Ticket #809 (new maintenance)
[Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006
Reported by: | paul | Owned by: | paul |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Drupal modules & settings | Keywords: | |
Cc: | ed, ben, sam, annesley | Estimated Number of Hours: | 0.0 |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 6.925 | | |
Description (last modified by paul)
View online: https://www.drupal.org/SA-CORE-2014-006
- Advisory ID: DRUPAL-SA-CORE-2014-006
- Project: Drupal core [1]
- Version: 6.x, 7.x
- Date: 2014-November-19
- Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
- Vulnerability: Multiple vulnerabilities
Session hijacking (Drupal 6 and 7)
A specially crafted request can give a user access to another user's session,
allowing an attacker to hijack a random session.
This attack is known to be possible on certain Drupal 7 sites which serve
both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are
other attack vectors for both Drupal 6 and Drupal 7.
Denial of service (Drupal 7 only)
Drupal 7 includes a password hashing API to ensure that user supplied
passwords are not stored in plain text.
A vulnerability in this API allows an attacker to send specially crafted
requests resulting in CPU and memory exhaustion. This may lead to the site
becoming unavailable or unresponsive (denial of service).
This vulnerability can be exploited by anonymous users.
- A CVE identifier [4] will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
- Drupal core 6.x versions prior to 6.34.
- Drupal core 7.x versions prior to 7.34.
Install the latest version:
- If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
- If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]
If you have configured a custom password.inc file for your Drupal 7 site you
also need to make sure that it is not prone to the same denial of service
vulnerability. See also the similar security advisory for the Drupal 6
contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]
Also see the Drupal core [8] project page.
Session hijacking:
- Aaron Averill [9]
Denial of service:
Session hijacking:
- Klaus Purer [13] of the Drupal Security Team
- David Rothstein [14] of the Drupal Security Team
- Peter Wolanin [15] of the Drupal Security Team
Denial of service:
- Klaus Purer [16] of the Drupal Security Team
- Peter Wolanin [17] of the Drupal Security Team
- Heine Deelstra [18] of the Drupal Security Team
- Tom Phethean [19]
- The Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [20].
Learn more about the Drupal Security team and their policies [21], writing
secure code for Drupal [22], and securing your site [23].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [24]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/https-information
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-6.34-release-notes
[6] https://www.drupal.org/drupal-7.34-release-notes
[7] https://www.drupal.org/node/2378367
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/user/1317732
[10] https://www.drupal.org/u/MichaelCu
[11] https://www.drupal.org/u/jnietotn
[12] https://www.drupal.org/u/c0r3dump3d
[13] https://www.drupal.org/u/klausi
[14] https://www.drupal.org/u/David_Rothstein
[15] https://www.drupal.org/u/pwolanin
[16] https://www.drupal.org/u/klausi
[17] https://www.drupal.org/u/pwolanin
[18] https://www.drupal.org/u/Heine
[19] https://www.drupal.org/u/tsphethean
[20] https://www.drupal.org/contact
[21] https://www.drupal.org/security-team
[22] https://www.drupal.org/writing-secure-code
[23] https://www.drupal.org/security/secure-configuration
[24] https://twitter.com/drupalsecurity
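The denial-of-service entry in the advisory above says that specially crafted requests to Drupal 7's password hashing API can exhaust CPU and memory, but does not describe why. The following added example (not Drupal's code, not part of the advisory) shows the general shape of that bug class with a phpass-style iterated hash, in which the password is mixed into every round, so the bytes hashed per login attempt scale with password length times round count, and the defender's fix of bounding the input size before any hashing work runs. The values of ROUNDS, MAX_PASSWORD_BYTES, the salt and the sample passwords are assumed demo values, not figures from the advisory.

```python
"""Bounded vs unbounded password verification against an iterated hash.

Added example, not Drupal's code. A phpass-style scheme re-feeds the password
into every round, so the bytes hashed per login attempt scale with
len(password) * rounds. Capping the length before hashing bounds that cost.
"""
import hashlib
import hmac
import os
import time

# Demo parameters (assumed values, not taken from the advisory).
ROUNDS = 1 << 10                            # low round count so the demo runs quickly
MAX_PASSWORD_BYTES = 512                    # cap applied before any hashing work
DIGEST_LEN = hashlib.sha512().digest_size   # 64 bytes


def phpass_style_hash(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Iterated SHA-512 in the phpass style: h = H(salt+pw); repeat h = H(h+pw)."""
    h = hashlib.sha512(salt + password).digest()
    for _ in range(rounds):
        h = hashlib.sha512(h + password).digest()
    return h


def bytes_hashed(password_len: int, salt_len: int, rounds: int = ROUNDS) -> int:
    """Bytes fed through SHA-512 for one attempt with the scheme above."""
    return (salt_len + password_len) + rounds * (DIGEST_LEN + password_len)


def cost_ratio(long_len: int, typical_len: int = 12, salt_len: int = 8) -> float:
    """How much more hashing work an oversized password costs than a typical one."""
    return bytes_hashed(long_len, salt_len) / bytes_hashed(typical_len, salt_len)


def verify_unbounded(password: bytes, salt: bytes, expected: bytes) -> bool:
    """Vulnerable shape: hashes whatever the client sent, however large."""
    return hmac.compare_digest(phpass_style_hash(password, salt), expected)


def verify_bounded(password: bytes, salt: bytes, expected: bytes) -> bool:
    """Hardened shape: reject oversized input before doing any hashing work."""
    if len(password) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(phpass_style_hash(password, salt), expected)


def timed_attempt(verify, password: bytes, salt: bytes, expected: bytes) -> float:
    """Wall-clock seconds one verification takes (for the stand-alone demo)."""
    start = time.perf_counter()
    verify(password, salt, expected)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(8)                # constructed demo salt
    good = b"correct horse"             # constructed demo password
    stored = phpass_style_hash(good, salt)
    oversized = b"A" * (256 * 1024)     # constructed 256 KiB login submission

    print("typical attempt, unbounded:   %.4fs" % timed_attempt(verify_unbounded, good, salt, stored))
    print("oversized attempt, unbounded: %.4fs" % timed_attempt(verify_unbounded, oversized, salt, stored))
    print("oversized attempt, bounded:   %.6fs" % timed_attempt(verify_bounded, oversized, salt, stored))
    print("hashing work, 256 KiB vs 12 bytes: %.0fx" % cost_ratio(len(oversized)))
```

The advisory's note about custom password.inc files follows from the same observation: any replacement hashing routine that is handed the raw request body needs its own length cap, otherwise the bound that core applies is lost.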
Change History
comment:1 Changed 2 years ago by paul
- Description modified
- Summary changed from [Security-news] SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS) to [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006
comment:2 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 1.25
- Total Hours changed from 0.0 to 1.25
Experiencing problems with Aegir. Specifically I can't create a new platform (directory not created) or clone a site on an existing platform. Can anyone reproduce these problems? I'll try again later today.
Latest Makefile:
https://raw.githubusercontent.com/paulbooker/transitionnetwork.org-d6.profile/master/transitionnetwork.org-d6.make
comment:3 Changed 2 years ago by chris
- Cc ed, ben, sam, annesley added
Paul, this ticket wasn't CC'd to anyone so nobody else will have seen it unless they do something like visit the timeline and see it there.
I have added some CCs, from the list of usernames at wiki:WikiStart#Tracusernames
I'm sorry, I don't know why Aegir isn't working.
comment:6 follow-up: ↓ 7 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 1.25 to 1.4
I'll pick this up again later today.
It's not clear to me at the moment how to reboot Aegir or if that's a good idea.
If we can't get Aegir working again, I'll carry out the core update manually.
comment:7 in reply to: ↑ 6 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 1.4 to 1.65
Replying to paul:
It's not clear to me at the moment how to reboot Aegir or if that's a good idea.
I'm not sure what you mean by "reboot Aegir"?
I have restarted php-fpm and nginx and could also restart mysql (though I don't really see what that would change and it takes longer than the other two restarts).
comment:9 follow-up: ↓ 10 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 1.65 to 1.775
Chris,
Darn. Still not working. Is this problem something you can troubleshoot?
When we apply updates to Aegir, does Aegir run any tests to see if it can build platforms?
Let me know if you can't fix. I'll then need to get confirmation from Ed to carry out the update manually?
comment:10 in reply to: ↑ 9 Changed 2 years ago by chris
Replying to paul:
Darn. Still not working. Is this problem something you can troubleshoot?
I can look at it next week but I'm afraid I don't have a lot of spare time today or at the weekend.
comment:11 Changed 2 years ago by paul
I'll try a manual update on my stage site ..
comment:12 follow-up: ↓ 13 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 1.775 to 2.025
I have decided that since the security update looks to only affect Drupal 6 sites serving content over both HTTP/HTTPS, and that the file system is different to a normal Drupal installation, and that it's Friday, it's probably best to leave this until next week.
comment:13 in reply to: ↑ 12 Changed 2 years ago by chris
Replying to paul:
the security update looks to only affect Drupal 6 sites serving content over both HTTP/HTTPS
This is something we do:
comment:14 follow-up: ↓ 15 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 2.025 to 2.15
Sorry, I thought we did.
Could we place the whole site under HTTPS? Would you clarify the reasons for using both?
comment:15 in reply to: ↑ 14 ; follow-up: ↓ 16 Changed 2 years ago by chris
Replying to paul:
Could we place the whole site under HTTPS?
Yes in theory and FWIW I think the time has come when all sites should be HTTPS only with HTTP redirecting to HTTPS.
Would you clarify the reasons for using both?
There were lots of discussions about this, Ed might remember better than me, Jim wanted everything to be HTTP only.
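The advisory in the ticket description says the session hijacking is known to work on sites serving both HTTP and HTTPS, and the exchange above settles on HTTPS only with HTTP redirecting to HTTPS as the way to close that off. As an added example, not configuration from this ticket or from the server it discusses, this is the nginx shape of that change (the server in comment:7 runs nginx); the hostnames and certificate paths are placeholders.

```nginx
# Added example: plain-HTTP listener that only redirects, so no session
# cookie is ever exchanged over HTTP. Hostnames and paths are placeholders.
server {
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.org www.example.org;

    ssl_certificate     /etc/ssl/certs/example.org.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.org.key;  # placeholder path

    # Ask browsers to stay on HTTPS for a year, even for typed http:// links.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Site-specific location / fastcgi blocks go here, unchanged from the
    # existing HTTPS server block.
}
```

Once the site is reachable only over HTTPS, Drupal's session cookie should also carry the Secure flag (in Drupal 7 this follows from the HTTPS-only setup; check the Set-Cookie header on a login response to confirm), otherwise a browser will still send it on any stray http:// request before the redirect lands.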
comment:16 in reply to: ↑ 15 Changed 2 years ago by paul
Replying to chris:
Replying to paul:
Could we place the whole site under HTTPS?
Yes in theory and FWIW I think the time has come when all sites should be HTTPS only with HTTP redirecting to HTTPS.
Agreed.
Would you clarify the reasons for using both?
There were lots of discussions about this, Ed might remember better than me, Jim wanted everything to be HTTP only.
comment:17 follow-up: ↓ 19 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 2.15 to 2.275
Still a problem with the platform.
If Aegir is not working perfectly, then it's of no help to us. I think we should ask Chris to propose something better. We could then have a considered exchange of ideas over email. WYT?
comment:18 Changed 2 years ago by paul
We could also put the whole site under HTTPS during the migration.
comment:19 in reply to: ↑ 17 ; follow-up: ↓ 20 Changed 2 years ago by chris
Replying to paul:
If Aegir is not working perfectly, then it's of no help to us. I think we should ask Chris to propose something better. We could then have a considered exchange of ideas over email. WYT?
I don't think we can make decisions of this nature on this ticket, and I doubt Ed would want to make any decisions regarding hosting -- I think this would have to be an item for his replacement to consider. The last non-BOA server, wiki:NewLiveServer, took a while to set up and get working well (incidentally it had 3GB of RAM whereas the current server has 8GB and a key reason to move to BOA was to reduce the system resources needed...), this is something that would take several days to set up and therefore has a significant cost implication. I think we should probably stick with BOA for the existing Drupal 6 site and if long term support for D6 happens I suspect that the TN site might well stay running on D6 for years...
I'll try to fix BOA later today.
comment:20 in reply to: ↑ 19 Changed 2 years ago by paul
comment:21 Changed 2 years ago by chris
I'm looking at this now...
comment:22 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.65
- Total Hours changed from 2.275 to 2.925
Perhaps our issue is related to Critical: PHP build is broken with latest MariaDB 5.5.40 as we are running 5.5.40-MariaDB, however we have an older version of PHP. I can't see any other recent tickets that might apply to our situation.
Running the updater:
sudo -i
screen
cd
wget -q -U iCab http://files.aegir.cc/BOA.sh.txt
bash BOA.sh.txt
barracuda up-stable ; octopus up-stable all both
....
Barracuda [Mon Nov 24 18:29:39 GMT 2014] ==> INFO: Checking your system version...
Barracuda [Mon Nov 24 18:29:39 GMT 2014] ==> Aegir on Debian/wheezy - Skynet Agent v.BOA-2.3.6
Barracuda [Mon Nov 24 18:29:40 GMT 2014] ==> INFO: Updating packages sources list...
Barracuda [Mon Nov 24 18:29:40 GMT 2014] ==> INFO: We will use Debian mirror ftp.debian.org
Barracuda [Mon Nov 24 18:29:51 GMT 2014] ==> INFO: Downloading little helpers...
Barracuda [Mon Nov 24 18:29:54 GMT 2014] ==> INFO: Checking BARRACUDA version...
Barracuda [Mon Nov 24 18:29:54 GMT 2014] ==> INFO: BARRACUDA version test: OK
Barracuda [Mon Nov 24 18:29:54 GMT 2014] ==> UPGRADE START -> checkpoint:
* Your e-mail address appears to be chris@webarchitects.co.uk - is that correct?
* Your server hostname is puffin.webarch.net.
* Your Aegir control panel is/will be available at https://master.puffin.webarch.net.
Do you want to proceed with the upgrade? [Y/n] y
Barracuda [Mon Nov 24 18:29:57 GMT 2014] ==> INFO: Cleaning up temp files in /var/opt/
Barracuda [Mon Nov 24 18:29:57 GMT 2014] ==> INFO: Installing extra Drush versions
Barracuda [Mon Nov 24 18:30:02 GMT 2014] ==> INFO: Drush mini-4-26-08-2014 installation complete
Barracuda [Mon Nov 24 18:30:03 GMT 2014] ==> INFO: Drush mini-6-30-10-2014 installation complete
Barracuda [Mon Nov 24 18:30:05 GMT 2014] ==> INFO: Running aptitude update...
Barracuda [Mon Nov 24 18:31:00 GMT 2014] ==> INFO: Upgrading required libraries and tools
Barracuda [Mon Nov 24 18:31:00 GMT 2014] ==> NOTE! This step may take a few minutes, please wait...
Barracuda [Mon Nov 24 18:31:44 GMT 2014] ==> INFO: Testing Nginx version...
Barracuda [Mon Nov 24 18:31:44 GMT 2014] ==> INFO: Installed Nginx version nginx/1.7.6, upgrade required
Barracuda [Mon Nov 24 18:31:46 GMT 2014] ==> INFO: Upgrading Nginx...
Barracuda [Mon Nov 24 18:33:13 GMT 2014] ==> INFO: Running aptitude full-upgrade, please wait...
Barracuda [Mon Nov 24 18:33:50 GMT 2014] ==> INFO: Testing Nginx version...
Barracuda [Mon Nov 24 18:33:50 GMT 2014] ==> INFO: Installed Nginx version nginx/1.7.7, OK
Barracuda [Mon Nov 24 18:33:51 GMT 2014] ==> INFO: Installing MySecureShell 1.33...
Barracuda [Mon Nov 24 18:34:18 GMT 2014] ==> INFO: Checking SMTP connections...
Barracuda [Mon Nov 24 18:34:18 GMT 2014] ==> INFO: Upgrading a few more tools...
Barracuda [Mon Nov 24 18:34:31 GMT 2014] ==> INFO: Checking if PHP upgrade is available
Barracuda [Mon Nov 24 18:34:38 GMT 2014] ==> INFO: PHP EXTRA is --with-ldap --with-gmp --with-xpm-dir=/usr
Barracuda [Mon Nov 24 18:34:39 GMT 2014] ==> INFO: Installed PHP version 5.3.29, OK
Barracuda [Mon Nov 24 18:34:39 GMT 2014] ==> INFO: Installing Zend OPcache upgrade for PHP-FPM 5.3.29...
Barracuda [Mon Nov 24 18:35:00 GMT 2014] ==> INFO: Installed Redis version 2.8.17, OK
Barracuda [Mon Nov 24 18:35:00 GMT 2014] ==> INFO: Installing Redis update for Debian/wheezy...
Barracuda [Mon Nov 24 18:36:15 GMT 2014] ==> INFO: Generating random password for Redis server
Barracuda [Mon Nov 24 18:36:15 GMT 2014] ==> INFO: Updating MariaDB and PHP configuration
Barracuda [Mon Nov 24 18:36:17 GMT 2014] ==> INFO: OS and services upgrade completed
Barracuda [Mon Nov 24 18:36:17 GMT 2014] ==> INFO: Restarting MariaDB server, please wait...
Barracuda [Mon Nov 24 18:36:36 GMT 2014] ==> INFO: Upgrading MariaDB tables if necessary, please wait a minute...
Do you want to upgrade Aegir Master Instance? [Y/n] y
Barracuda [Mon Nov 24 18:37:41 GMT 2014] ==> INFO: Running Aegir Master Instance upgrade
Barracuda [Mon Nov 24 18:37:42 GMT 2014] ==> INFO: Syncing provision backend db_passwd...
Barracuda [Mon Nov 24 18:37:55 GMT 2014] ==> INFO: Running hosting-dispatch (1/3)...
Barracuda [Mon Nov 24 18:38:05 GMT 2014] ==> INFO: Running hosting-dispatch (2/3)...
Barracuda [Mon Nov 24 18:38:14 GMT 2014] ==> INFO: Running hosting-dispatch (3/3)...
Barracuda [Mon Nov 24 18:38:16 GMT 2014] ==> INFO: Syncing hostmaster frontend db_passwd...
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Testing previous install...
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Test OK, we can proceed with Hostmaster upgrade
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Moving old directories
Barracuda [Mon Nov 24 18:38:17 GMT 2014] ==> INFO: Downloading drush...
Barracuda [Mon Nov 24 18:38:20 GMT 2014] ==> INFO: Drush seems to be functioning properly
Barracuda [Mon Nov 24 18:38:20 GMT 2014] ==> INFO: Installing provision backend in /var/aegir/.drush
Barracuda [Mon Nov 24 18:38:21 GMT 2014] ==> INFO: Downloading Drush and Provision extensions...
Barracuda [Mon Nov 24 18:38:21 GMT 2014] ==> INFO: Running hostmaster-migrate, please wait...
Barracuda [Mon Nov 24 18:39:54 GMT 2014] ==> INFO: Syncing hostmaster frontend db_passwd...
Barracuda [Mon Nov 24 18:41:21 GMT 2014] ==> INFO: Aegir Master Instance upgrade completed
Barracuda [Mon Nov 24 18:41:22 GMT 2014] ==> INFO: _PHP_CN set to www53 for Chive MariaDB Manager
Barracuda [Mon Nov 24 18:41:29 GMT 2014] ==> INFO: _PHP_CN set to www53 for Collectd Graph Panel
Barracuda [Mon Nov 24 18:41:33 GMT 2014] ==> INFO: Restarting Redis, PHP-FPM and Nginx
Barracuda [Mon Nov 24 18:41:42 GMT 2014] ==> INFO: Restarting MariaDB server
Barracuda [Mon Nov 24 18:41:52 GMT 2014] ==> INFO: New secure random password for MariaDB generated and updated
Barracuda [Mon Nov 24 18:41:52 GMT 2014] ==> INFO: New entry added to /var/log/barracuda_log.txt
Barracuda [Mon Nov 24 18:41:52 GMT 2014] ==> INFO: Cleaning up system swap, it may take a moment, please wait...
Barracuda [Mon Nov 24 18:41:57 GMT 2014] ==> CARD: Now charging your credit card for this auto-upgrade magic...
Barracuda [Mon Nov 24 18:42:04 GMT 2014] ==> JOKE: Just kidding!
Enjoy your Aegir Hosting System :)
Barracuda [Mon Nov 24 18:42:04 GMT 2014] ==> Final post-upgrade cleaning, please wait a moment...
Barracuda [Mon Nov 24 18:45:22 GMT 2014] ==> BYE! BARRACUDA upgrade completed
Bye
load is 18 while maxload is 600
Octopus upgrade for User /data/disk/tn
Waiting 2 seconds...
Octopus [Mon Nov 24 18:45:32 GMT 2014] ==> BOA Skynet welcomes you aboard!
Octopus [Mon Nov 24 18:45:35 GMT 2014] ==> INFO: Reading your /root/.tn.octopus.cnf config file
Octopus [Mon Nov 24 18:45:36 GMT 2014] ==> NOTE! Please review all config options displayed below
###
### Configuration created on 121215-1617 with
### Octopus version BOA-2.0.4
###
### NOTE: the group of settings displayed bellow
### will *override* all listed settings in the Octopus script.
###
_USER="tn"
_MY_EMAIL="chris@webarchitects.co.uk"
_PLATFORMS_LIST="D7P OA7"
_AUTOPILOT=YES
_HM_ONLY=NO
_O_CONTRIB_UP=YES
_DEBUG_MODE=NO
_MY_OWNIP=
_FORCE_GIT_MIRROR=""
_THIS_DB_HOST=localhost
_DNS_SETUP_TEST=NO
_HOT_SAUCE=NO
_USE_CURRENT=YES
_REMOTE_CACHE_IP=127.0.0.1
_LOCAL_NETWORK_IP=
_PHP_FPM_VERSION=5.3
_PHP_CLI_VERSION=5.3
###
### NOTE: the group of settings displayed bellow will be *overriden*
### by config files stored in the /data/disk/tn/log/ directory,
### but only on upgrade.
###
_DOMAIN="tn.puffin.webarch.net"
_CLIENT_EMAIL="chris@webarchitects.co.uk"
_CLIENT_OPTION="SSD"
_CLIENT_SUBSCR="Y"
_CLIENT_CORES="14"
###
### Configuration created on 121215-1617 with
### Octopus version BOA-2.0.4
###
_STRONG_PASSWORDS=NO
_DEL_OLD_EMPTY_PLATFORMS=90
_SQL_CONVERT=NO
_DEL_OLD_BACKUPS=0
_DEL_OLD_TMP=0
_PHP_FPM_WORKERS=AUTO
_PHP_FPM_TIMEOUT=AUTO
_PHP_FPM_DENY=""
_RESERVED_RAM=0
Octopus [Mon Nov 24 18:45:42 GMT 2014] ==> UPGRADE in progress...
Octopus [Mon Nov 24 18:45:43 GMT 2014] ==> START -> checkpoint:
* Your Aegir control panel for this instance is available at https://tn.puffin.webarch.net
* Your Aegir system user for this instance is tn
* This Octopus will use PHP-CLI 5.3 for all sites
* This Octopus will use PHP-FPM 5.3 both for D6 and D7 sites
* This Octopus includes platforms: D7P OA7
* This Octopus options are listed as SSD / Y / 14 C
Octopus [Mon Nov 24 18:45:43 GMT 2014] ==> 8s before we will continue...
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Aegir automated install script part A
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Checking OCTOPUS version...
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: OCTOPUS version test: OK
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Shared platforms code v.010 (hot new) will be created
Octopus [Mon Nov 24 18:45:58 GMT 2014] ==> UPGRADE A: Creating directories with correct permissions...
Octopus [Mon Nov 24 18:45:59 GMT 2014] ==> UPGRADE A: Syncing provision backend db_passwd...
Octopus [Mon Nov 24 18:46:08 GMT 2014] ==> UPGRADE A: Running hosting-dispatch (1/3)...
Octopus [Mon Nov 24 18:46:17 GMT 2014] ==> UPGRADE A: Running hosting-dispatch (2/3)...
Octopus [Mon Nov 24 18:46:27 GMT 2014] ==> UPGRADE A: Running hosting-dispatch (3/3)...
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE A: Syncing hostmaster frontend db_passwd...
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE A: Switching user and running AegirSetupB...
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Aegir automated install script part B
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Creating directories with correct permissions
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Running standard installer
Octopus [Mon Nov 24 18:46:31 GMT 2014] ==> UPGRADE B: Downloading drush...
Octopus [Mon Nov 24 18:46:34 GMT 2014] ==> UPGRADE B: Drush seems to be functioning properly
Octopus [Mon Nov 24 18:46:34 GMT 2014] ==> UPGRADE B: Installing provision backend in /data/disk/tn/.drush
Octopus [Mon Nov 24 18:46:35 GMT 2014] ==> UPGRADE B: Downloading Drush and Provision extensions...
Octopus [Mon Nov 24 18:46:39 GMT 2014] ==> UPGRADE B: Testing previous install...
Octopus [Mon Nov 24 18:46:56 GMT 2014] ==> UPGRADE B: Hostmaster STATUS: Upgrade start
Octopus [Mon Nov 24 18:47:00 GMT 2014] ==> UPGRADE B: Hostmaster STATUS: Running hostmaster-migrate, please wait...
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Hostmaster STATUS: Upgrade completed
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Simple check if Aegir upgrade is successful
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Aegir upgrade test result: OK
Octopus [Mon Nov 24 18:48:52 GMT 2014] ==> UPGRADE B: Enhancing Aegir UI, please wait...
Octopus [Mon Nov 24 18:51:24 GMT 2014] ==> UPGRADE A: Syncing hostmaster frontend db_passwd...
Octopus [Mon Nov 24 18:51:24 GMT 2014] ==> UPGRADE A: Aegir Satellite Instance upgrade completed
Octopus [Mon Nov 24 18:52:00 GMT 2014] ==> UPGRADE A: Creating shared directories...
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE A: Running o_contrib modules check and upgrade...
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE A: Switching user and running Platforms build
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE C: Aegir automated install script part C
Octopus [Mon Nov 24 18:52:22 GMT 2014] ==> UPGRADE C: Shared platforms code v.010 (hot new) will be created
Octopus [Mon Nov 24 18:52:28 GMT 2014] ==> DISTRO: Drupal 7.33.1 P.010 installation in progress...
Octopus [Mon Nov 24 18:52:28 GMT 2014] ==> DISTRO: Drupal 7.33.1 P.010 installation completed
Octopus [Mon Nov 24 18:52:28 GMT 2014] ==> DISTRO: Open Atrium 2.24 7.33.1 P.010 installation in progress...
Octopus [Mon Nov 24 18:53:05 GMT 2014] ==> DISTRO: Open Atrium 2.24 7.33.1 P.010 installation completed
Octopus [Mon Nov 24 18:53:05 GMT 2014] ==> UPGRADE C: Removing some unused core files...
Octopus [Mon Nov 24 18:53:05 GMT 2014] ==> UPGRADE C: Running Platforms Save & Verify tasks, please wait...
Octopus [Mon Nov 24 18:53:11 GMT 2014] ==> UPGRADE A: Platforms installation completed
Octopus [Mon Nov 24 18:53:11 GMT 2014] ==> UPGRADE A: Cleaning up various dot files...
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Creating ftp symlinks
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Preparing setupmail.txt
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Resending setup e-mail on upgrade...
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: New entry added to /data/disk/tn/log/octopus_log.txt
Octopus [Mon Nov 24 18:53:16 GMT 2014] ==> UPGRADE A: Final cleaning, please wait a moment...
Octopus [Mon Nov 24 18:55:39 GMT 2014] ==> UPGRADE A: Starting the cron now
Octopus [Mon Nov 24 18:55:39 GMT 2014] ==> UPGRADE A: All done!
Octopus [Mon Nov 24 18:55:39 GMT 2014] ==> BYE!
Waiting 4 seconds...
Done for /data/disk/tn
OCTOPUS upgrade completed
Bye
I did the two fixes, wiki:PuffinServer#Muninconfigchanges and wiki:PuffinServer#nginxconfigchanges.
Paul can you test the site now?
comment:23 follow-up: ↓ 25 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 2.925 to 3.05
No change:
Source directory /data/disk/tn/.tmp/make_tmp_1416861261_5473964db2d0e/build is not readable or does not exist.
Cannot move build into place.
comment:24 Changed 2 years ago by paul
If it's the same before the problem is that build does not exist.
comment:25 in reply to: ↑ 23 Changed 2 years ago by chris
Replying to paul:
No change:
Source directory /data/disk/tn/.tmp/make_tmp_1416861261_5473964db2d0e/build is not readable or does not exist.
The /data/disk/tn/.tmp/ directory does exist:
drwxrwsr-x 3 tn.ftp www-data 4.0K Nov 24 20:46 .tmp/
I don't know what to suggest other than raising an issue?
Perhaps this is related?
comment:26 follow-up: ↓ 27 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 3.05 to 3.8
Still experiencing problems creating platforms. I tried changing the ownership on .tmp to tn and adding write permissions to "other" but it didn't help.
@Chris
Is it possible to rebuild permissions for BOA / Aegir or to build a new instance of BOA / Aegir and migrate platforms / sites over?
I'll have more time to look into this tomorrow.
comment:27 in reply to: ↑ 26 Changed 2 years ago by chris
Replying to paul:
Is it possible to rebuild permissions for BOA / Aegir
I really think you need to raise this as an issue on the BOA tracking system, as I suggested earlier, see ticket:809#comment:24 -- I don't know how to make BOA work properly again.
or to build a new instance of BOA / Aegir and migrate platforms / sites over?
Yes, but that is basically building a new virtual server -- I don't think I'm in a position to make that decision, and to be honest, I'd suggest that if we are building a new server we might as well ditch BOA since nobody likes using it.
comment:28 follow-up: ↓ 29 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 3.8 to 3.925
I didn't ask you to make the decision. I'm just asking you politely if this is something that you could do.
I agree with your suggestion. Thanks.
comment:29 in reply to: ↑ 28 Changed 2 years ago by chris
Replying to paul:
I didn't ask you to make the decision. I'm just asking you politely if this is something that you could do.
Yes, in theory I could do it (and I'd be happy to do it), but a decision to ditch BOA would need to be made first.
comment:30 follow-up: ↓ 31 Changed 2 years ago by ed
do i need to become involved in this at all?
comment:31 in reply to: ↑ 30 Changed 2 years ago by chris
Replying to ed:
do i need to become involved in this at all?
I guess that is up to you, if you don't want to be then I think this issue would have to be postponed till your replacement is in place to make decisions.
comment:32 follow-up: ↓ 37 Changed 2 years ago by ed
OK so as it's into the tech list I think:
- we need a group skype to assess
- I'm going to see if Jim can dig out some time as the BOA guy
- we're very unlikely to start setting up new VSs
comment:33 Changed 2 years ago by paul
Ed,
I'll have a look to see if I can patch production later today / tomorrow (latest)
comment:37 in reply to: ↑ 32 Changed 2 years ago by chris
Replying to ed:
- we need a group skype to assess
- I'm going to see if Jim can dig out some time as the BOA guy
- we're very unlikely to start setting up new VSs
Due to 3. above I'm not sure 1. is needed and I agree that 2., if possible, would be great.
Also please note this matter hasn't been raised as a BOA issue -- that might also be a route to a solution that doesn't involve ditching BOA, see ticket:809#comment:24. I think Paul or Jim would be best placed to raise a BOA ticket as they are the ones who have been using the BOA web interface (I haven't).
comment:38 follow-up: ↓ 39 Changed 2 years ago by paul
I'll raise a ticket.
comment:39 in reply to: ↑ 38 Changed 2 years ago by chris
comment:40 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 3.925 to 4.175
comment:41 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 4.175 to 4.3
Just confirmed the problem still exists after clearing out failed platforms from yesterday.
comment:43 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 4.3 to 4.8
Investigated the makefile & updated the BOA ticket.
https://github.com/omega8cc/boa/issues/527
I'll follow up as soon as I get a reply.
comment:44 Changed 2 years ago by chris
I don't know anything about the makefile so this might not make any sense, but in reference to "the module is commented out in the makefile" there is still one line that references the breadcrumb module that isn't commented out:
projects[custom_breadcrumb][subdir] = "contrib"
comment:45 Changed 2 years ago by paul
Thanks Chris.
I was searching for the module name custom_breadcrumbs so didn't notice this. Trying to create a new platform ..
comment:46 Changed 2 years ago by paul
After updating the makefile it's still complaining of the same problem. Maybe a cache problem. Investigating ..
comment:47 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 4.8 to 5.3
Still seeing the problem after clearing the custom_breadcrumb cache entry several times. Will try again later.
Updated profile:
https://raw.githubusercontent.com/paulbooker/transitionnetwork.org-d6.profile/master/transitionnetwork.org-d6.make
Platforms page:
https://tn.puffin.webarch.net/hosting/platforms
comment:48 Changed 2 years ago by paul
Just successfully built a new stage platform. Not certain what changed but I suspect some cache somewhere got cleared. I'll see if I can get this ticket resolved ..
comment:49 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 1.5
- Total Hours changed from 5.3 to 6.8
Security updates have been applied to both transitionnetwork.org & news.transitionnetwork.org
Tasks done:
- Built a new stage platform
- Migrated my stage site to the new platform.
- Logged in and checked the site.
- Built a new production platform
- Migrated transitionnetwork.org & news.transitionnetwork.org to the new production platform.
- Logged in and checked the sites.
I noticed when going through the log messages on production that I had missed the warning messages about custom_breadcrumbs. This module was already commented out in the makefile, so hopefully all is good. @Sam Would you have a look over the site to see if everything is ok? I'll try and get back later this evening if there are any problems.
Also deleted all of the failed platforms from the past couple of days.
Best, Paul
comment:50 Changed 2 years ago by sam
Hi Paul
Thanks for this. All the breadcrumbs look OK to me.
Thanks
Sam
comment:51 Changed 2 years ago by paul
Thanks Sam. That's good to hear. Phew!
comment:54 Changed 2 years ago by ed
Good news well done Paul - don't forget to thank the omega8 folks for their support - and close this ticket :)
comment:55 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 6.8 to 6.925
Cheers Ed. I updated / closed the ticket.
@Chris
Thanks for suggesting working with Omega to fix the problem. That was the right call :) Hope you're feeling better.
Have a great weekend, gentlemen.