Ticket #864 (closed maintenance: wontfix)

Opened 17 months ago

Last modified 11 months ago

BOA 2.4.5

Reported by: chris
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Live server
Keywords:
Cc: ade, sam, paul, annesley
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.3

Description

A new version of BOA came out on Friday:

### Stable BOA-2.4.5 Release - Full Edition
### Date: Fri Jul 10 11:25:43 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.5
### Latest hotfix added on: Fri Jul 10 14:49:11 PDT 2015

  @=> Includes Aegir Hostmaster 2.x-head with improvements
  @=> Includes Aegir Provision 3.x-head with improvements
  @=> Includes Drush 7 customized for BOA

# Release Notes:

  This BOA release includes PHP security upgrade for versions 5.6, 5.5 and 5.4
  plus security upgrade for Redis server and four updated Octopus platforms.

  Support for Drupal 8 is temporarily removed, because now it would require
  an upgrade to Drush 8, which in turn completely removes support for PHP 5.3,
  while it's still more important to support legacy Pressflow 6 sites, if they
  are not ready to move beyond PHP 5.3 yet, than trying to support some
  (too fast) moving targets like Drupal 8 beta, and Drush 8 head.

# Updated Octopus platforms:

  Commerce 2.26 ---------------- https://drupal.org/project/commerce_kickstart
  Commons 3.28 ----------------- https://drupal.org/project/commons
  OpenAtrium 2.43 -------------- https://drupal.org/project/openatrium
  Panopoly 1.25 ---------------- https://drupal.org/project/panopoly

# Changes:

  * Drupal 8 is not supported until we can switch to Drush 8 and remove PHP 5.3

# System upgrades:

  * Nginx 1.9.2
  * PHP 5.4.43
  * PHP 5.5.27
  * PHP 5.6.11
  * Redis 3.0.2

See also:

Change History

comment:1 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.3
  • Total Hours changed from 0.0 to 0.3

The security upgrade for Redis server is referenced in Redis 3.0 release notes:

--[ Redis 3.0.2 ] Release date: 4 Jun 2015

Upgrade urgency: HIGH for Redis because of a security issue.
                 LOW for Sentinel.

* [FIX] Critical security issue fix by Ben Murphy: http://t.co/LpGTyZmfS7
* [FIX] SMOVE reply fixed when src and dst keys are the same. (Glenn Nethercutt)
* [FIX] Lua cmsgpack lib updated to support str8 type. (Sebastian Waisbrot)

* [NEW] ZADD support for options: NX, XX, CH. See new doc at redis.io.
        (Salvatore Sanfilippo)
* [NEW] Sentinel: CKQUORUM and FLUSHCONFIG commands back ported.
        (Salvatore Sanfilippo and Bill Anderson)

Reading the Redis EVAL Lua Sandbox Escape blog post, it is clear that to exploit this someone would have to run the attack via another vulnerability; Redis only listens on 127.0.0.1, and in addition they would have to brute force the password, so this isn't a critical issue for us.

I am however concerned that since we now appear to have adopted a policy of not updating BOA that if there is a future issue we will have to skip lots of versions when we upgrade and this, in itself, could cause problems, see:

Should this ticket and all three linked above be marked won't fix to reflect the policy decisions to not upgrade BOA?
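The comment above rests on three assumptions: Redis is bound to loopback only, a password is required, and the server will eventually carry the 3.0.2 fix. The following is an added example (not part of this ticket or of BOA) that audits those assumptions against a redis.conf and the output of INFO; the sample config, the INFO snippet and the 32-character password threshold are constructed for illustration.

```python
"""Audit the Redis assumptions in the ticket comment: loopback bind, requirepass, version >= 3.0.2."""
import re

# Version named in the quoted 3.0.2 release notes as carrying the security fix.
FIXED_VERSION = (3, 0, 2)

# Constructed sample inputs: a pre-upgrade host with a weak password.
SAMPLE_CONF = "bind 127.0.0.1\nrequirepass s3cret\nport 6379\n# bind 0.0.0.0\n"
SAMPLE_INFO = "# Server\nredis_version:3.0.1\nredis_mode:standalone\n"
HARDENED_CONF = "bind 127.0.0.1 ::1\nrequirepass %s\n" % ("A" * 40)


def parse_conf(text):
    """Map each redis.conf directive to its values; blank lines and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def parse_version(info_text):
    """Extract (major, minor, patch) from the redis_version line of INFO output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(conf_text, info_text, min_password_len=32):
    """Return a list of findings; an empty list means all three assumptions hold."""
    conf = parse_conf(conf_text)
    findings = []
    binds = conf.get("bind", [])
    # A missing bind directive means Redis 3.x listens on every interface.
    if not binds or any(a not in ("127.0.0.1", "::1") for b in binds for a in b.split()):
        findings.append("bind: not restricted to loopback")
    pw = conf.get("requirepass", [""])[-1].strip('"')
    if not pw:
        findings.append("requirepass: not set")
    elif len(pw) < min_password_len:
        findings.append("requirepass: shorter than %d chars" % min_password_len)
    ver = parse_version(info_text)
    if ver is None or ver < FIXED_VERSION:
        shown = ".".join(map(str, ver)) if ver else "unknown"
        findings.append("version: %s predates 3.0.2 sandbox fix" % shown)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF, SAMPLE_INFO):
        print(f)
```

Run it against the real files with `audit(open("/etc/redis/redis.conf").read(), subprocess.check_output(["redis-cli", "INFO", "server"]).decode())`, supplying the password to redis-cli if one is set.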

comment:2 Changed 11 months ago by chris

  • Status changed from new to closed
  • Resolution set to wontfix

Closing BOA 2.4.7 ticket:889, BOA 2.4.6 ticket:872, BOA 2.4.5 ticket:864, BOA 2.4.4 ticket:863
and BOA 2.4.3 ticket:854 as wontfix -- we have stopped updating BOA, the last update was ticket:844, we have commented out all the BOA root cron jobs, see wiki:PuffinServer#LoadSpikes, the plan is to switch to WordPress around April 2016, see ticket:846#comment:86
