Drupal6 needs security updates

Asked by barsalou on 2009-07-09

Drupal6 for jaunty seems a few security revs behind. According to the Drupal site, 6.13 is the latest package and fixes 'critical security vulnerabilities'.

What needs to be done in order to upgrade the package in the repository?

Question information

Language: English
Status: Answered
For: Ubuntu drupal6
Assignee: No assignee
Last query: 2009-07-15
Last reply: 2010-03-15

actionparsnip said : #1

You have 2 choices

1) Compile from source (can get messy)
2) Use a PPA (extra repo) to install the newer version

Johan Van de Wauw (johanvdw) said : #2

This is a known problem:
https://bugs.launchpad.net/ubuntu/+source/drupal6/+bug/395004

Personally, I would advise you to use drupal not from the repository but from the original package. That way updates can be done immediately. No compilation is required as they are only scripts. More info on installing drupal w/o repository:
https://help.ubuntu.com/community/Drupal

barsalou (barjunk) said : #3

Quoting actionparsnip <email address hidden>:

> Your question #76464 on drupal6 in ubuntu changed:
> https://answers.launchpad.net/ubuntu/+source/drupal6/+question/76464
>
> Status: Open => Answered
>
> actionparsnip proposed the following answer:
> You have 2 choices
>
> 1) Compile from source (can get messy)
> 2) Use a PPA (extra repo) to install the newer version
>

Thanks for the suggestions. Do you know of a PPA that currently has
this built for jaunty?

Mike B.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

barsalou (barjunk) said : #4

Quoting Johan Van de Wauw <email address hidden>:

> Your question #76464 on drupal6 in ubuntu changed:
> https://answers.launchpad.net/ubuntu/+source/drupal6/+question/76464
>
> Johan Van de Wauw proposed the following answer:
> This is a known problem:
> https://bugs.launchpad.net/ubuntu/+source/drupal6/+bug/395004
>
> Personally, I would advise you to use drupal not from the repository
> but from the original package. That way updates can be done
> immediately. No compilation is required as they are only scripts.
> More info on installing drupal w/o repository:
> https://help.ubuntu.com/community/Drupal
>

Thanks for the suggestion. There seems to already be a solution in
karmic, from what I could find...any chance this will be back ported?

Is it just a matter of time? I'd be willing to spend some of mine
given a little guidance.


Scott Testerman said : #5

The latest version of Drupal 6 available in Karmic is 6.12. Current available version is 6.13.

For Drupal 5 Karmic has 5.18; current available is 5.19.

You can easily install the current version of Drupal from the repositories and then upgrade manually. Just remember that Ubuntu won't simply drop the files into /var/www as you may be used to.

I'm trying to stay on top of the security situation with Drupal and file bugs for the new versions whenever they are released, which has been fast and furious for the past few weeks. This serves merely to keep the MOTUs abreast of the Drupal situation.

The big drawback with Ubuntu having every single security release of Drupal available in the repositories is that automatic updates have the potential to break lots of packages. Administrators running many servers, or very inaccessible servers, may be enabling the automatic security update feature of Ubuntu Server, and the Drupal security updates could easily break sites running on such servers.

I am also considering creating a PPA that will keep the latest versions of Drupal available for those who would like to avoid the whole install - immediate upgrade process (like me).

barsalou (barjunk) said : #6

Quoting Scott Testerman <email address hidden>:

> Scott Testerman proposed the following answer:
> The latest version of Drupal 6 available in Karmic is 6.12. Current
> available version is 6.13.

So should I be able to just point at that repository and do the upgrade?

>
> For Drupal 5 Karmic has 5.18; current available is 5.19.
>
> You can easily install the current version of Drupal from the
> repositories and then upgrade manually. Just remember that Ubuntu won't
> simply drop the files into /var/www as you may be used to.
>

This is what we ended up doing, but felt somehow 'wrong'. :)

> I'm trying to stay on top of the security situation with Drupal and file
> bugs for the new versions whenever they are released, which has been
> fast and furious for the past few weeks. This serves merely to keep the
> MOTUs abreast of the Drupal situation.
>
<snip>

> I am also considering creating a PPA that will keep the latest versions
> of Drupal available for those who would like to avoid the whole install
> - immediate upgrade process (like me).

This is an idea that seems reasonable. What kind of help would you
need to complete something like that?


Scott Testerman said : #7

The problem with using a repository from a different flavor of Ubuntu than the one you're using is that the dependencies may cause a failure. I haven't bothered to look into them, simply because Drupal is such an incredibly simple system to upgrade.

> This is what we ended up doing, but felt somehow 'wrong'. :)
How can anything that feels so wrong possibly not be worth doing just for the fun of it? :-D

Basically, just drop the new files on top of the old ones, taking special care to avoid overwriting any files you've customized in any way (settings.php, etc.), and run the update script just in case.

I've actually already started work on the PPA. I'm hoping to support all four flavors of Drupal5 and the two flavors of Drupal6. Maintaining all the versions isn't nearly as involved as I thought; I just want to ensure I've done everything correctly. The existing packages have some (what I consider to be) oddities so I want to test them before I post them for public consumption. I'm not, after all, wanting to step on the toes of the current Debian maintainers, who did take the time to figure out The Debian Way for Drupal and packaged it all up nicely for us. Fortunately, I have a convenient testing server. :-)

My biggest worry is that making constantly updated packages available will encourage people to upgrade to the latest version of Drupal (generally a Good Thing) without spending the effort to do all the normal Drupal upgrade steps that they would do if they performed the upgrade manually.

barsalou (barjunk) said : #8

Quoting Scott Testerman <email address hidden>:

>
>> This is what we ended up doing, but felt somehow 'wrong'. :)
> How can anything that feels so wrong possibly not be worth doing
> just for the fun of it? :-D

You got me there! :)

>
> Basically, just drop the new files on top of the old ones, taking
> special care to avoid overwriting any files you've customized in any way
> (settings.php, etc.), and run the update script just in case.
>
> I've actually already started work on the PPA. I'm hoping to support
> all four flavors of Drupal5 and the two flavors of Drupal6. Maintaining
> all the versions isn't nearly as involved as I thought; I just want to
> ensure I've done everything correctly. The existing packages have some
> (what I consider to be) oddities so I want to test them before I post
> them for public consumption. I'm not, after all, wanting to step on the
> toes of the current Debian maintainers, who did take the time to figure
> out The Debian Way for Drupal and packaged it all up nicely for us.
> Fortunately, I have a convenient testing server. :-)
>

Thanks.

> My biggest worry is that making constantly updated packages available
> will encourage people to upgrade to the latest version of Drupal
> (generally a Good Thing) without spending the effort to do all the
> normal Drupal upgrade steps that they would do if they performed the
> upgrade manually.

Not sure I understand how upgrading manually has an advantage...is it
because Drupal could easily break? Do you mind sharing some of your
reasons you think a manual upgrade is superior?

Maybe we could add checks in the package that would stop someone from
hurting themselves...or at least warn them that they might.

Mike B.


Scott Testerman said : #9

Before upgrading Drupal it's necessary to turn off all non-core modules since they can easily break the Drupal upgrade. When installing new Drupal packages using the standard apt system, there's no way to check that the modules are, in fact, turned off.

Further, the system in question may be headless, as well as auto-updated, which means that even if there's a way to check and display a message about breakage, it may not be seen. In this instance, it means that the expected auto-upgrades would cease to happen since the system would forever be waiting for somebody to answer a message that couldn't be answered.

This all means Ubuntu will happily break a working Web site, just as it was asked to do. While you and I know that this is simply poor management skills on the part of the admin in question, the net effect is simply going to be, "I refuse to use Ubuntu any more because it broke my site." That's bad for Ubuntu, and very possibly bad for Debian if the user assumes it's a Debian thing rather than something specific to Ubuntu. I don't want the convenience of installing Drupal in under 30 seconds to detract from Ubuntu's reputation.

OTOH, I really would like to see more frequent updates to Drupal in the repositories, especially since this is a Universe -- and therefore, officially unsupported -- package. Ubuntu has traditionally been fairly quick with rolling out security updates, and I believe that unsupported applications are just as important to system security as supported applications. Since Ubuntu now comes with Universe and Multiverse enabled by default, many users probably don't even recognize the difference any more, therefore they won't know that Drupal is from a whole different world.
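The check that #8 asks for and #9 says the package cannot perform, as an added example that is not part of the thread or of the Ubuntu drupal6 package. Drupal 6 records every module in its `system` table with a `filename` relative to the Drupal root; core modules live under `modules/`, contributed ones under `sites/*/modules`, so an enabled row whose filename does not start with `modules/` is a contrib module that should be disabled before the core files are replaced. The function names, the `--demo` flag, the database credentials and the sample rows are this example's own assumptions.

```shell
#!/bin/sh
# Added example: refuse a Drupal 6 core upgrade while contributed
# modules are still enabled. Not code from the thread or the package.

# Reads rows of "name<TAB>filename<TAB>status" on stdin (the shape that
# `mysql -N -B` prints) and writes the names of enabled non-core modules.
# Core modules have filenames beginning with "modules/"; anything else
# enabled (status = 1) lives under sites/ and is contrib.
enabled_contrib_modules() {
    awk -F'\t' '$3 == 1 && index($2, "modules/") != 1 { print $1 }'
}

# Pulls the rows from a live site. DB name and user are assumptions;
# take them from $db_url in settings.php on a real system.
drupal6_system_rows() {
    db=$1; user=$2
    mysql -N -B -u "$user" -p "$db" \
        -e "SELECT name, filename, status FROM system WHERE type = 'module'"
}

# Returns 0 when no contrib module is enabled, 1 (with a list on stderr)
# otherwise. Suitable as a gate in front of any script that replaces
# the core files, or as a preinst check in a locally built package.
check_upgrade_safe() {
    offenders=$(enabled_contrib_modules)
    if [ -n "$offenders" ]; then
        echo "refusing to upgrade: enabled non-core modules:" >&2
        echo "$offenders" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Constructed sample rows (not real site data): one core module, two
# enabled contrib modules and one disabled contrib module.
SAMPLE=$(printf '%s\t%s\t%s\n' \
    node  modules/node/node.module                  1 \
    views sites/all/modules/views/views.module      1 \
    cck   sites/all/modules/cck/content.module      0 \
    token sites/default/modules/token/token.module  1)

# Dry run against the sample: ./check.sh --demo
# Live run:               drupal6_system_rows drupal6 drupal | check_upgrade_safe
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | check_upgrade_safe
fi
```

On a headless, auto-updated box the safer complement is to keep apt from touching the package at all until an admin has run such a check: `echo drupal6 hold | dpkg --set-selections`, or listing `"drupal6"` in `Unattended-Upgrade::Package-Blacklist` in `/etc/apt/apt.conf.d/50unattended-upgrades`, leaves the rest of the system's security updates flowing while the site upgrade stays a deliberate step.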

barsalou (barjunk) said : #10

Quoting Scott Testerman <email address hidden>:

> Your question #76464 on drupal6 in ubuntu changed:
> https://answers.launchpad.net/ubuntu/+source/drupal6/+question/76464
>
> Status: Open => Answered
>
> Scott Testerman proposed the following answer:
> Before upgrading Drupal it's necessary to turn off all non-core modules
> since they can easily break the Drupal upgrade. When installing new
> Drupal packages using the standard apt system, there's no way to check
> that the modules are, in fact, turned off.
>
So that would imply I'd have to come up with a way to check if they
are on or off....that would solve this little headache.

> Further, the system in question may be headless, as well as auto-
> updated, which means that even if there's a way to check and display a
> message about breakage, it may not be seen. In this instance, it means
> that the expected auto-upgrades would cease to happen since the system
> would forever be waiting for somebody to answer a message that couldn't
> be answered.

I wonder how many systems that are headless and auto-updated are using
drupal? I suppose it's quite a few because of the popularity. I
wonder if adding some sort of switch within the drupal update could
account for that?

>
> This all means Ubuntu will happily break a working Web site, just as it
> was asked to do. While you and I know that this is simply poor
> management skills on the part of the admin in question, the net effect
> is simply going to be, "I refuse to use Ubuntu any more because it broke
> my site." That's bad for Ubuntu, and very possibly bad for Debian if
> the user assumes it's a Debian thing rather than something specific to
> Ubuntu. I don't want the convenience of installing Drupal in under 30
> seconds to detract from Ubuntu's reputation.

I'm in agreement here, sullying Ubuntu or Debian for the sake of
convenience isn't a good idea.

This makes me wonder if doing a patch might be a better choice?

>
> OTOH, I really would like to see more frequent updates to Drupal in the
> repositories, especially since this is a Universe -- and therefore,
> officially unsupported -- package. Ubuntu has traditionally been fairly
> quick with rolling out security updates, and I believe that unsupported
> applications are just as important to system security as supported
> applications. Since Ubuntu now comes with Universe and Multiverse
> enabled by default, many users probably don't even recognize the
> difference any more, therefore they won't know that Drupal is from a
> whole different world.

This is especially true of the crowd that says 'I refuse to use Ubuntu
...' as mentioned above. Additionally, I've heard folks say 'no use
in using the Ubuntu package because security updates don't come out
very fast...'

There may not be a way to win in this particular arena.

Mike B.


Scott Testerman said : #11

I just wanted to let you know that I've started a PPA with the currently-released versions of Drupal5 and Drupal6. They appear to install correctly, and they upgrade existing installations correctly. If you're interested in taking a look at them, they're here:

https://launchpad.net/~scott-testerman/+archive/ppa

Andrew Stromme (astromme) said : #12

@Scott

Thanks for the repository. Browsing it on launchpad it seems to only have i386 builds. Any chance for amd64 builds too?

Thanks

Scott Testerman said : #13

The packages are copied directly from the Ubuntu repositories and simply updated with the latest available Drupal releases. There's actually no architecture; architecture in the packages is set to "all." They should install fine on any machine.

matthewcford (matt-bitzesty) said : #14

For a manual install I extracted the latest drupal to /usr/share/drupal6, then replaced profiles and sites with the correct symlinks (/etc/drupal/6/), then ran /update.php
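The file-replacement step from #7 ("drop the new files on top of the old ones, taking special care to avoid overwriting settings.php") done against the Ubuntu layout #14 describes, as an added example that is neither poster's script nor part of the package. It assumes the Debian/Ubuntu arrangement given in the thread: code under /usr/share/drupal6, with sites and profiles symlinked into /etc/drupal/6/ (settings.php therefore lives outside the code tree). The backup directory, the keep list, the function names and the `--run` flag are this example's own choices. It handles only the files: disabling contrib modules beforehand and running update.php afterwards, as the thread says, still apply, and the release tarball should be checked against the checksum published on its drupal.org release page before it is extracted.

```shell
#!/bin/sh
# Added example: overlay a freshly extracted Drupal 6 release onto an
# Ubuntu-packaged tree without disturbing the package's symlinked
# configuration. Not code from the thread or from the drupal6 package.
set -eu

# Top-level entries of the Drupal root that must survive the overlay.
# The package points both at /etc/drupal/6/; the release tarball ships
# real directories with the same names, which must not replace them.
KEEP="sites profiles"

# backup_tree ROOT DEST: archive the live tree first. tar records the
# sites/profiles symlinks as symlinks, so the backup restores cleanly.
backup_tree() {
    root=$1; dest=$2
    mkdir -p "$dest"
    tar -C "$root" -cf "$dest/drupal6-$(date +%Y%m%d%H%M%S).tar" .
}

# overlay_release NEWDIR ROOT: replace every top-level entry of ROOT with
# the one from the extracted release, except the kept entries. Dotfiles
# are included because the release's .htaccess carries access rules
# (e.g. for *.inc and *.module) that must not be left at an older version.
overlay_release() {
    new=$1; root=$2
    for entry in "$new"/* "$new"/.[!.]*; do
        [ -e "$entry" ] || continue        # unmatched glob pattern
        name=${entry##*/}
        case " $KEEP " in *" $name "*) continue ;; esac
        rm -rf "$root/$name"
        cp -a "$entry" "$root/$name"
    done
}

# is_kept_symlink ROOT NAME: true if ROOT/NAME is still the package's symlink.
is_kept_symlink() { [ -L "$1/$2" ]; }

# upgrade_drupal6 NEWDIR [ROOT] [BACKUPDIR]: back up, overlay, then
# confirm the configuration symlinks were left alone.
upgrade_drupal6() {
    new=$1; root=${2:-/usr/share/drupal6}; backups=${3:-/var/backups/drupal6}
    backup_tree "$root" "$backups"
    overlay_release "$new" "$root"
    for k in $KEEP; do
        is_kept_symlink "$root" "$k" ||
            echo "warning: $root/$k is no longer a symlink into /etc/drupal/6/" >&2
    done
    echo "files replaced; now run update.php as user 1 and re-enable modules" >&2
}

# Usage: ./upgrade.sh --run /tmp/drupal-6.13 [/usr/share/drupal6] [/var/backups/drupal6]
if [ "${1:-}" = "--run" ]; then
    shift
    upgrade_drupal6 "$@"
fi
```

Because the kept entries are skipped rather than merged, a release that adds new files under profiles/ (the default install profile, for instance) will not have them picked up; on the Ubuntu layout those would need to be copied into /etc/drupal/6/ by hand, which is one more reason to read the release notes before running this.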
