Ticket #809 (new maintenance)

Opened 2 years ago

Last modified 2 years ago

[Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Reported by: paul
Owned by: paul
Priority: major
Milestone: Maintenance
Component: Drupal modules & settings
Keywords:
Cc: ed, ben, sam, annesley
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 6.925

Description (last modified by paul)

View online: https://www.drupal.org/SA-CORE-2014-006

  • Advisory ID: DRUPAL-SA-CORE-2014-006
  • Project: Drupal core [1]
  • Version: 6.x, 7.x
  • Date: 2014-November-19
  • Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
  • Vulnerability: Multiple vulnerabilities


.... Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session,
allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve
both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are
other attack vectors for both Drupal 6 and Drupal 7.

.... Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied
passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted
requests resulting in CPU and memory exhaustion. This may lead to the site
becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.
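The advisory does not say what the crafted requests contain. The Python model below is added here and is not the advisory's or Drupal's own password.inc code; it assumes the documented class of problem, an iterated hash that re-feeds the password on every round (so verification work grows with the length of the submitted password) and a login path that hashes whatever length it receives. It shows that cost, and the defensive length check (an assumed cap of 512 bytes) that a hardened verify applies before doing any hashing work.

```python
import hashlib
import hmac
import os

# Constructed model of a phpass-style iterated hash. It is NOT Drupal's
# password.inc; it only reproduces the shape that matters here: every round
# hashes (previous digest || password), so the bytes pushed through SHA-512
# per verification grow with the password length as well as the round count.
ROUNDS = 2 ** 10          # kept small so the example runs quickly
SALT_LEN = 16
DIGEST_LEN = 64           # SHA-512 output size in bytes

# Assumed defensive limit on submitted password length; the advisory gives
# no figure, 512 bytes is a value chosen for this example.
MAX_PASSWORD_BYTES = 512


def iterated_hash(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Iterated SHA-512 in which each round re-feeds the full password."""
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(rounds):
        digest = hashlib.sha512(digest + password).digest()
    return digest


def hash_work_bytes(password_len: int, rounds: int = ROUNDS) -> int:
    """Bytes fed to SHA-512 for one verification of a password of this length.

    The rounds * password_len term is the part an oversized input inflates.
    """
    return (SALT_LEN + password_len) + rounds * (DIGEST_LEN + password_len)


def hash_password(password: bytes) -> tuple:
    """Create (salt, digest) for storage, with a fresh random salt."""
    salt = os.urandom(SALT_LEN)
    return salt, iterated_hash(password, salt)


def check_password_unbounded(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Vulnerable pattern: runs the full iterated hash for any input length,
    so the cost of a login attempt is set by whoever submits it."""
    return hmac.compare_digest(iterated_hash(password, salt), stored)


def check_password_bounded(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Hardened pattern: refuse oversized input before any hashing work.

    Failing the login (returning False) is the safe default; no genuine
    password needs to be anywhere near the cap.
    """
    if len(password) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(iterated_hash(password, salt), stored)


def verification_work(password_len: int, bounded: bool) -> int:
    """Hashing work one login attempt costs the server under each policy."""
    if bounded and password_len > MAX_PASSWORD_BYTES:
        return 0              # rejected before hashing
    return hash_work_bytes(password_len)


if __name__ == "__main__":
    salt, stored = hash_password(b"correct horse battery")
    print("normal login ok:", check_password_bounded(b"correct horse battery", salt, stored))
    for n in (8, 4096, 1_000_000):
        print(f"{n:>9} byte password: unbounded work {verification_work(n, False):>13,} bytes,"
              f" bounded work {verification_work(n, True):,} bytes")
```

The same bound belongs in any custom password.inc the advisory asks site owners to review: the check must run before the first hash round, not after.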



CVE identifier(s) issued:

  • /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./



Versions affected:

  • Drupal core 6.x versions prior to 6.34.
  • Drupal core 7.x versions prior to 7.34.


Solution:

Install the latest version:

  • If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
  • If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]

If you have configured a custom password.inc file for your Drupal 7 site you
also need to make sure that it is not prone to the same denial of service
vulnerability. See also the similar security advisory for the Drupal 6
contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]

Also see the Drupal core [8] project page.



Reported by:

Session hijacking:

  • Aaron Averill [9]

Denial of service:

  • Michael Cullum [10]
  • Javier Nieto [11]
  • Andrés Rojas Guerrero [12]


Fixed by:

Session hijacking:

  • Klaus Purer [13] of the Drupal Security Team
  • David Rothstein [14] of the Drupal Security Team
  • Peter Wolanin [15] of the Drupal Security Team

Denial of service:

  • Klaus Purer [16] of the Drupal Security Team
  • Peter Wolanin [17] of the Drupal Security Team
  • Heine Deelstra [18] of the Drupal Security Team
  • Tom Phethean [19]


Coordinated by:

  • The Drupal Security Team


Contact and more information:

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing
secure code for Drupal [22], and securing your site [23].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [24]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/https-information
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-6.34-release-notes
[6] https://www.drupal.org/drupal-7.34-release-notes
[7] https://www.drupal.org/node/2378367
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/user/1317732
[10] https://www.drupal.org/u/MichaelCu
[11] https://www.drupal.org/u/jnietotn
[12] https://www.drupal.org/u/c0r3dump3d
[13] https://www.drupal.org/u/klausi
[14] https://www.drupal.org/u/David_Rothstein
[15] https://www.drupal.org/u/pwolanin
[16] https://www.drupal.org/u/klausi
[17] https://www.drupal.org/u/pwolanin
[18] https://www.drupal.org/u/Heine
[19] https://www.drupal.org/u/tsphethean
[20] https://www.drupal.org/contact
[21] https://www.drupal.org/security-team
[22] https://www.drupal.org/writing-secure-code
[23] https://www.drupal.org/security/secure-configuration
[24] https://twitter.com/drupalsecurity

Attachments

Screen Shot 2014-11-21 at 09.47.26.png (128.3 KB) - added by paul 2 years ago.
Screen Shot 2014-11-24 at 10.29.46.png (172.1 KB) - added by paul 2 years ago.
Screen Shot 2014-12-04 at 15.21.25.png (56.9 KB) - added by paul 2 years ago.

Change History

comment:1 Changed 2 years ago by paul

  • Description modified
  • Summary changed from [Security-news] SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS) to [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

comment:2 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 1.25
  • Total Hours changed from 0.0 to 1.25

Experiencing problems with Aegir. Specifically I can't create a new platform (directory not created) or clone a site on an existing platform. Can anyone reproduce these problems? I'll try again later today.

Latest Makefile:
https://raw.githubusercontent.com/paulbooker/transitionnetwork.org-d6.profile/master/transitionnetwork.org-d6.make

comment:3 Changed 2 years ago by chris

  • Cc ed, ben, sam, annesley added

Paul, this ticket wasn't CC'd to anyone so nobody else will have seen it unless they do something like visit the timeline and see it there.

I have added some CCs, from the list of usernames at wiki:WikiStart#Tracusernames

I'm sorry I don't know why Aegir isn't working.

Last edited 2 years ago by chris

comment:4 Changed 2 years ago by paul

Source directory was not created. Investigating ..

comment:5 Changed 2 years ago by paul

@Chris Maybe try rebooting Aegir?

comment:6 follow-up: ↓ 7 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 1.25 to 1.4

I'll pick this up again later today.

It's not clear to me at the moment how to reboot Aegir or if that's a good idea.

If we can't get Aegir working again, I'll carry out the core update manually.

Last edited 2 years ago by paul

comment:7 in reply to: ↑ 6 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 1.4 to 1.65

Replying to paul:

It's not clear to me at the moment how to reboot Aegir or if that's a good idea.

I'm not sure what you mean by "reboot Aegir"?

I have restarted php-fpm and nginx and could also restart mysql (though I really see what that would change and it takes longer than the other two restarts).

Last edited 2 years ago by chris

comment:8 Changed 2 years ago by paul

You made a good guess. Thanks Chris.

comment:9 follow-up: ↓ 10 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 1.65 to 1.775

Chris,

Darn. Still not working. Is this problem something you can troubleshoot?

When we apply updates to Aegir: does Aegir run any tests to see if it can build platforms, ..

Let me know if you can't fix. I'll then need to get clearance from Ed to carry out the update manually?

Last edited 2 years ago by paul

comment:10 in reply to: ↑ 9 Changed 2 years ago by chris

Replying to paul:

Darn. Still not working. Is this problem something you can troubleshoot?

I can look at it next week but I'm afraid I don't have a lot of spare time today or at the weekend.

comment:11 Changed 2 years ago by paul

I'll try a manual update on my stage site ..

comment:12 follow-up: ↓ 13 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 1.775 to 2.025

I have decided that since the security update looks to only affect Drupal 6 sites serving content over both HTTP/HTTPS, and that the file system is different to a normal Drupal installation, and that it's Friday, it's probably best to leave this until next week.

https://www.drupal.org/SA-CORE-2014-006

comment:13 in reply to: ↑ 12 Changed 2 years ago by chris

Replying to paul:

the security update looks to only affect Drupal 6 sites serving content over both HTTP/HTTPS

This is something we do:

comment:14 follow-up: ↓ 15 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 2.025 to 2.15

Sorry, I thought we did.

Could we place the whole site under HTTPS? Would you clarify the reasons for using both?

comment:15 in reply to: ↑ 14 ; follow-up: ↓ 16 Changed 2 years ago by chris

Replying to paul:

Could we place the whole site under HTTPS?

Yes in theory and FWIW I think the time has come when all sites should be HTTPS only with HTTP redirecting to HTTPS.

Would you clarify the reasons for using both?

There were lots of discussions about this, Ed might remember better than me, Jim wanted everything to be HTTP only.

comment:16 in reply to: ↑ 15 Changed 2 years ago by paul

Replying to chris:

Replying to paul:

Could we place the whole site under HTTPS?

Yes in theory and FWIW I think the time has come when all sites should be HTTPS only with HTTP redirecting to HTTPS.

Agreed.

Would you clarify the reasons for using both?

There were lots of discussions about this, Ed might remember better than me, Jim wanted everything to be HTTP only.

comment:17 follow-up: ↓ 19 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 2.15 to 2.275

Still a problem with the platform.

If Aegir is not working perfectly, then it's of no help to us. I think we should ask Chris to propose something better. We could then have a considered exchange of ideas over email. WYT?

comment:18 Changed 2 years ago by paul

We could also put the whole site under HTTPS during the migration.

comment:19 in reply to: ↑ 17 ; follow-up: ↓ 20 Changed 2 years ago by chris

Replying to paul:

If Aegir is not working perfectly, then it's of no help to us. I think we should ask Chris to propose something better. We could then have a considered exchange of ideas over email. WYT?

I don't think we can make decisions of this nature on this ticket, and I doubt Ed would want to make any decisions regarding hosting -- I think this would have to be an item for his replacement to consider. The last non-BOA server, wiki:NewLiveServer took a while to set up and get working well (incidentally it had 3GB of RAM whereas the current server has 8GB and a key reason to move to BOA was to reduce the system resources needed...), this is something that would take several days to set up and therefore has a significant cost implication. I think we should probably stick with BOA for the existing Drupal 6 site and if long term support for D6 happens I suspect that the TN site might well stay running on D6 for years...

I'll try to fix BOA later today.

Last edited 2 years ago by chris

comment:20 in reply to: ↑ 19 Changed 2 years ago by paul

Replying to chris:

I'll try to fix BOA later today.

Thanks Chris.

comment:21 Changed 2 years ago by chris

I'm looking at this now...

comment:22 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.65
  • Total Hours changed from 2.275 to 2.925

Perhaps our issue is related to Critical: PHP build is broken with latest MariaDB 5.5.40 as we are running 5.5.40-MariaDB, however we have an older version of PHP. I can't see any other recent tickets that might apply to our situation.

Running the updater:

sudo -i
screen
cd
wget -q -U iCab http://files.aegir.cc/BOA.sh.txt
bash BOA.sh.txt
barracuda up-stable ; octopus up-stable all both

....

Barracuda [Mon Nov 24 18:29:39 GMT 2014] ==> INFO: Checking your system version...
 
Barracuda [Mon Nov 24 18:29:39 GMT 2014] ==> Aegir on Debian/wheezy - Skynet Agent v.BOA-2.3.6
 
Barracuda [Mon Nov 24 18:29:40 GMT 2014] ==> INFO: Updating packages sources list...
Barracuda [Mon Nov 24 18:29:40 GMT 2014] ==> INFO: We will use Debian mirror ftp.debian.org
Barracuda [Mon Nov 24 18:29:51 GMT 2014] ==> INFO: Downloading little helpers...
Barracuda [Mon Nov 24 18:29:54 GMT 2014] ==> INFO: Checking BARRACUDA version...
Barracuda [Mon Nov 24 18:29:54 GMT 2014] ==> INFO: BARRACUDA version test: OK
 
Barracuda [Mon Nov 24 18:29:54 GMT 2014] ==> UPGRADE START -> checkpoint: 

  * Your e-mail address appears to be chris@webarchitects.co.uk - is that correct?
  * Your server hostname is puffin.webarch.net.
  * Your Aegir control panel is/will be available at https://master.puffin.webarch.net.

 
Do you want to proceed with the upgrade? [Y/n] y
Barracuda [Mon Nov 24 18:29:57 GMT 2014] ==> INFO: Cleaning up temp files in /var/opt/
Barracuda [Mon Nov 24 18:29:57 GMT 2014] ==> INFO: Installing extra Drush versions
Barracuda [Mon Nov 24 18:30:02 GMT 2014] ==> INFO: Drush mini-4-26-08-2014 installation complete
Barracuda [Mon Nov 24 18:30:03 GMT 2014] ==> INFO: Drush mini-6-30-10-2014 installation complete
Barracuda [Mon Nov 24 18:30:05 GMT 2014] ==> INFO: Running aptitude update...
Barracuda [Mon Nov 24 18:31:00 GMT 2014] ==> INFO: Upgrading required libraries and tools
Barracuda [Mon Nov 24 18:31:00 GMT 2014] ==> NOTE! This step may take a few minutes, please wait...
Barracuda [Mon Nov 24 18:31:44 GMT 2014] ==> INFO: Testing Nginx version...
Barracuda [Mon Nov 24 18:31:44 GMT 2014] ==> INFO: Installed Nginx version nginx/1.7.6, upgrade required
Barracuda [Mon Nov 24 18:31:46 GMT 2014] ==> INFO: Upgrading Nginx...
Barracuda [Mon Nov 24 18:33:13 GMT 2014] ==> INFO: Running aptitude full-upgrade, please wait...
Barracuda [Mon Nov 24 18:33:50 GMT 2014] ==> INFO: Testing Nginx version...
Barracuda [Mon Nov 24 18:33:50 GMT 2014] ==> INFO: Installed Nginx version nginx/1.7.7, OK
Barracuda [Mon Nov 24 18:33:51 GMT 2014] ==> INFO: Installing MySecureShell 1.33...
Barracuda [Mon Nov 24 18:34:18 GMT 2014] ==> INFO: Checking SMTP connections...
Barracuda [Mon Nov 24 18:34:18 GMT 2014] ==> INFO: Upgrading a few more tools...
Barracuda [Mon Nov 24 18:34:31 GMT 2014] ==> INFO: Checking if PHP upgrade is available
Barracuda [Mon Nov 24 18:34:38 GMT 2014] ==> INFO: PHP EXTRA is --with-ldap --with-gmp --with-xpm-dir=/usr
Barracuda [Mon Nov 24 18:34:39 GMT 2014] ==> INFO: Installed PHP version 5.3.29, OK
Barracuda [Mon Nov 24 18:34:39 GMT 2014] ==> INFO: Installing Zend OPcache upgrade for PHP-FPM 5.3.29...
Barracuda [Mon Nov 24 18:35:00 GMT 2014] ==> INFO: Installed Redis version 2.8.17, OK
Barracuda [Mon Nov 24 18:35:00 GMT 2014] ==> INFO: Installing Redis update for Debian/wheezy...
Barracuda [Mon Nov 24 18:36:15 GMT 2014] ==> INFO: Generating random password for Redis server
Barracuda [Mon Nov 24 18:36:15 GMT 2014] ==> INFO: Updating MariaDB and PHP configuration
Barracuda [Mon Nov 24 18:36:17 GMT 2014] ==> INFO: OS and services upgrade completed
 
Barracuda [Mon Nov 24 18:36:17 GMT 2014] ==> INFO: Restarting MariaDB server, please wait...
Barracuda [Mon Nov 24 18:36:36 GMT 2014] ==> INFO: Upgrading MariaDB tables if necessary, please wait a minute...
 
Do you want to upgrade Aegir Master Instance? [Y/n] y
Barracuda [Mon Nov 24 18:37:41 GMT 2014] ==> INFO: Running Aegir Master Instance upgrade
Barracuda [Mon Nov 24 18:37:42 GMT 2014] ==> INFO: Syncing provision backend db_passwd...
Barracuda [Mon Nov 24 18:37:55 GMT 2014] ==> INFO: Running hosting-dispatch (1/3)...
Barracuda [Mon Nov 24 18:38:05 GMT 2014] ==> INFO: Running hosting-dispatch (2/3)...
Barracuda [Mon Nov 24 18:38:14 GMT 2014] ==> INFO: Running hosting-dispatch (3/3)...
Barracuda [Mon Nov 24 18:38:16 GMT 2014] ==> INFO: Syncing hostmaster frontend db_passwd...
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Testing previous install...
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Test OK, we can proceed with Hostmaster upgrade
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Moving old directories
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Downloading drush...
Barracuda [Mon Nov 24 18:38:20 GMT 2014] ==> INFO: Drush seems to be functioning properly
Barracuda [Mon Nov 24 18:38:20 GMT 2014] ==> INFO: Installing provision backend in /var/aegir/.drush
Barracuda [Mon Nov 24 18:38:21 GMT 2014] ==> INFO: Downloading Drush and Provision extensions...
Barracuda [Mon Nov 24 18:38:21 GMT 2014] ==> INFO: Running hostmaster-migrate, please wait...
Barracuda [Mon Nov 24 18:39:54 GMT 2014] ==> INFO: Syncing hostmaster frontend db_passwd...
Barracuda [Mon Nov 24 18:41:21 GMT 2014] ==> INFO: Aegir Master Instance upgrade completed
 
Barracuda [Mon Nov 24 18:41:22 GMT 2014] ==> INFO: _PHP_CN set to www53 for Chive MariaDB Manager
Barracuda [Mon Nov 24 18:41:29 GMT 2014] ==> INFO: _PHP_CN set to www53 for Collectd Graph Panel
Barracuda [Mon Nov 24 18:41:33 GMT 2014] ==> INFO: Restarting Redis, PHP-FPM and Nginx
Barracuda [Mon Nov 24 18:41:42 GMT 2014] ==> INFO: Restarting MariaDB server
 
Barracuda [Mon Nov 24 18:41:52 GMT 2014] ==> INFO: New secure random password for MariaDB generated and updated
Barracuda [Mon Nov 24 18:41:52 GMT 2014] ==> INFO: New entry added to /var/log/barracuda_log.txt
Barracuda [Mon Nov 24 18:41:52 GMT 2014] ==> INFO: Cleaning up system swap, it may take a moment, please wait...
 
Barracuda [Mon Nov 24 18:41:57 GMT 2014] ==> CARD: Now charging your credit card for this auto-upgrade magic...
Barracuda [Mon Nov 24 18:42:04 GMT 2014] ==> JOKE: Just kidding! Enjoy your Aegir Hosting System :)
 
Barracuda [Mon Nov 24 18:42:04 GMT 2014] ==> Final post-upgrade cleaning, please wait a moment...
Barracuda [Mon Nov 24 18:45:22 GMT 2014] ==> BYE!

BARRACUDA upgrade completed
Bye

load is 18 while maxload is 600
Octopus upgrade for User /data/disk/tn
Waiting 2 seconds...
 
Octopus [Mon Nov 24 18:45:32 GMT 2014] ==> BOA Skynet welcomes you aboard!
 
Octopus [Mon Nov 24 18:45:35 GMT 2014] ==> INFO: Reading your /root/.tn.octopus.cnf config file
Octopus [Mon Nov 24 18:45:36 GMT 2014] ==> NOTE! Please review all config options displayed below

###
### Configuration created on 121215-1617 with
### Octopus version BOA-2.0.4
###
### NOTE: the group of settings displayed bellow
### will *override* all listed settings in the Octopus script.
###
_USER="tn"
_MY_EMAIL="chris@webarchitects.co.uk"
_PLATFORMS_LIST="D7P OA7"
_AUTOPILOT=YES
_HM_ONLY=NO
_O_CONTRIB_UP=YES
_DEBUG_MODE=NO
_MY_OWNIP=
_FORCE_GIT_MIRROR=""
_THIS_DB_HOST=localhost
_DNS_SETUP_TEST=NO
_HOT_SAUCE=NO
_USE_CURRENT=YES
_REMOTE_CACHE_IP=127.0.0.1
_LOCAL_NETWORK_IP=
_PHP_FPM_VERSION=5.3
_PHP_CLI_VERSION=5.3
###
### NOTE: the group of settings displayed bellow will be *overriden*
### by config files stored in the /data/disk/tn/log/ directory,
### but only on upgrade.
###
_DOMAIN="tn.puffin.webarch.net"
_CLIENT_EMAIL="chris@webarchitects.co.uk"
_CLIENT_OPTION="SSD"
_CLIENT_SUBSCR="Y"
_CLIENT_CORES="14"
###
### Configuration created on 121215-1617 with
### Octopus version BOA-2.0.4
###
_STRONG_PASSWORDS=NO
_DEL_OLD_EMPTY_PLATFORMS=90
_SQL_CONVERT=NO
_DEL_OLD_BACKUPS=0
_DEL_OLD_TMP=0
_PHP_FPM_WORKERS=AUTO
_PHP_FPM_TIMEOUT=AUTO
_PHP_FPM_DENY=""
_RESERVED_RAM=0

Octopus [Mon Nov 24 18:45:42 GMT 2014] ==> UPGRADE in progress...

Octopus [Mon Nov 24 18:45:43 GMT 2014] ==> START -> checkpoint:

  * Your Aegir control panel for this instance is available at https://tn.puffin.webarch.net
  * Your Aegir system user for this instance is tn
  * This Octopus will use PHP-CLI 5.3 for all sites
  * This Octopus will use PHP-FPM 5.3 both for D6 and D7 sites
  * This Octopus includes platforms: D7P OA7
  * This Octopus options are listed as SSD / Y / 14 C


Octopus [Mon Nov 24 18:45:43 GMT 2014] ==> 8s before we will continue...
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Aegir automated install script part A
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Checking OCTOPUS version...
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: OCTOPUS version test: OK
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Shared platforms code v.010 (hot new) will be created
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Creating directories with correct permissions...
Octopus [Mon Nov 24 18:45:59 GMT 2014] ==> UPGRADE A: Syncing provision backend db_passwd...
Octopus [Mon Nov 24 18:46:08 GMT 2014] ==> UPGRADE A: Running hosting-dispatch (1/3)...
Octopus [Mon Nov 24 18:46:17 GMT 2014] ==> UPGRADE A: Running hosting-dispatch (2/3)...
Octopus [Mon Nov 24 18:46:27 GMT 2014] ==> UPGRADE A: Running hosting-dispatch (3/3)...
 
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE A: Syncing hostmaster frontend db_passwd...
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE A: Switching user and running AegirSetupB...
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Aegir automated install script part B
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Creating directories with correct permissions
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Running standard installer
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Downloading drush...
Octopus [Mon Nov 24 18:46:34 GMT 2014] ==> UPGRADE B: Drush seems to be functioning properly
Octopus [Mon Nov 24 18:46:34 GMT 2014] ==> UPGRADE B: Installing provision backend in /data/disk/tn/.drush
Octopus [Mon Nov 24 18:46:35 GMT 2014] ==> UPGRADE B: Downloading Drush and Provision extensions...
Octopus [Mon Nov 24 18:46:39 GMT 2014] ==> UPGRADE B: Testing previous install...
Octopus [Mon Nov 24 18:46:56 GMT 2014] ==> UPGRADE B: Hostmaster STATUS: Upgrade start
Octopus [Mon Nov 24 18:47:00 GMT 2014] ==> UPGRADE B: Hostmaster STATUS: Running hostmaster-migrate, please wait...
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Hostmaster STATUS: Upgrade completed
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Simple check if Aegir upgrade is successful
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Aegir upgrade test result: OK
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Enhancing Aegir UI, please wait...
Octopus [Mon Nov 24 18:51:24 GMT 2014] ==> UPGRADE A: Syncing hostmaster frontend db_passwd...
Octopus [Mon Nov 24 18:51:24 GMT 2014] ==> UPGRADE A: Aegir Satellite Instance upgrade completed
 
Octopus [Mon Nov 24 18:52:00 GMT 2014] ==> UPGRADE A: Creating shared directories...
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE A: Running o_contrib modules check and upgrade...
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE A: Switching user and running Platforms build
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE C: Aegir automated install script part C
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE C: Shared platforms code v.010 (hot new) will be created
 
Octopus [Mon Nov 24 18:52:28 GMT 2014] ==> DISTRO: Drupal 7.33.1 P.010 installation in progress...
Octopus [Mon Nov 24 18:52:28 GMT 2014] ==> DISTRO: Drupal 7.33.1 P.010 installation completed
 
Octopus [Mon Nov 24 18:52:28 GMT 2014] ==> DISTRO: Open Atrium 2.24 7.33.1 P.010 installation in progress...
Octopus [Mon Nov 24 18:53:05 GMT 2014] ==> DISTRO: Open Atrium 2.24 7.33.1 P.010 installation completed
 
Octopus [Mon Nov 24 18:53:05 GMT 2014] ==> UPGRADE C: Removing some unused core files...
Octopus [Mon Nov 24 18:53:05 GMT 2014] ==> UPGRADE C: Running Platforms Save & Verify tasks, please wait...
Octopus [Mon Nov 24 18:53:11 GMT 2014] ==> UPGRADE A: Platforms installation completed
Octopus [Mon Nov 24 18:53:11 GMT 2014] ==> UPGRADE A: Cleaning up various dot files...
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Creating ftp symlinks
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Preparing setupmail.txt
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Resending setup e-mail on upgrade...
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: New entry added to /data/disk/tn/log/octopus_log.txt
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Final cleaning, please wait a moment...
Octopus [Mon Nov 24 18:55:39 GMT 2014] ==> UPGRADE A: Starting the cron now
Octopus [Mon Nov 24 18:55:39 GMT 2014] ==> UPGRADE A: All done!
Octopus [Mon Nov 24 18:55:39 GMT 2014] ==> BYE!
Waiting 4 seconds...
Done for /data/disk/tn



OCTOPUS upgrade completed
Bye

I did the two fixes, wiki:PuffinServer#Muninconfigchanges and wiki:PuffinServer#nginxconfigchanges.

Paul can you test the site now?

comment:23 follow-up: ↓ 25 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 2.925 to 3.05

No change:

Source directory /data/disk/tn/.tmp/make_tmp_1416861261_5473964db2d0e/build is not readable or does not exist.
Cannot move build into place.

comment:24 Changed 2 years ago by paul

If it's the same as before, the problem is that build does not exist.

comment:25 in reply to: ↑ 23 Changed 2 years ago by chris

Replying to paul:

No change:

Source directory /data/disk/tn/.tmp/make_tmp_1416861261_5473964db2d0e/build is not readable or does not exist.

The /data/disk/tn/.tmp/ directory does exist:

drwxrwsr-x  3 tn.ftp www-data 4.0K Nov 24 20:46 .tmp/

I don't know what to suggest other than raising an issue?

Perhaps this is related?

comment:26 follow-up: ↓ 27 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.75
  • Total Hours changed from 3.05 to 3.8

Still experiencing problems creating platforms. I tried changing the ownership on .tmp to tn and adding write permissions to "other" but it didn't help.

@Chris
Is it possible to rebuild permissions for BOA / Aegir or to build a new instance of BOA / Aegir and migrate platforms / sites over?

I'll have more time to look into this tomorrow.

comment:27 in reply to: ↑ 26 Changed 2 years ago by chris

Replying to paul:

Is it possible to rebuild permissions for BOA / Aegir

I really think you need to raise this as an issue on the BOA tracking system, as I suggested earlier, see ticket:809#comment:24 -- I don't know how to make BOA work properly again.

or to build a new instance of BOA / Aegir and migrate platforms / sites over?

Yes, but that is basically building a new virtual server -- I don't think I'm in a position to make that decision, and to be honest, I'd suggest that if we are building a new server we might as well ditch BOA since nobody likes using it.

comment:28 follow-up: ↓ 29 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 3.8 to 3.925

I didn't ask you to make the decision. I'm just asking you politely if this is something that you could do.

I agree with your suggestion. Thanks.

comment:29 in reply to: ↑ 28 Changed 2 years ago by chris

Replying to paul:

I didn't ask you to make the decision. I'm just asking you politely if this is something that you could do.

Yes, in theory I could do it (and I'd be happy to do it), but a decision to ditch BOA would need to be made first.

comment:30 follow-up: ↓ 31 Changed 2 years ago by ed

do i need to become involved in this at all?

comment:31 in reply to: ↑ 30 Changed 2 years ago by chris

Replying to ed:

do i need to become involved in this at all?

I guess that is up to you, if you don't want to be then I think this issue would have to be postponed till your replacement is in place to make decisions.

comment:32 follow-up: ↓ 37 Changed 2 years ago by ed

OK so as it's into the tech list I think:

  1. we need a group skype to assess
  2. I'm going to see if Jim can dig out some time as the BOA guy
  3. we're very unlikely to start setting up new VSs

comment:33 Changed 2 years ago by paul

Ed,

I'll have a look to see if I can patch production later today / tomorrow (latest)

comment:37 in reply to: ↑ 32 Changed 2 years ago by chris

Replying to ed:

  1. we need a group skype to assess
  2. I'm going to see if Jim can dig out some time as the BOA guy
  3. we're very unlikely to start setting up new VSs

Due to 3. above I'm not sure 1. is needed and I agree that 2., if possible, would be great.

Also please note this matter hasn't been raised as a BOA issue -- that might also be a route to a solution that doesn't involve ditching BOA, see ticket:809#comment:24. I think Paul or Jim would be best placed to raise a BOA ticket as they are the ones who have been using the BOA web interface (I haven't).

comment:38 follow-up: ↓ 39 Changed 2 years ago by paul

I'll raise a ticket.

comment:39 in reply to: ↑ 38 Changed 2 years ago by chris

Replying to paul:

I'll raise a ticket.

Thanks, post a link to it here when you do?

comment:40 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.925 to 4.175

Made the post:

https://github.com/omega8cc/boa/issues/527

I'll follow up later.

comment:41 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 4.175 to 4.3

Just confirmed the problem still exists after clearing out failed platforms from yesterday.

Last edited 2 years ago by paul

comment:42 Changed 2 years ago by sam

  • Milestone set to Maintenance

comment:43 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 4.3 to 4.8

Investigated the makefile & updated the BOA ticket.

https://github.com/omega8cc/boa/issues/527

I'll follow up as soon as I get a reply.

comment:44 Changed 2 years ago by chris

I don't know anything about the makefile so this might not make any sense, but in reference to "the module is commented out in the makefile" there is still one line that references the breadcrumb module that isn't commented out:

projects[custom_breadcrumb][subdir] = "contrib"

Last edited 2 years ago by chris

comment:45 Changed 2 years ago by paul

Thanks Chris.

I was searching for the module name custom_breadcrumbs so didn't notice this. Trying to create a new platform ..

comment:46 Changed 2 years ago by paul

After updating the makefile it's still complaining of the same problem. Maybe a cache problem. Investigating ..

comment:47 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 4.8 to 5.3

Still seeing the problem after clearing the custom_breadcrumb cache entry several times. Will try again later.

Updated profile:
https://raw.githubusercontent.com/paulbooker/transitionnetwork.org-d6.profile/master/transitionnetwork.org-d6.make

Platforms page:
https://tn.puffin.webarch.net/hosting/platforms

comment:48 Changed 2 years ago by paul

Just successfully built a new stage platform. Not certain what changed but I suspect some cache somewhere got cleared. I'll see if I can get this ticket resolved ..

comment:49 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 1.5
  • Total Hours changed from 5.3 to 6.8

Security updates have been applied to both transitionnetwork.org & news.transitionnetwork.org

Tasks done:

  • Built a new stage platform.
  • Migrated my stage site to the new platform.
  • Logged in and checked the site.
  • Built a new production platform.
  • Migrated transitionnetwork.org & news.transitionnetwork.org to the new production platform.
  • Logged in and checked the sites.

I noticed when going through the log messages on production that I had missed the warning messages about custom_breadcrumbs. This module was already commented out in the makefile, so hopefully all is good. @Sam Would you have a look over the site to see if everything is ok? I'll try and get back later this evening if there are any problems.

Also deleted all of the failed platforms from the past couple of days.

Best, Paul

Last edited 2 years ago by paul

comment:50 Changed 2 years ago by sam

Hi Paul

Thanks for this. All the breadcrumbs look OK to me.

Thanks

Sam

comment:51 Changed 2 years ago by paul

Thanks Sam. That's good to hear. Phew!

comment:54 Changed 2 years ago by ed

Good news well done Paul - don't forget to thank the omega8 folks for their support - and close this ticket :)

comment:55 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 6.8 to 6.925

Cheers Ed. I updated / closed the ticket.

@Chris
Thanks for suggesting working with Omega to fix the problem. That was the right call :) Hope you're feeling better.

Have a great weekend gentlemen.