Ticket #774 (closed maintenance: fixed)

Opened 2 years ago

Last modified 2 years ago

* Advisory ID: DRUPAL-SA-CORE-2014-004

Reported by: paul Owned by: annesley
Priority: critical Milestone: Maintenance
Component: Drupal modules & settings Keywords:
Cc: chris, ed Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 4.9

Description

View online: https://www.drupal.org/SA-CORE-2014-004

  • Advisory ID: DRUPAL-SA-CORE-2014-004
  • Project: Drupal core [1]
  • Version: 6.x, 7.x
  • Date: 2014-August-06
  • Security risk: 13/25 ( Moderately Critical)

AC:None/A:None/CI:None/II:None/E:Proof/TD:100 [2]

  • Exploitable from: Remote
  • Vulnerability: Denial of service


Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available
(xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable
to an XML entity expansion attack and other related XML payload attacks which
can cause CPU and memory exhaustion and the site's database to reach the
maximum number of open connections. Any of these may lead to the site
becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or
not.

In addition, a similar vulnerability exists in the core OpenID module (for
sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress
(see the announcement [3]).



  • /A CVE identifier [4] will be requested, and added upon issuance, in

accordance
with Drupal Security Team processes./



  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.


Install the latest version:

  • If you use Drupal 7.x, upgrade to Drupal core 7.31 [5].
  • If you use Drupal 6.x, upgrade to Drupal core 6.33 [6].

If you are unable to install the latest version of Drupal immediately, you
can alternatively remove the xmlrpc.php file from the root of Drupal core (or
add a rule to .htaccess to prevent access to xmlrpc.php) and disable the
OpenID module. These steps are sufficient to mitigate the vulnerability in
Drupal core if your site does not require the use of XML-RPC or OpenID
functionality. However, this mitigation will not be effective if you are
using a contributed module that exposes Drupal's XML-RPC API at a different
URL (for example, the Services module); updating Drupal core is therefore
strongly recommended.

Also see the Drupal core [7] project page.



  • Willis Vandevanter [8]
  • Nir Goldshlager [9]


  • Andrew Nacin [10] of the WordPress Security Team
  • Michael Adams [11] of the WordPress Security Team
  • Frédéric Marand [12]
  • David Rothstein [13] of the Drupal Security Team
  • Damien Tournoud [14] of the Drupal Security Team
  • Greg Knaddison [15] of the Drupal Security Team
  • Stéphane Corlosquet [16] of the Drupal Security Team
  • Dave Reid [17] of the Drupal Security Team




The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing
secure code for Drupal [22], and securing your site [23].

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] https://wordpress.org/news/2014/08/wordpress-3-9-2/
[4] http://cve.mitre.org/
[5] http://drupal.org/drupal-7.31-release-notes
[6] http://drupal.org/drupal-6.33-release-notes
[7] http://drupal.org/project/drupal
[8] https://www.drupal.org/user/1867894
[9] https://www.drupal.org/user/2891345
[10] http://profiles.wordpress.org/nacin
[11] http://profiles.wordpress.org/mdawaffe
[12] https://www.drupal.org/user/27985
[13] https://www.drupal.org/user/124982
[14] https://www.drupal.org/user/22211
[15] https://www.drupal.org/u/greggles
[16] https://www.drupal.org/user/52142
[17] https://www.drupal.org/user/53892
[18] http://drupal.org/security-team
[19] http://wordpress.org
[20] http://drupal.org/contact
[21] http://drupal.org/security-team
[22] http://drupal.org/writing-secure-code
[23] http://drupal.org/security/secure-configuration

_
Security-news mailing list
Security-news@…
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

Change History

comment:1 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.0 to 0.125

@Annesley

Let me know if you need any help.

comment:2 Changed 2 years ago by chris

  • Cc chris added
  • Owner changed from ed to annesley
  • Priority changed from major to critical
  • Component changed from Unassigned to Drupal modules & settings
  • Milestone set to Maintenance

Annesley this looks like it really needs to be done today, or if you are going to postpone updating Drupal core then you need to add Nginx config to deny access to xmlrpc.php. If you need help with the Nginx config let me know. This also affects WordPress, I'm going to look at the sites on ParrotServer now.

Last edited 2 years ago by chris (previous) (diff)

comment:3 Changed 2 years ago by chris

Note that this issue affects all the Drupal sites on wiki:PuffinServer -- it appear to me that any development sites which are not password protected should also updated.

comment:4 Changed 2 years ago by annesley

does anyone know what is the likelihood of TN.org being the victim of a DDOS or DOS attack?

because DDOS and DOS are not automated, they are individual hackers using it to gain access to banks etc. we are not a target. is this correct? so i put it at 0.00000000001% chance of it happening over the next 5 years.

how long would it take us (downtime) to solve it in the case of a DOS? 5 hours?
do our IP chains / firewall protect against this? (i think not in this case anyway)

if it did we could ignore all further DOS Drupal holes. worth installing IP chains burst protection? (excuse my lack of precise knowledge here but you get what i am saying)

we seem to have OpenID Module there, but not installed.
we are using Services_Links but not Services.

@chris: do we have a dedicated server or virtual? is there risk to the other sites that you host or from?

i am not against deleting the XMLRPC.php file however. i think we are not providing any XML based services anyway...? have i understood it's role correctly?

comment:5 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.125 to 0.25

@Annesley

We're not using Services or Open ID contrib modules.
On the stage servers I think we can just remove the xmlrpc.php files.

comment:6 Changed 2 years ago by annesley

hmm... mind you, this sort of attack could certainly be very easily automated. even if it hasn't been. a script kiddy could achieve this XML entity expansion attack because it is so simply to do. it doesn't require multi-threaded requests or normal DOS procedures, it's just a recursive entity definition in the DTD of the XML RPC request.

we should delete XMLRPC.php today then. we have no need to expose Remote Procedure Calls anyway AFAIK. and no intention to do this.

comment:7 Changed 2 years ago by annesley

@chris: could you handle the deletion of this file? is that within your role?

thanks :)

comment:8 Changed 2 years ago by annesley

@Paul: we do have OpenID Module on the server though...
it's showing as "not installed" from drush

comment:9 follow-up: ↓ 12 Changed 2 years ago by annesley

ok, it seems that removing XMLRPC.php removes the OpenID core module vulnerability as well. according to my understanding...

comment:10 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.25 to 0.375

The security team advice that the module just needs to be disabled on the server:

If you are unable to install the latest version of Drupal immediately, you
can alternatively remove the xmlrpc.php file from the root of Drupal core (or
add a rule to .htaccess to prevent access to xmlrpc.php) and disable the
OpenID module.

comment:11 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.375 to 0.625

The security advisory says:

The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

Since this also applies to WordPress it is bound to result in a lot of attention being devoted to any possible automated exploits so it would be sensible to take steps to mitigate the risk. I don't know what the exact potential is for "XML payload attacks" but it is worth noting that we were at the limit of max MySQL connections with the default BOA config until it was increased 6 weeks ago, see ticket:587#comment:17, currently we have 39 with a max of 50:

There are 54 copies of xmlrpc.php on the server. We can't use .htaccess files because we are not using Apache.

It is a virtual server, see: wiki:PuffinServer#Puffin

comment:12 in reply to: ↑ 9 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.625 to 0.75

Replying to annesley:

ok, it seems that removing XMLRPC.php removes the OpenID core module vulnerability as well. according to my understanding...

There are two similar vulnerabilities that exists in XML-RPC and the core OpenID module. They probably have some shared code between them.

comment:13 follow-up: ↓ 14 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.75 to 0.875

@Annesley @Chris

I think we can just delete all of these xmlrpc.php files?

comment:14 in reply to: ↑ 13 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.05
  • Total Hours changed from 0.875 to 0.925

Replying to paul:

I think we can just delete all of these xmlrpc.php files?

I can do that if you think it is safe to do so, note that some xmlrpc.php files will get recreated by things like the next BOA update, ticket:775

comment:15 Changed 2 years ago by chris

  • Cc ed added

Added Ed as a Cc.

comment:16 follow-up: ↓ 17 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.925 to 1.05

Good. Thanks Chris.

@Annesley

Maybe delete the xmlrpc.php file now and then follow up with building a new platform for production?

comment:17 in reply to: ↑ 16 Changed 2 years ago by paul

Replying to paul:

Good. Thanks Chris.

@Annesley

Maybe delete the xmlrpc.php files now (with help from Chris) and then follow up with building a new platform for production?

Last edited 2 years ago by paul (previous) (diff)

comment:18 Changed 2 years ago by annesley

let me run a few checks before we delete it.

i will delete it on staging first and have a browse of course. but also check for references in the codebase.

comment:19 Changed 2 years ago by annesley

grep -rsi xmlrpc.php *
includes/common.inc: * http://www.example.com/xmlrpc.php
modules/blogapi/blogapi.module: $xmlrpc = $base_url .'/xmlrpc.php';
sites/all/modules/contrib/robotstxt/robots.txt:Disallow: /xmlrpc.php

blog api is "not installed"

so i'll go ahead and delete it from staging now.

comment:20 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 1.05 to 1.175

Building a new platform with latest version of core and then migrating the live site over will fix the problem for the live site and will probably not take more than 15 minutes. So we can have this problem resolved for stage / production within the half hour I would say?

comment:21 Changed 2 years ago by annesley

@paul: ok

staging seems fine without it's xmlrpc.php of course. there are no links to it except from blogapi.

comment:22 Changed 2 years ago by paul

Cool. Many drupal sites just delete the xmlrpc.php from the server if it's not being used.

comment:23 follow-up: ↓ 24 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 1.175 to 1.425

@Chris

I think these are the version of xmlrpc.php that are not automatically generated by Aegir:

puffin:~# find / -name xmlrpc.php
/data/disk/tn/static/transition-network-d6-s011/xmlrpc.php
/data/disk/tn/static/transition-network-d6-p010-booker/xmlrpc.php
/data/disk/tn/static/transition-network-d6-s009/xmlrpc.php
/data/disk/tn/static/transition-network-d6-s008/xmlrpc.php
/data/disk/tn/static/transition-network-d6-s012/xmlrpc.php
/data/disk/tn/static/transition-network-d6-p009/xmlrpc.php
/data/disk/tn/static/transition-network-d6-32-p001-booker/xmlrpc.php

/data/disk/tn/static/iirs-d006/xmlrpc.php
/data/disk/tn/static/iirs-d007/xmlrpc.php
/data/disk/tn/distro/007/drupal-7.30.1-prod/xmlrpc.php
/data/disk/tn/distro/007/openatrium-7.x-2.19-7.30.1/xmlrpc.php
/data/disk/tn/distro/006/drupal-7.28.1-prod/xmlrpc.php
/data/disk/tn/distro/006/openatrium-7.x-2.19-7.28.1/xmlrpc.php
/data/disk/tn/distro/005/drupal-7.27.1-prod/xmlrpc.php
/data/disk/tn/distro/005/openatrium-7.x-2.17-7.27.1/xmlrpc.php
/data/disk/tn/distro/004/openatrium-7.x-2.09-7.24.1/xmlrpc.php
/data/disk/tn/distro/004/drupal-7.24.1-prod/xmlrpc.php
...

Do you have any thoughts on dealing with the second block? I'll deal with the first block now ..

comment:24 in reply to: ↑ 23 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 1.425 to 1.525

Replying to paul:

/data/disk/tn/static/iirs-d006/xmlrpc.php
/data/disk/tn/static/iirs-d007/xmlrpc.php
/data/disk/tn/distro/007/drupal-7.30.1-prod/xmlrpc.php
/data/disk/tn/distro/007/openatrium-7.x-2.19-7.30.1/xmlrpc.php
/data/disk/tn/distro/006/drupal-7.28.1-prod/xmlrpc.php
/data/disk/tn/distro/006/openatrium-7.x-2.19-7.28.1/xmlrpc.php
/data/disk/tn/distro/005/drupal-7.27.1-prod/xmlrpc.php
/data/disk/tn/distro/005/openatrium-7.x-2.17-7.27.1/xmlrpc.php
/data/disk/tn/distro/004/openatrium-7.x-2.09-7.24.1/xmlrpc.php
/data/disk/tn/distro/004/drupal-7.24.1-prod/xmlrpc.php
...

Do you have any thoughts on dealing with the second block?

I think the simplest and quickest thing would be to delete them. I don't know if they are available to the public and the Nginx config is really hard to follow so it would take a while to work out which, if any, are and then to add rules to deny access to the files and then any changes would probably be clobbered at some point...

comment:25 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 1.525 to 2.275

@Chris

Agreed. I'll do that shortly.

@TN

What I have done so far:

Deleted my earlier stage sites.
Built a new stage platform.
Migrated the latest version of the stage site over to the new platform.
Turned on the database log & checked the site is working.

The new production platform is now scheduled to be built. As soon as the platform is built I'll migrate the live site over to the new production platform...

comment:26 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 2.275 to 2.525

The live site is now migrated to the new production platform & seems to be working fine.

The only xmlrpc.php files that have not been updated or deleted are the aegir versions of the files.

puffin:~# find / -name xmlrpc.php
/data/disk/tn/static/transition-network-d6-33-p001-booker/xmlrpc.php
/data/disk/tn/static/transition-network-d6-33-s001-booker/xmlrpc.php
/data/disk/tn/aegir/distro/009/xmlrpc.php
/data/disk/tn/aegir/distro/011/xmlrpc.php
/data/disk/tn/aegir/distro/010/xmlrpc.php
/data/disk/tn/aegir/distro/008/xmlrpc.php
/data/disk/tn/platforms/transitionnetwork.org/xmlrpc.php
/data/all/000/core/pressflow-6.29.1/xmlrpc.php
/data/all/000/core/drupal-7.23.3/xmlrpc.php
/data/all/000/core/drupal-7.27.1/xmlrpc.php
/data/all/000/core/drupal-7.30.1/xmlrpc.php
/data/all/000/core/pressflow-6.32.2/xmlrpc.php
/data/all/000/core/drupal-7.28.1/xmlrpc.php
/data/all/000/core/drupal-7.24.1/xmlrpc.php
/data/all/000/core/pressflow-6.31.1/xmlrpc.php
/data/all/000/core/pressflow-6.31.2/xmlrpc.php
/data/all/000/core/pressflow-6.28.3/xmlrpc.php
/var/aegir/hostmaster-BOA-2.0.4/xmlrpc.php
/var/aegir/host_master/009/xmlrpc.php
/var/aegir/host_master/001/xmlrpc.php
/var/aegir/host_master/007/xmlrpc.php
/var/aegir/host_master/002/xmlrpc.php
/var/aegir/host_master/003/xmlrpc.php
/var/aegir/host_master/011/xmlrpc.php
/var/aegir/host_master/010/xmlrpc.php
/var/aegir/host_master/013/xmlrpc.php
/var/aegir/host_master/012/xmlrpc.php
/var/aegir/host_master/006/xmlrpc.php
/var/aegir/host_master/005/xmlrpc.php
/var/aegir/host_master/004/xmlrpc.php
/var/aegir/host_master/008/xmlrpc.php
/var/aegir/host_master/014/xmlrpc.php
/var/aegir/host_master/015/xmlrpc.php
/var/backups/trash/drupal-7.22.1/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-dev/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-stage/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-prod/xmlrpc.php
/var/backups/codebases-cleanup/002/drupal-7.22.1-prod/xmlrpc.php
puffin:~#

comment:27 Changed 2 years ago by chris

I think there might now be a few more due to the BOA update:

updatedb
locate xmlrpc.php
/data/all/000/core/drupal-7.23.3/xmlrpc.php
/data/all/000/core/drupal-7.24.1/xmlrpc.php
/data/all/000/core/drupal-7.27.1/xmlrpc.php
/data/all/000/core/drupal-7.28.1/xmlrpc.php
/data/all/000/core/drupal-7.30.1/xmlrpc.php
/data/all/000/core/drupal-7.31.1/xmlrpc.php
/data/all/000/core/pressflow-6.28.3/xmlrpc.php
/data/all/000/core/pressflow-6.29.1/xmlrpc.php
/data/all/000/core/pressflow-6.31.1/xmlrpc.php
/data/all/000/core/pressflow-6.31.2/xmlrpc.php
/data/all/000/core/pressflow-6.32.2/xmlrpc.php
/data/all/000/core/pressflow-6.33.1/xmlrpc.php
/data/disk/tn/aegir/distro/008/xmlrpc.php
/data/disk/tn/aegir/distro/009/xmlrpc.php
/data/disk/tn/aegir/distro/010/xmlrpc.php
/data/disk/tn/aegir/distro/011/xmlrpc.php
/data/disk/tn/aegir/distro/012/xmlrpc.php
/data/disk/tn/distro/008/drupal-7.31.1-prod/xmlrpc.php
/data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1/xmlrpc.php
/data/disk/tn/platforms/transitionnetwork.org/xmlrpc.php
/data/disk/tn/static/transition-network-d6-33-p001-booker/xmlrpc.php
/data/disk/tn/static/transition-network-d6-33-s001-booker/xmlrpc.php
/var/aegir/host_master/001/xmlrpc.php
/var/aegir/host_master/002/xmlrpc.php
/var/aegir/host_master/003/xmlrpc.php
/var/aegir/host_master/004/xmlrpc.php
/var/aegir/host_master/005/xmlrpc.php
/var/aegir/host_master/006/xmlrpc.php
/var/aegir/host_master/007/xmlrpc.php
/var/aegir/host_master/008/xmlrpc.php
/var/aegir/host_master/009/xmlrpc.php
/var/aegir/host_master/010/xmlrpc.php
/var/aegir/host_master/011/xmlrpc.php
/var/aegir/host_master/012/xmlrpc.php
/var/aegir/host_master/013/xmlrpc.php
/var/aegir/host_master/014/xmlrpc.php
/var/aegir/host_master/015/xmlrpc.php
/var/aegir/host_master/016/xmlrpc.php
/var/aegir/hostmaster-BOA-2.0.4/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-dev/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-prod/xmlrpc.php
/var/backups/codebases-cleanup/001/pressflow-6.26.2-stage/xmlrpc.php
/var/backups/codebases-cleanup/002/drupal-7.22.1-prod/xmlrpc.php
/var/backups/trash/drupal-7.22.1/xmlrpc.php

I don't know if any of these are available to the public?

comment:28 Changed 2 years ago by paul

Thanks Chris. I'll investigate ..

comment:29 follow-up: ↓ 30 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 2.525 to 3.025

All the sites that are listed on Aegir have had their xmlrpc.php either removed or updated.

However, I had a look over all of the sites and noticed that we have three sites with public domains that are not being updated:

iirs-test.transitionnetwork.org Drupal 7.26
space.transitionnetwork.org Open Atrium 2.0.9 7.24.1 P.004 Drupal 7.24
news.transitionnetwork.org Drupal 6.29

Any thoughts on what should be done with these? Can any of these be deleted? The latest versions of Drupal are 6.33 & 7.31

I deleted the xmlrpc.php from this ghost platform:
/data/disk/tn/platforms/transitionnetwork.org/xmlrpc.php

I think all of the aegir files are just sitting on the server.

Last edited 2 years ago by paul (previous) (diff)

comment:30 in reply to: ↑ 29 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.025 to 3.275

Replying to paul:

we have three sites with public domains that are not being updated:

iirs-test.transitionnetwork.org Drupal 7.26
space.transitionnetwork.org Open Atrium 2.0.9 7.24.1 P.004 Drupal 7.24
news.transitionnetwork.org Drupal 6.29

Well spotted!

comment:31 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 3.275 to 3.4

For http://news.transitionnetwork.org/ I just need to migrate it to the new production platform. I'll do that now ..

comment:32 Changed 2 years ago by paul

I'll migrate to stage first ..

comment:33 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.4 to 3.65

http://news.transitionnetwork.org/ is now updated to the latest production platform & we now have a clone of this site on a stage platfrom. Looking now into https://space.transitionnetwork.org/ ..

comment:34 follow-up: ↓ 36 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.65 to 3.9

Theres appears to be nothing documented about openatrium on the wiki / trac.

The current version of the open atrium site is here:

puffin:/data/disk/tn/distro/004/openatrium-7.x-2.09-7.24.1# ls -la
total 592K
drwxr-xr-x 4 tn users 4.0K Aug 7 19:09 ./
drwx--x--x 5 tn users 4.0K Nov 30 2013 ../
lrwxrwxrwx 1 tn users 46 Nov 30 2013 authorize.php -> /data/all/000/core/drupal-7.24.1/authorize.php
drwxrwsr-x 2 tn.ftp www-data 4.0K Jan 13 2014 cache/
lrwxrwxrwx 1 tn users 41 Nov 30 2013 cron.php -> /data/all/000/core/drupal-7.24.1/cron.php
lrwxrwxrwx 1 tn users 48 Nov 30 2013 crossdomain.xml -> /data/all/000/core/drupal-7.24.1/crossdomain.xml
-r--r--r-- 1 tn users 573K Aug 7 23:13 drushrc.php
lrwxrwxrwx 1 tn users 42 Nov 30 2013 .htaccess -> /data/all/000/core/drupal-7.24.1/.htaccess
lrwxrwxrwx 1 tn users 41 Nov 30 2013 includes -> /data/all/000/core/drupal-7.24.1/includes/
lrwxrwxrwx 1 tn users 42 Nov 30 2013 index.php -> /data/all/000/core/drupal-7.24.1/index.php
lrwxrwxrwx 1 tn users 44 Nov 30 2013 install.php -> /data/all/000/core/drupal-7.24.1/install.php
lrwxrwxrwx 1 root root 39 May 1 16:25 js.php -> /data/all/005/o_contrib_seven/js/js.php
lrwxrwxrwx 1 tn users 37 Nov 30 2013 misc -> /data/all/000/core/drupal-7.24.1/misc/
lrwxrwxrwx 1 tn users 40 Nov 30 2013 modules -> /data/all/000/core/drupal-7.24.1/modules/
lrwxrwxrwx 1 tn users 49 Nov 30 2013 profiles -> /data/all/004/openatrium-7.x-2.09-7.24.1/profiles/
drwxr-x--x 5 tn users 4.0K Jan 12 2014 sites/
lrwxrwxrwx 1 tn users 39 Nov 30 2013 themes -> /data/all/000/core/drupal-7.24.1/themes/
lrwxrwxrwx 1 tn users 43 Nov 30 2013 update.php -> /data/all/000/core/drupal-7.24.1/update.php
lrwxrwxrwx 1 tn users 43 Nov 30 2013 web.config -> /data/all/000/core/drupal-7.24.1/web.config

We need to be using:

/data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.

I'll see if I can build a new openatrium platform with Aegir ..

comment:35 Changed 2 years ago by paul

This latest openatrium platform is automatically built by Aegir. I'll migrate the openatrium site to the new platform ..

comment:36 in reply to: ↑ 34 Changed 2 years ago by chris

Replying to paul:

Theres appears to be nothing documented about openatrium on the wiki / trac.

There are a couple of tickets:

There might be some others.

Perhaps Jim didn't get around to documenting it further than this?

comment:37 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.9 to 4.15

Thanks Chris. I'll take a look a these shortly.

@TN

Openatium is now updated.

I'll take a look at IIRs shortly.

I'll also see what platforms can be deleted from Aegir - platforms that are no longer being used as the site(s) that once ran on them have been migrated to a more recent version of the platform

comment:38 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 4.15 to 4.65

The IIRs site is built manually without an external platform file, and outside of version control. It's currently running drupal 7.26 and a collection of modules.

@ Annesley

I have put the site into maintenance mode for now as the site needs to be upgraded. Any thoughts on what to do next?

I have deleted platform / sites that are no longer needed - but have retained the previous version of the platform just in case we need to migrate back to the previous version of the site.

https://tn.puffin.webarch.net/hosting/sites
https://tn.puffin.webarch.net/hosting/platforms

Everything we can do now - to keep our sites/server secure - has been done.

Last edited 2 years ago by paul (previous) (diff)

comment:39 Changed 2 years ago by annesley

hi! iirs-test is nothing to do with me.

i am using an enabled IIRS Module on booker staging https://booker-stage-20140717.transitionnetwork.org/IIRS/registration/
which appears to have disappeared. but i am developing locally so can copy it back no problem.

comment:40 follow-up: ↓ 41 Changed 2 years ago by ed

  1. IIRS-test on D7 is Jim's old work and can be removed
  2. Open Atrium was set up as a trial intranet, got picked up by the international team before we'd trialled it, I'm not sure how much it's being used now, finding out is on my agenda
  3. news.transitionnetwork.org is a news feed aggregator which collects news feeds from TI sites and re-publishes teasers of them on that domain, and into the TI profile pages. It is one of the services that will be de-commissioned this autumn

comment:41 in reply to: ↑ 40 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 4.65 to 4.775

Replying to ed:

  1. IIRS-test on D7 is Jim's old work and can be removed

I'll remove now ..

  1. Open Atrium was set up as a trial intranet, got picked up by the international team before we'd trialled it, I'm not sure how much it's being used now, finding out is on my agenda

Maybe we could trial the software as a basecamp tool while bulding the IIRS?

  1. news.transitionnetwork.org is a news feed aggregator which collects news feeds from TI sites and re-publishes teasers of them on that domain, and into the TI profile pages. It is one of the services that will be de-commissioned this autumn

Thanks

comment:42 follow-ups: ↓ 43 ↓ 44 Changed 2 years ago by ed

  1. Good
  2. Interesting. The national hubs found it cumbersome and it looked like we'd need to do more work to really get it sorted. Staff are about to move to google apps lock stock and barrel I reckon (and now recommend). Tech: atm we're using the wiki pages and emails as agreed. I'm interested in using a use case based tool for TNv3, and not particularly ingterested in doing any dev work on OA.
  3. Good.

comment:43 in reply to: ↑ 42 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 4.775 to 4.9

Replying to ed:

  1. Good

The IIRS site and platform have now been deleted.

  1. Interesting. The national hubs found it cumbersome and it looked like we'd need to do more work to really get it sorted. Staff are about to move to google apps lock stock and barrel I reckon (and now recommend). Tech: atm we're using the wiki pages and emails as agreed. I'm interested in using a use case based tool for TNv3, and not particularly ingterested in doing any dev work on OA.
  2. Good.

comment:44 in reply to: ↑ 42 Changed 2 years ago by chris

Replying to ed:

Staff are about to move to google apps lock stock and barrel I reckon (and now recommend).

Choosing to becoming dependant on one of the planets biggest imperial corporations [1] for internal communications and documentation, when there are Free/libre alternatives which can be self hosted, is not the way to be resilient and autonomous.

[1] https://www.wikileaks.org/Op-ed-The-Banality-of-Don-t-Be.html

comment:45 Changed 2 years ago by annesley

@Chris: do you accept the cost-benefit-politics suggestion?
do you agree that we cannot be perfect politically? and that it's a matter of where we draw the line, not a binary decision?

so, to use an extreme to illustrate the point: if it cost £200,000 / year to avoid using Google and install Free/libre alternatives would you agree that we should use Google?

don't think that i am not with you. i am. i totally reject Capitalism, hierarchy, elites, consumption, etc. but i want you to join us in trying to calculate where to draw the line, instead of repeating this binary idea. Transition lives in Capitalism and it doesn't have endless money. decisions must be made. we cannot run our own copy of the Internet because the Cobolt used in the intermediate machines is mined in oppressive conditions for example.

i think the essential problem here is the fact is that IT software has massive economies of scale. so trying to implement things individually is always going to empty the pockets of the very organisations that are trying to defeat Capitalism.

how much does it cost to run these alternatives? and train people, and maintain them? give us an estimate for a year period.

comment:46 Changed 2 years ago by ed

@Annesley and @Chris - conversations about TN's decisions around intranet software are out of scope here.

Please do not pursue this conversation on this ticket or on TN time. Please feel free to enjoy it down the pub however :)

comment:47 Changed 2 years ago by paul

@TN

Sorry off topic ..

What libre alternatives were considered before choosing Google?

comment:48 Changed 2 years ago by ed

@Paul happy to discuss this with you in your time at another time when I'm not doing other stuff

comment:49 Changed 2 years ago by ed

  • Status changed from new to closed
  • Resolution set to fixed

Closing this ticket for now as before we got side tracked Paul said 'Everything we can do now - to keep our sites/server secure - has been done.'

/trac/ticket/774#comment:38

Note: See TracTickets for help on using tickets.