but it is worth noting that we were at the limit of max MySQL connections with the default BOA config until it was increased 6 weeks ago, see ticket:587#comment:17, currently we have 39 with a max of 50:
There are 54 copies of xmlrpc.php on the server. We can't use .htaccess files because we are not using Apache.
It is a virtual server, see: wiki:PuffinServer#Puffin
comment:12 in reply to: ↑ 9 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.625 to 0.75
Replying to annesley:
ok, it seems that removing XMLRPC.php removes the OpenID core module vulnerability as well. according to my understanding...
There are two similar vulnerabilities that exists in XML-RPC and the core OpenID module. They probably have some shared code between them.
comment:13 follow-up: ↓ 14 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.75 to 0.875
@Annesley @Chris
I think we can just delete all of these xmlrpc.php files?
comment:14 in reply to: ↑ 13 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.05
- Total Hours changed from 0.875 to 0.925
Replying to paul:
I think we can just delete all of these xmlrpc.php files?
I can do that if you think it is safe to do so, note that some xmlrpc.php files will get recreated by things like the next BOA update, ticket:775
comment:16 follow-up: ↓ 17 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.925 to 1.05
Good. Thanks Chris.
@Annesley
Maybe delete the xmlrpc.php file now and then follow up with building a new platform for production?
comment:17 in reply to: ↑ 16 Changed 2 years ago by paul
Replying to paul:
Good. Thanks Chris.
@Annesley
Maybe delete the xmlrpc.php files now (with help from Chris) and then follow up with building a new platform for production?
comment:18 Changed 2 years ago by annesley
let me run a few checks before we delete it.
i will delete it on staging first and have a browse of course. but also check for references in the codebase.
comment:19 Changed 2 years ago by annesley
grep -rsi xmlrpc.php *
includes/common.inc: * http://www.example.com/xmlrpc.php
modules/blogapi/blogapi.module: $xmlrpc = $base_url .'/xmlrpc.php';
sites/all/modules/contrib/robotstxt/robots.txt:Disallow: /xmlrpc.php
blog api is "not installed"
so i'll go ahead and delete it from staging now.
comment:20 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 1.05 to 1.175
Building a new platform with latest version of core and then migrating the live site over will fix the problem for the live site and will probably not take more than 15 minutes. So we can have this problem resolved for stage / production within the half hour I would say?
comment:21 Changed 2 years ago by annesley
@paul: ok
staging seems fine without it's xmlrpc.php of course. there are no links to it except from blogapi.
comment:22 Changed 2 years ago by paul
Cool. Many drupal sites just delete the xmlrpc.php from the server if it's not being used.
comment:23 follow-up: ↓ 24 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 1.175 to 1.425
@Chris
I think these are the version of xmlrpc.php that are not automatically generated by Aegir:
puffin:~# find / -name xmlrpc.php
/data/disk/tn/static/transition-network-d6-s011/xmlrpc.php
/data/disk/tn/static/transition-network-d6-p010-booker/xmlrpc.php
/data/disk/tn/static/transition-network-d6-s009/xmlrpc.php
/data/disk/tn/static/transition-network-d6-s008/xmlrpc.php
/data/disk/tn/static/transition-network-d6-s012/xmlrpc.php
/data/disk/tn/static/transition-network-d6-p009/xmlrpc.php
/data/disk/tn/static/transition-network-d6-32-p001-booker/xmlrpc.php
/data/disk/tn/static/iirs-d006/xmlrpc.php
/data/disk/tn/static/iirs-d007/xmlrpc.php
/data/disk/tn/distro/007/drupal-7.30.1-prod/xmlrpc.php
/data/disk/tn/distro/007/openatrium-7.x-2.19-7.30.1/xmlrpc.php
/data/disk/tn/distro/006/drupal-7.28.1-prod/xmlrpc.php
/data/disk/tn/distro/006/openatrium-7.x-2.19-7.28.1/xmlrpc.php
/data/disk/tn/distro/005/drupal-7.27.1-prod/xmlrpc.php
/data/disk/tn/distro/005/openatrium-7.x-2.17-7.27.1/xmlrpc.php
/data/disk/tn/distro/004/openatrium-7.x-2.09-7.24.1/xmlrpc.php
/data/disk/tn/distro/004/drupal-7.24.1-prod/xmlrpc.php
...
Do you have any thoughts on dealing with the second block? I'll deal with the first block now ..
comment:24 in reply to: ↑ 23 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 1.425 to 1.525
Replying to paul:
/data/disk/tn/static/iirs-d006/xmlrpc.php
/data/disk/tn/static/iirs-d007/xmlrpc.php
/data/disk/tn/distro/007/drupal-7.30.1-prod/xmlrpc.php
/data/disk/tn/distro/007/openatrium-7.x-2.19-7.30.1/xmlrpc.php
/data/disk/tn/distro/006/drupal-7.28.1-prod/xmlrpc.php
/data/disk/tn/distro/006/openatrium-7.x-2.19-7.28.1/xmlrpc.php
/data/disk/tn/distro/005/drupal-7.27.1-prod/xmlrpc.php
/data/disk/tn/distro/005/openatrium-7.x-2.17-7.27.1/xmlrpc.php
/data/disk/tn/distro/004/openatrium-7.x-2.09-7.24.1/xmlrpc.php
/data/disk/tn/distro/004/drupal-7.24.1-prod/xmlrpc.php
...
Do you have any thoughts on dealing with the second block?
I think the simplest and quickest thing would be to delete them. I don't know if they are available to the public and the Nginx config is really hard to follow so it would take a while to work out which, if any, are and then to add rules to deny access to the files and then any changes would probably be clobbered at some point...
comment:25 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 1.525 to 2.275
@Chris
Agreed. I'll do that shortly.
@TN
What I have done so far:
Deleted my earlier stage sites.
Built a new stage platform.
Migrated the latest version of the stage site over to the new platform.
Turned on the database log & checked the site is working.
The new production platform is now scheduled to be built. As soon as the platform is built I'll migrate the live site over to the new production platform...
comment:26 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 2.275 to 2.525
The live site is now migrated to the new production platform & seems to be working fine.
The only xmlrpc.php files that have not been updated or deleted are the aegir versions of the files.
puffin:~# find / -name xmlrpc.php
/data/disk/tn/static/transition-network-d6-33-p001-booker/xmlrpc.php
/data/disk/tn/static/transition-network-d6-33-s001-booker/xmlrpc.php
/data/disk/tn/aegir/distro/009/xmlrpc.php
/data/disk/tn/aegir/distro/011/xmlrpc.php
/data/disk/tn/aegir/distro/010/xmlrpc.php
/data/disk/tn/aegir/distro/008/xmlrpc.php
/data/disk/tn/platforms/transitionnetwork.org/xmlrpc.php
/data/all/000/core/pressflow-6.29.1/xmlrpc.php
/data/all/000/core/drupal-7.23.3/xmlrpc.php
/data/all/000/core/drupal-7.27.1/xmlrpc.php
/data/all/000/core/drupal-7.30.1/xmlrpc.php
/data/all/000/core/pressflow-6.32.2/xmlrpc.php
/data/all/000/core/drupal-7.28.1/xmlrpc.php
/data/all/000/core/drupal-7.24.1/xmlrpc.php
/data/all/000/core/pressflow-6.31.1/xmlrpc.php
/data/all/000/core/pressflow-6.31.2/xmlrpc.php
/data/all/000/core/pressflow-6.28.3/xmlrpc.php
/var/aegir/hostmaster-BOA-2.0.4/xmlrpc.php
/var/aegir/host_master/009/xmlrpc.php
/var/aegir/host_master/001/xmlrpc.php
/var/aegir/host_master/007/xmlrpc.php
/var/aegir/host_master/002/xmlrpc.php
/var/aegir/host_master/003/xmlrpc.php
/var/aegir/host_master/011/xmlrpc.php
/var/aegir/host_master/010/xmlrpc.php
/var/aegir/host_master/013/xmlrpc.php
/var/aegir/host_master/012/xmlrpc.php
/var/aegir/host_master/006/xmlrpc.php
/var/aegir/host_master/005/xmlrpc.php
/var/aegir/host_master/004/xmlrpc.php
/var/aegir/host_master/008/xmlrpc.php
/var/aegir/host_master/014/xmlrpc.php
/var/aegir/host_master/015/xmlrpc.php
/var/backups/trash/drupal-7.22.1/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-dev/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-stage/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-prod/xmlrpc.php
/var/backups/codebases-cleanup/002/drupal-7.22.1-prod/xmlrpc.php
puffin:~#
comment:27 Changed 2 years ago by chris
I think there might now be a few more due to the BOA update:
updatedb locate xmlrpc.php /data/all/000/core/drupal-7.23.3/xmlrpc.php /data/all/000/core/drupal-7.24.1/xmlrpc.php /data/all/000/core/drupal-7.27.1/xmlrpc.php /data/all/000/core/drupal-7.28.1/xmlrpc.php /data/all/000/core/drupal-7.30.1/xmlrpc.php /data/all/000/core/drupal-7.31.1/xmlrpc.php /data/all/000/core/pressflow-6.28.3/xmlrpc.php /data/all/000/core/pressflow-6.29.1/xmlrpc.php /data/all/000/core/pressflow-6.31.1/xmlrpc.php /data/all/000/core/pressflow-6.31.2/xmlrpc.php /data/all/000/core/pressflow-6.32.2/xmlrpc.php /data/all/000/core/pressflow-6.33.1/xmlrpc.php /data/disk/tn/aegir/distro/008/xmlrpc.php /data/disk/tn/aegir/distro/009/xmlrpc.php /data/disk/tn/aegir/distro/010/xmlrpc.php /data/disk/tn/aegir/distro/011/xmlrpc.php /data/disk/tn/aegir/distro/012/xmlrpc.php /data/disk/tn/distro/008/drupal-7.31.1-prod/xmlrpc.php /data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1/xmlrpc.php /data/disk/tn/platforms/transitionnetwork.org/xmlrpc.php /data/disk/tn/static/transition-network-d6-33-p001-booker/xmlrpc.php /data/disk/tn/static/transition-network-d6-33-s001-booker/xmlrpc.php /var/aegir/host_master/001/xmlrpc.php /var/aegir/host_master/002/xmlrpc.php /var/aegir/host_master/003/xmlrpc.php /var/aegir/host_master/004/xmlrpc.php /var/aegir/host_master/005/xmlrpc.php /var/aegir/host_master/006/xmlrpc.php /var/aegir/host_master/007/xmlrpc.php /var/aegir/host_master/008/xmlrpc.php /var/aegir/host_master/009/xmlrpc.php /var/aegir/host_master/010/xmlrpc.php /var/aegir/host_master/011/xmlrpc.php /var/aegir/host_master/012/xmlrpc.php /var/aegir/host_master/013/xmlrpc.php /var/aegir/host_master/014/xmlrpc.php /var/aegir/host_master/015/xmlrpc.php /var/aegir/host_master/016/xmlrpc.php /var/aegir/hostmaster-BOA-2.0.4/xmlrpc.php /var/backups/codebases-cleanup/001/pressflow-6.26.2-dev/xmlrpc.php /var/backups/codebases-cleanup/001/pressflow-6.26.2-prod/xmlrpc.php /var/backups/codebases-cleanup/001/pressflow-6.26.2-stage/xmlrpc.php /var/backups/codebases-cleanup/002/drupal-7.22.1-prod/xmlrpc.php /var/backups/trash/drupal-7.22.1/xmlrpc.php
I don't know if any of these are available to the public?
comment:28 Changed 2 years ago by paul
Thanks Chris. I'll investigate ..
comment:29 follow-up: ↓ 30 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 2.525 to 3.025
All the sites that are listed on Aegir have had their xmlrpc.php either removed or updated.
However, I had a look over all of the sites and noticed that we have three sites with public domains that are not being updated:
iirs-test.transitionnetwork.org Drupal 7.26
space.transitionnetwork.org Open Atrium 2.0.9 7.24.1 P.004 Drupal 7.24
news.transitionnetwork.org Drupal 6.29
Any thoughts on what should be done with these? Can any of these be deleted? The latest versions of Drupal are 6.33 & 7.31
I deleted the xmlrpc.php from this ghost platform:
/data/disk/tn/platforms/transitionnetwork.org/xmlrpc.php
I think all of the aegir files are just sitting on the server.
comment:30 in reply to: ↑ 29 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 3.025 to 3.275
Replying to paul:
we have three sites with public domains that are not being updated:
iirs-test.transitionnetwork.org Drupal 7.26
space.transitionnetwork.org Open Atrium 2.0.9 7.24.1 P.004 Drupal 7.24
news.transitionnetwork.org Drupal 6.29
Well spotted!
- http://news.transitionnetwork.org/ this is in use and as far as I'm aware should be updated, best check with Ed. The ticket on which it was migrated to PuffinServer is ticket:480, I would guess that it's code is in a git repo, perhaps use Drush to get a admin login to the site and check the status to start with?
- https://space.transitionnetwork.org/home this is a non-public site that Jim set up for Ed, I think it wasn't used, best check with Ed if it is needed. If it is then upgrading it should be straight forward as it shouldn't have many, (or any) plugins.
- http://iirs-test.transitionnetwork.org/ I don't know if Jim or Annesley set that up, best check with Ed and Annesley.
comment:31 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 3.275 to 3.4
For http://news.transitionnetwork.org/ I just need to migrate it to the new production platform. I'll do that now ..
comment:32 Changed 2 years ago by paul
I'll migrate to stage first ..
comment:33 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 3.4 to 3.65
http://news.transitionnetwork.org/ is now updated to the latest production platform & we now have a clone of this site on a stage platfrom. Looking now into https://space.transitionnetwork.org/ ..
comment:34 follow-up: ↓ 36 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 3.65 to 3.9
Theres appears to be nothing documented about openatrium on the wiki / trac.
The current version of the open atrium site is here:
puffin:/data/disk/tn/distro/004/openatrium-7.x-2.09-7.24.1# ls -la
total 592K
drwxr-xr-x 4 tn users 4.0K Aug 7 19:09 ./
drwx--x--x 5 tn users 4.0K Nov 30 2013 ../
lrwxrwxrwx 1 tn users 46 Nov 30 2013 authorize.php -> /data/all/000/core/drupal-7.24.1/authorize.php
drwxrwsr-x 2 tn.ftp www-data 4.0K Jan 13 2014 cache/
lrwxrwxrwx 1 tn users 41 Nov 30 2013 cron.php -> /data/all/000/core/drupal-7.24.1/cron.php
lrwxrwxrwx 1 tn users 48 Nov 30 2013 crossdomain.xml -> /data/all/000/core/drupal-7.24.1/crossdomain.xml
-r--r--r-- 1 tn users 573K Aug 7 23:13 drushrc.php
lrwxrwxrwx 1 tn users 42 Nov 30 2013 .htaccess -> /data/all/000/core/drupal-7.24.1/.htaccess
lrwxrwxrwx 1 tn users 41 Nov 30 2013 includes -> /data/all/000/core/drupal-7.24.1/includes/
lrwxrwxrwx 1 tn users 42 Nov 30 2013 index.php -> /data/all/000/core/drupal-7.24.1/index.php
lrwxrwxrwx 1 tn users 44 Nov 30 2013 install.php -> /data/all/000/core/drupal-7.24.1/install.php
lrwxrwxrwx 1 root root 39 May 1 16:25 js.php -> /data/all/005/o_contrib_seven/js/js.php
lrwxrwxrwx 1 tn users 37 Nov 30 2013 misc -> /data/all/000/core/drupal-7.24.1/misc/
lrwxrwxrwx 1 tn users 40 Nov 30 2013 modules -> /data/all/000/core/drupal-7.24.1/modules/
lrwxrwxrwx 1 tn users 49 Nov 30 2013 profiles -> /data/all/004/openatrium-7.x-2.09-7.24.1/profiles/
drwxr-x--x 5 tn users 4.0K Jan 12 2014 sites/
lrwxrwxrwx 1 tn users 39 Nov 30 2013 themes -> /data/all/000/core/drupal-7.24.1/themes/
lrwxrwxrwx 1 tn users 43 Nov 30 2013 update.php -> /data/all/000/core/drupal-7.24.1/update.php
lrwxrwxrwx 1 tn users 43 Nov 30 2013 web.config -> /data/all/000/core/drupal-7.24.1/web.config
We need to be using:
/data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.
I'll see if I can build a new openatrium platform with Aegir ..
comment:35 Changed 2 years ago by paul
This latest openatrium platform is automatically built by Aegir. I'll migrate the openatrium site to the new platform ..
comment:36 in reply to: ↑ 34 Changed 2 years ago by chris
Replying to paul:
Theres appears to be nothing documented about openatrium on the wiki / trac.
There are a couple of tickets:
There might be some others.
Perhaps Jim didn't get around to documenting it further than this?
comment:37 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 3.9 to 4.15
Thanks Chris. I'll take a look a these shortly.
@TN
Openatium is now updated.
I'll take a look at IIRs shortly.
I'll also see what platforms can be deleted from Aegir - platforms that are no longer being used as the site(s) that once ran on them have been migrated to a more recent version of the platform
comment:38 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 4.15 to 4.65
The IIRs site is built manually without an external platform file, and outside of version control. It's currently running drupal 7.26 and a collection of modules.
@ Annesley
I have put the site into maintenance mode for now as the site needs to be upgraded. Any thoughts on what to do next?
I have deleted platform / sites that are no longer needed - but have retained the previous version of the platform just in case we need to migrate back to the previous version of the site.
https://tn.puffin.webarch.net/hosting/sites
https://tn.puffin.webarch.net/hosting/platforms
Everything we can do now - to keep our sites/server secure - has been done.
comment:39 Changed 2 years ago by annesley
hi! iirs-test is nothing to do with me.
i am using an enabled IIRS Module on booker staging https://booker-stage-20140717.transitionnetwork.org/IIRS/registration/
which appears to have disappeared. but i am developing locally so can copy it back no problem.
comment:40 follow-up: ↓ 41 Changed 2 years ago by ed
- IIRS-test on D7 is Jim's old work and can be removed
- Open Atrium was set up as a trial intranet, got picked up by the international team before we'd trialled it, I'm not sure how much it's being used now, finding out is on my agenda
- news.transitionnetwork.org is a news feed aggregator which collects news feeds from TI sites and re-publishes teasers of them on that domain, and into the TI profile pages. It is one of the services that will be de-commissioned this autumn
comment:41 in reply to: ↑ 40 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 4.65 to 4.775
Replying to ed:
- IIRS-test on D7 is Jim's old work and can be removed
I'll remove now ..
- Open Atrium was set up as a trial intranet, got picked up by the international team before we'd trialled it, I'm not sure how much it's being used now, finding out is on my agenda
Maybe we could trial the software as a basecamp tool while bulding the IIRS?
- news.transitionnetwork.org is a news feed aggregator which collects news feeds from TI sites and re-publishes teasers of them on that domain, and into the TI profile pages. It is one of the services that will be de-commissioned this autumn
Thanks
comment:42 follow-ups: ↓ 43 ↓ 44 Changed 2 years ago by ed
- Good
- Interesting. The national hubs found it cumbersome and it looked like we'd need to do more work to really get it sorted. Staff are about to move to google apps lock stock and barrel I reckon (and now recommend). Tech: atm we're using the wiki pages and emails as agreed. I'm interested in using a use case based tool for TNv3, and not particularly ingterested in doing any dev work on OA.
- Good.
comment:43 in reply to: ↑ 42 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 4.775 to 4.9
Replying to ed:
- Good
The IIRS site and platform have now been deleted.
- Interesting. The national hubs found it cumbersome and it looked like we'd need to do more work to really get it sorted. Staff are about to move to google apps lock stock and barrel I reckon (and now recommend). Tech: atm we're using the wiki pages and emails as agreed. I'm interested in using a use case based tool for TNv3, and not particularly ingterested in doing any dev work on OA.
- Good.
comment:44 in reply to: ↑ 42 Changed 2 years ago by chris
Replying to ed:
Staff are about to move to google apps lock stock and barrel I reckon (and now recommend).
Choosing to becoming dependant on one of the planets biggest imperial corporations [1] for internal communications and documentation, when there are Free/libre alternatives which can be self hosted, is not the way to be resilient and autonomous.
[1] https://www.wikileaks.org/Op-ed-The-Banality-of-Don-t-Be.html
comment:45 Changed 2 years ago by annesley
@Chris: do you accept the cost-benefit-politics suggestion?
do you agree that we cannot be perfect politically? and that it's a matter of where we draw the line, not a binary decision?
so, to use an extreme to illustrate the point: if it cost £200,000 / year to avoid using Google and install Free/libre alternatives would you agree that we should use Google?
don't think that i am not with you. i am. i totally reject Capitalism, hierarchy, elites, consumption, etc. but i want you to join us in trying to calculate where to draw the line, instead of repeating this binary idea. Transition lives in Capitalism and it doesn't have endless money. decisions must be made. we cannot run our own copy of the Internet because the Cobolt used in the intermediate machines is mined in oppressive conditions for example.
i think the essential problem here is the fact is that IT software has massive economies of scale. so trying to implement things individually is always going to empty the pockets of the very organisations that are trying to defeat Capitalism.
how much does it cost to run these alternatives? and train people, and maintain them? give us an estimate for a year period.
comment:46 Changed 2 years ago by ed
@Annesley and @Chris - conversations about TN's decisions around intranet software are out of scope here.
Please do not pursue this conversation on this ticket or on TN time. Please feel free to enjoy it down the pub however :)
comment:47 Changed 2 years ago by paul
@TN
Sorry off topic ..
What libre alternatives were considered before choosing Google?
comment:48 Changed 2 years ago by ed
@Paul happy to discuss this with you in your time at another time when I'm not doing other stuff
comment:49 Changed 2 years ago by ed
- Status changed from new to closed
- Resolution set to fixed
Closing this ticket for now as before we got side tracked Paul said 'Everything we can do now - to keep our sites/server secure - has been done.'
@Annesley
Let me know if you need any help.