
Re: Security question: are these vulnerabilities addressed?



Douglas Allan Tutty <dtutty@porchlight.ca> writes:

> On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
>> Andrew Sackville-West <andrew@farwestbilliards.com> writes:
>> > On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
>> >> Kamaraju S Kusumanchi <kamaraju@bluebottle.com> writes:
>> >> Our upgrade from Woody to Sarge was so disastrous, I will need more
>> >> time for this client to forget about it before I can propose another
>> >> upgrade.  :-)
>> >
>> > what were the woody -> sarge issues? perhaps they've been addressed...
>> 
>> Postgres completely fell apart, and it took many hours to piece things
>> back together.
>
> Did you have a postgres dump just prior to the upgrade?  In what way did
> it fall apart?  What did you have to do to piece things back together;
> didn't restoring from the dump work?

The data was OK, but it lost all the user accounts.  It's been a few
months now and my memory is a bit hazy, but IIRC, the format of the
Postgres password file changed between versions.  When the upgrade
failed (probably because of our unusual Postgres configuration), the
password file had to be re-created by hand.  Which all sounds pretty
straightforward, except there weren't any clear messages to indicate
this, and it took me quite a few hours to figure out the problem.  The
change in the file format wasn't documented clearly anywhere that I
could find, which I found very frustrating.  Eventually we found the
problem, deleted the password file, and re-created the accounts by
hand (fortunately nobody took our advice to reset their password), but
our server was down for several hours.

There were also a bunch of changes to PHP that wreaked havoc for us.
We were running PHP through CGI (not embedded in the Web server), and
Sarge changed how all that worked, and broke all of our existing
configurations.

If the server hadn't been down and I'd had a paper and pen, I would
have kept better track of exactly what happened.  :-)

This is the only upgrade to Sarge I did that had significant problems,
but I will admit the experience left me much less confident in the
upgrade process.

----Scott.


