Ticket #863 (closed maintenance: wontfix)

Opened 17 months ago

Last modified 11 months ago

BOA-2.4.4

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Live server Keywords:
Cc: ade, paul, sam, annesley Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.31

Description

Last Friday a new version of BOA came out (for unknown reason(s) the automatic notification of new versions stopped working some months ago):

### Stable BOA-2.4.4 Release - Full Edition
### Date: Fri Jul  3 12:08:29 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.4
### Latest hotfix added on: Wed Jul  8 01:28:08 PDT 2015

  @=> Includes Aegir Hostmaster 2.x-head with improvements
  @=> Includes Aegir Provision 3.x-head with improvements
  @=> Includes Drush 7 customized for BOA

# Release Notes:

  This BOA release includes several important system upgrades and bug fixes.

  All supported Aegir platforms have been updated with latest Drupal cores.

  This version automatically switches all hosted sites to PHP 5.5 on systems
  hosted and managed remotely by Omega8.cc support team, unless you have
  explicitly switched your Octopus instance to use PHP version you prefer.
  Using PHP older than 5.5 is strongly discouraged, for security, stability and
  performance reasons.

# Changes:

  * Do not change mysql root password by default -- workaround for #642
  * Enable advagg_async_generation by default
  * Logic update for /root/.high_traffic.cnf
  * Redis Integration Module: Update to version mod-26-06-2015
  * Use modern ssl_ciphers in all templates by default

# System upgrades:

  * cURL 7.43.0 (if installed from sources)
  * Drush mini-7-30-06-2015 -- fixes #734
  * MariaDB 5.5.44
  * MariaDB Galera Cluster 10.0.20
  * Nginx 1.9.1
  * OpenSSH 6.9p1 (if installed from sources)
  * OpenSSL 1.0.1o (if installed from sources)
  * PHP 5.4.42
  * PHP 5.5.26
  * PHP 5.6.10
  * PHPRedis master-27-06-2015
  * Pure-FTPd 1.0.41
  * vnStat 1.14

# Fixes:

  * Add 'grep' to overssh -- a list of commands allowed to execute over SSH
  * Broken pdnsd configuration breaks DNS resolver -- fixes #701
  * Do not force update_agents()
  * Do not modify rkey/debug args in barracuda log/system upgrade mode
  * Don't remove Drupal 6 core themes -- fixes #738
  * Fix for legacy vnStat config
  * Fixed backboa/duobackboa retrieve from remote host -- fixes #741
  * Improve system cron tasks queue
  * Incorrect permissions on /usr/bin/optipng - fixes #722
  * Mitigate LOGJAM - fixes #723
  * Restart Postfix after system DNS update -- #701
  * Skip daily reload on high traffic instances
  * Sync SQL connection limits with _PHP_FPM_WORKERS variable - fixes #699
  * Use _AWS_URL to properly handle us-east-1 exception
  * Use 2048 bit where possible - see #723
  * Use better default value for advagg_cache_level - fixes #726

I no longer know what the Transition Network policy is regarding BOA updates; the last one, BOA 2.4.3 on ticket:854, was never applied, and as far as I'm aware there is no agreement or policy regarding what to do about PHP 5.3, see ticket:754.
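Three items in the changelog above are TLS hardening (modern ssl_ciphers in all templates, the LOGJAM mitigation, and 2048-bit parameters where possible). The script below is an added example, not BOA's code or one of its templates: a small sh audit that reads an nginx server-block fragment and reports the things those three items fix. The two sample fragments it writes are constructed for illustration (the "weak" one is a guess at what an older template might contain, not BOA's actual pre-2.4.4 config), and the dhparam path is hypothetical. The nginx default it checks for is real: before nginx 1.11.0, enabling DHE suites without `ssl_dhparam` used a built-in 1024-bit group, which is exactly the LOGJAM exposure on the Nginx 1.9.1 this release ships.

```shell
#!/bin/sh
# Added example (not BOA's code): audit an nginx TLS fragment for the three
# hardening points in the BOA 2.4.4 changelog -- modern ssl_ciphers, LOGJAM
# (DHE suites on a small or default group) and 2048-bit DH parameters.
# The sample fragments and the dhparam path are constructed for illustration.
set -eu

# Print one line per finding; return the number of findings (0 = clean).
audit_nginx_tls() {
  conf=$1
  findings=0

  # 1. Protocols: SSLv2/SSLv3 must be gone.
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*SSLv[23]' "$conf"; then
    echo "FINDING: SSLv2/SSLv3 enabled in ssl_protocols"
    findings=$((findings + 1))
  fi

  # 2. Cipher string: split on ':', skip exclusions (!X / -X) and flag legacy
  #    suites left in the enabled part. (Static check only: it does not expand
  #    aliases such as HIGH; 'openssl ciphers -v' does that on a real host.)
  ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\).*/\1/p' "$conf")
  weak=0; dhe=0
  for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
    case $tok in
      !*|-*) ;;                                              # exclusion, fine
      *EXP*|*RC4*|*DES*|*NULL*|*MD5*|*ADH*|*AECDH*) weak=1 ;;  # legacy suite
    esac
    case $tok in
      DHE-*|EDH-*|kEDH|kDHE) dhe=1 ;;   # finite-field DH suites (ECDHE-* does not match)
    esac
  done
  if [ "$weak" -eq 1 ]; then
    echo "FINDING: legacy suites (export/RC4/DES/NULL/MD5/anonymous) still enabled"
    findings=$((findings + 1))
  fi

  # 3. LOGJAM: DHE suites need an explicit ssl_dhparam of >= 2048 bits.
  #    nginx before 1.11.0 otherwise fell back to a built-in 1024-bit group.
  dh=$(sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
  if [ "$dhe" -eq 1 ] && [ -z "$dh" ]; then
    echo "FINDING: DHE suites enabled without ssl_dhparam (built-in 1024-bit group)"
    findings=$((findings + 1))
  elif [ -n "$dh" ] && [ -r "$dh" ] && command -v openssl >/dev/null 2>&1; then
    # Parameter file readable: confirm its size. (An unreadable file is not a
    # security finding; nginx would refuse to start.)
    bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null \
           | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
      echo "FINDING: $dh is ${bits:-unknown} bits; regenerate with: openssl dhparam -out $dh 2048"
      findings=$((findings + 1))
    fi
  fi
  return "$findings"
}

# Two constructed fragments (not BOA templates): a legacy one and a hardened one.
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:!aNULL;
ssl_prefer_server_ciphers on;
EOF
  cat > "$1/hardened.conf" <<'EOF'
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;   # hypothetical path; generate with: openssl dhparam -out <path> 2048
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
  if audit_nginx_tls "$dir/$f.conf"; then echo "$f.conf: clean"; else echo "$f.conf: $? finding(s)"; fi
done
rm -rf "$dir"
```

Run against a real template the hardened fragment passes and the legacy one reports three findings (SSLv3, RC4/3DES, DHE without dhparam). The cipher check is deliberately token-based so it runs anywhere; on the server itself, expanding the string with `openssl ciphers -v` against the installed OpenSSL is the authoritative check.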

Change History

comment:1 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

comment:2 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.02
  • Total Hours changed from 0.1 to 0.12

Looks like another BOA release is imminent:

Security upgrade for all supported PHP versions #750

We need an urgent upgrade and thus also new BOA release.

https://github.com/omega8cc/boa/issues/750

comment:3 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.06
  • Total Hours changed from 0.12 to 0.18

Looks like this is due to these security fixes:

  * PHP 5.6.11 is available https://php.net/archive/2015.php#id2015-07-10-3
  * PHP 5.5.27 released https://php.net/archive/2015.php#id2015-07-10-2
  * PHP 5.4.43 Released https://php.net/archive/2015.php#id2015-07-09-1

comment:4 follow-up: ↓ 5 Changed 17 months ago by sam

Hi all

So it looks like they have just updated the ticket here:
https://github.com/omega8cc/boa/issues/750

Seems like it might be related to this OpenSSL issue
https://www.openssl.org/news/secadv_20150709.txt

Which states "an attacker could cause certain checks on untrusted certificates
to be bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate."

So a worst case scenario is that someone could set up a site with a
certificate that seems to be a valid TN.org certificate?

If that is the case I'd be inclined not to worry about it too much.

I can't imagine why anyone would bother doing that? It's not like we're
PayPal.

Unless I have misunderstood?

Thanks

Sam



On 10 July 2015 at 13:42, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:

> #863: BOA-2.4.4
> -------------------------------------+-------------------------------------
>            Reporter:  chris          |                      Owner:  chris
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Live server    |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0.06           |  Estimated Number of Hours:  0.0
>         Total Hours:  0.12           |                  Billable?:  1
> -------------------------------------+-------------------------------------
> Changes (by chris):
>
>  * hours:  0.0 => 0.06
>  * totalhours:  0.12 => 0.18
>
>
> Comment:
>
>  Looks like this is due to these security fixes:
>
>  * PHP 5.6.11 is available https://php.net/archive/2015.php#id2015-07-10-3
>  * PHP 5.5.27 released https://php.net/archive/2015.php#id2015-07-10-2
>  * PHP 5.4.43 Released https://php.net/archive/2015.php#id2015-07-09-1
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/863#comment:3>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>

comment:5 in reply to: ↑ 4 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.18 to 0.28

Replying to sam:

> Seems like it might be related to this OpenSSL issue
> https://www.openssl.org/news/secadv_20150709.txt

Thanks, I hadn't seen that; I was reading this (which is rather amusing), http://backronym.fail/, which is one of the reasons for the PHP update (but this doesn't affect us).

> So a worst case scenario is that someone could set up a site with a
> certificate that seems to be a valid TN.org certificate?

I think it's more obscure than that -- it's a client issue, so it would affect the server connecting to an encrypted site. I think the interesting thing to watch will be whether there are any updates to the Debian Squeeze LTS PHP 5.3 packages as a result.
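The advisory sam links is CVE-2015-1793 (the alternative-chains certificate-forgery bug), which affected OpenSSL 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c and was fixed in 1.0.1p and 1.0.2d; note that the release notes above list OpenSSL 1.0.1o "if installed from sources", i.e. an affected version. The script below is an added example, not from the ticket, BOA or OpenSSL: using the openssl command line it builds the certificate shape the advisory talks about (a certificate "issued" with the key of an ordinary CA:FALSE leaf) and then runs the client-side path validation that chris is describing, which on a fixed OpenSSL accepts the genuine leaf and rejects the forged one. All names are placeholders. It does not reproduce the vulnerable behaviour itself, which needed a specific alternative-chain situation; it shows what the CA-flag check protects.

```shell
#!/bin/sh
# Added example (not from the ticket, BOA or OpenSSL): build a root CA, a leaf
# issued by it with basicConstraints CA:FALSE, and a "forged" certificate signed
# with the leaf's key, then run client-side chain validation against each.
# Subject names and paths are placeholders.
set -eu

have_openssl() { command -v openssl >/dev/null 2>&1; }

# Create root.pem, leaf.pem and forged.pem (plus keys) in directory $1.
make_chain() {
  d=$1
  # Root CA: explicitly CA:TRUE.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null

  # Genuine end-entity certificate issued by the root: explicitly NOT a CA.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.org" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

  # What the advisory's attacker does: treat the leaf's private key as a CA key
  # and "issue" a certificate for any name. The signing tool does not stop this;
  # only the verifier's CA-flag check does.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=forged.example.org" \
    -keyout "$d/forged.key" -out "$d/forged.csr" 2>/dev/null
  openssl x509 -req -in "$d/forged.csr" -CA "$d/leaf.pem" -CAkey "$d/leaf.key" -CAcreateserial \
    -days 30 -sha256 -out "$d/forged.pem" 2>/dev/null
}

# Does the certificate carry basicConstraints CA:TRUE?
is_ca_cert() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# Client-side path validation as a TLS client would do it: trust only root.pem,
# take leaf.pem as an untrusted intermediate sent by the server, and check $2.
# Succeeds only when every issuer on the path is a real CA.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/leaf.pem" "$2" >/dev/null 2>&1
}

if have_openssl; then
  dir=$(mktemp -d)
  make_chain "$dir"
  for c in root leaf; do
    if is_ca_cert "$dir/$c.pem"; then echo "$c.pem: CA:TRUE"; else echo "$c.pem: not a CA"; fi
  done
  for c in leaf forged; do
    if verify_with_root "$dir" "$dir/$c.pem"; then echo "$c.pem: accepted"; else echo "$c.pem: rejected"; fi
  done
  rm -rf "$dir"
else
  echo "openssl not installed; nothing to demonstrate" >&2
fi
```

On a fixed OpenSSL the output is root CA:TRUE, leaf not a CA, leaf.pem accepted and forged.pem rejected (openssl verify reports "invalid CA certificate" at depth 1). The practical point for a server such as this one is the one chris makes: the exposure is wherever the host itself acts as a TLS client (outbound HTTPS from PHP, fetching updates, and so on), because that is where the bypassed check lives.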

comment:6 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.03
  • Total Hours changed from 0.28 to 0.31

Should we mark these tickets as won't fix and only open a new BOA ticket if there is a security issue that does directly affect us -- am I right in understanding that we have given up on updating BOA on PuffinServer?

comment:7 Changed 11 months ago by chris

  • Status changed from new to closed
  • Resolution set to wontfix

Closing BOA 2.4.7 ticket:889, BOA 2.4.6 ticket:872, BOA 2.4.5 ticket:864, BOA 2.4.4 ticket:863
and BOA 2.4.3 ticket:854 as wontfix -- we have stopped updating BOA; the last update was ticket:844, we have commented out all the BOA root cron jobs (see wiki:PuffinServer#LoadSpikes), and the plan is to switch to WordPress around April 2016, see ticket:846#comment:86.
