Ticket #925 (new defect)
Piwik 2.16.3
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | Unassigned | Keywords: | |
| Cc: | sam | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 0.85 |
Description
The Changelog contains:
Security release
This release is rated critical.
The Piwik security engineering team has internally identified a critical security issue and has fixed it in Piwik 2.16.3. We recommend all users to upgrade to this latest version.
Database upgrade
Note: This release contains major database upgrades and upgrading your database will take a long time if you have a lot of data in your database.
Please make sure you read the Update Piwik guide for high traffic instances.
Attachments
Change History
comment:1 Changed 7 weeks ago by chris
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 0.0 to 0.5
comment:2 Changed 7 weeks ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.5 to 0.75
Request from the Piwik developers:
Can you look in PHP info output, what is your PDO and pdo_mysql versions?
So following the link from the documentation at PenguinServer#APCStatsandPHPinfo we have:
The above has been posted in the forum as requested.
comment:4 follow-up: ↓ 5 Changed 7 weeks ago by sam
Hi Chris

Could you stop working on this ticket please. We're now using google analytics so it's now a legacy machine. Would be great to retain access to it for a few days though so I can make sure all the data we need is out of there/ set up on Google.

Thanks
Sam

On 4 October 2016 at 10:24, Transition Technology Trac <trac@tech.transitionnetwork.org> wrote:

> #925: Piwik 2.16.3
> ----------------------------------+-----------------------------------
> Reporter: chris | Owner: chris
> Type: defect | Status: new
> Priority: critical | Milestone:
> Component: Unassigned | Resolution:
> Keywords: | Estimated Number of Hours: 0.0
> Add Hours to Ticket: 0.25 | Billable?: 1
> Total Hours: 0.5 |
> ----------------------------------+-----------------------------------
> Changes (by chris):
>
> * hours: 0.0 => 0.25
> * totalhours: 0.5 => 0.75
>
>
> Comment:
>
> Request [https://forum.piwik.org/t/array-to-string-conversion-piwik-2-16-3/21178/4 from the Piwik developers]:
>
> > Can you look in PHP info output, what is your PDO and pdo_mysql
> > versions?
>
> So following the link from the documentation at
> PenguinServer#APCStatsandPHPinfo we have:
>
> [[Image(penguin_phpinfo_pdo.png)]]
>
> The above has been [https://forum.piwik.org/t/array-to-string-conversion-piwik-2-16-3/21178/6 posted in the forum] as requested.
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/925#comment:2>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
comment:5 in reply to: ↑ 4 Changed 7 weeks ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.75 to 0.85
Replying to sam:

> Could you stop working on this ticket please.

OK, but in order to reply to you I have to work on it... but point taken, I won't upgrade the site to the latest version.

> We're now using google analytics so it's now a legacy machine.

OK

> Would be great to retain access to it for a few days though so I can make
> sure all the data we need is out of there/ set up on Google.

How do you not have access to it? Do you need to reset the password? If so there is a link for that at the bottom of the page here:
comment:6 Changed 7 weeks ago by chris
Also note that although you have removed the Piwik webbug from http://transitionnetwork.org/ this server is still collecting data from other sites, Reconomy, the Movie site and archives:
comment:9 Changed 7 weeks ago by sam
Hi Chris, thanks.

All I meant is it would be great if you could not delete it from your server until we give you confirmation next week.

Thanks
Sam

On 4 October 2016 at 14:41, Transition Technology Trac <trac@tech.transitionnetwork.org> wrote:

> #925: Piwik 2.16.3
> ----------------------------------+-----------------------------------
> Reporter: chris | Owner: chris
> Type: defect | Status: new
> Priority: critical | Milestone:
> Component: Unassigned | Resolution:
> Keywords: | Estimated Number of Hours: 0.0
> Add Hours to Ticket: 0.1 | Billable?: 1
> Total Hours: 0.75 |
> ----------------------------------+-----------------------------------
> Changes (by chris):
>
> * hours: 0.0 => 0.1
> * totalhours: 0.75 => 0.85
>
>
> Comment:
>
> Replying to [comment:4 sam]:
> >
> > Could you stop working on this ticket please.
>
> OK, but in order to reply to you I have to work on it... but point taken,
> I won't upgrade the site to the [https://piwik.org/changelog/piwik-2-16-4/ latest version].
>
> > We're now using google analytics so it's now a legacy machine.
>
> OK
>
> > Would be great to retain access to it for a few days though so I can make
> > sure all the data we need is out of there/ set up on Google.
>
> How do you not have access to it? Do you need to reset the password? If so
> there is a link for that at the bottom of the page here:
>
> * https://stats.transitionnetwork.org/
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/925#comment:5>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.



Following the notes at wiki:PiwikServer#Updates
```
vi /web/stats.transitionnetwork.org/piwik/config/config.ini.php
cd /web/stats.transitionnetwork.org/
cp piwik/config/config.ini.php .
export PIWIK="2.16.3"
wget "https://builds.piwik.org/piwik-$PIWIK.tar.gz"
wget "https://builds.piwik.org/piwik-$PIWIK.tar.gz.asc"
gpg --verify piwik-$PIWIK.tar.gz.asc
gpg: Signature made Mon Oct 3 00:38:49 2016 BST using RSA key ID 5590A237
gpg: Good signature from "Matthieu Aubry <matt@piwik.org>"
gpg: aka "Matthieu Aubry <matt@piwik.pro>"
gpg: aka "Matthieu Aubry <matthieu.aubry@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 814E 346F A01A 20DB B04B 6807 B5DB D592 5590 A237
tar -zxvf piwik-$PIWIK.tar.gz
cp config.ini.php piwik/config/
chown -R www-data:www-data piwik/
php /web/stats.transitionnetwork.org/piwik/console core:update
*** Update ***
Database Upgrade Required
Your Piwik database is out-of-date, and must be upgraded before you can continue.
Piwik database will be upgraded from version 2.16.2 to the new version 2.16.3.
The following dimensions will be updated: log_visit.visit_entry_idaction_url.
This is a major update! It will take longer than usual.
*** Note: this is a Dry Run ***
ALTER TABLE `log_visit` MODIFY COLUMN `visit_entry_idaction_url` INTEGER(11) UNSIGNED NULL DEFAULT NULL;
*** End of Dry Run ***
A database upgrade is required. Execute update? (y/N) y
Starting the database upgrade process now. This may take a while, so please be patient.
*** Update ***
Database Upgrade Required
Your Piwik database is out-of-date, and must be upgraded before you can continue.
Piwik database will be upgraded from version 2.16.2 to the new version 2.16.3.
The following dimensions will be updated: log_visit.visit_entry_idaction_url.
The database upgrade process may take a while, so please be patient.
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
WARNING [2016-10-03 10:28:22] /web/stats.transitionnetwork.org/piwik/libs/Zend/Db/Statement/Pdo.php(228): Notice - Array to string conversion - Piwik 2.16.3 - Please report this message in the Piwik forums: http://forum.piwik.org (please do a search first as it might have been reported already)
Executing ALTER TABLE `log_visit` MODIFY COLUMN `visit_entry_idaction_url` INTEGER(11) UNSIGNED NULL DEFAULT NULL... Done. [1 / 1]
Piwik has been successfully updated!
It appears you have executed this update with user root:root, while your Piwik files are owned by www-data:www-data.
To ensure that the Piwik files are readable by the correct user, you may need to run the following command (or a similar command depending on your server configuration):
$ chown -R root:root /web/stats.transitionnetwork.org/piwik
```

So I have posted the above to the forum.
The web system check looks OK, but there is this warning:
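On the `gpg --verify` step in the update log above (an added example, not part of the ticket or the wiki procedure): gpg reports "Good signature" for any key in the keyring and warns that this one is not certified, so the check only means something if the signing key's fingerprint matches a value obtained out of band. The sketch below pins the fingerprint printed in the log and parses gpg's `--status-fd` output; `check_status` and `verify_release` are hypothetical helper names, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the ticket): pin the release signing key by fingerprint.
# Fingerprint as printed by gpg in the update log above, spaces removed.
# Confirm it against the project's published fingerprint before relying on it.
EXPECTED_FPR="814E346FA01A20DBB04B6807B5DBD5925590A237"

# Constructed sample --status-fd lines; fields other than the fingerprints
# are illustrative values.
SAMPLE_GOOD="[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-10-02 1475451529 0 4 0 1 8 00 $EXPECTED_FPR"
OTHER_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_OTHER_KEY="[GNUPG:] VALIDSIG $OTHER_FPR 2016-10-02 1475451529 0 4 0 1 8 00 $OTHER_FPR"

# check_status EXPECTED_FPR   (reads gpg status lines on stdin)
# Succeeds only if a VALIDSIG line is present whose last field, the primary
# key fingerprint, equals the pinned value and no bad/expired/revoked
# status line was seen. Anything else fails closed.
check_status() (
    expected="$1"; fpr=""; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)  fpr="${line##* }" ;;
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] ERRSIG "*)    bad=1 ;;
            "[GNUPG:] EXPSIG "*)    bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*) bad=1 ;;
            "[GNUPG:] REVKEYSIG "*) bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
)

# verify_release TARBALL
# Real use: needs gpg, the key in the keyring, and TARBALL.asc beside TARBALL.
verify_release() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}
```

In the procedure above this would run as `verify_release "piwik-$PIWIK.tar.gz" || exit 1` before the `tar -zxvf` step.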