Okay so that was a bit of a stressful afternoon,
So, got cracking, was bored for a long while because I had made a backup first, took a while to upload to Dropbox where we stash our backups for great justice (they recently increased pro members' storage space tenfold, so I should tweak the backup settings a bit so we can keep backups for longer - but I digress).
Then I did the ol' do-release-upgrade command, which will trigger the Ubuntu update mechanism. When I started we were at Ubuntu 11.04 I think, some version from 2011, which wasn't maintained anymore - regular Ubuntu versions are supported for about a year, I believe. The first upgrade went to 12.04, from 2012, which is an LTS release (long-term support) which gets security updates for five years. The main reason I started this project, the Bash exploit, would have been covered under that release.
Anyway, did the thing, twiddled my thumb, and wonder of wonders after about half an hour, it was done. The server restarted and... well, that was kind of the anticlimax of my day, since everything seemed to be working fine. The upgrade process did indicate there was a difference between config files between the ones we had and the ones that it wanted to install, but most of that configuration were attempted performance tweaks I did myself, things like allowing mysql to use more memory - I figured those were easy enough to redo.
Of course, I wasn't content - I figured since I'm at it, why not keep upgrading to (eventually) the 14.04 version, this year's long-term support version. So I did another do-release-upgrade because the other one seemed to be easy enough,
Might've had a more relaxed afternoon if I hadn't done that, lol. The site didn't work out of the box anymore after the update, and I had to spend some time trying to figure out what was wrong. The first issue was that there was some changes in how the webserver (Apache) communicates with PHP, something having to do with a socket file (everything's a file in linux) having changed permission. After some and editing configuration files, I managed to fix it - had to redo the basic webserver -> php configuration, and change the configuration given by every tutorial ever to look for a socket instead of a HTTP server somewhere. TL;DR stuff.
I think that's when the front page was back online, fhtagn! However, the forums weren't; it gave me the 'database error' screen, and since vB sucks, it didn't give me any clue what was actually wrong. However, after some googling, I quickly discovered that the version of vBulletin we're on - 3.8.4 I believe - isn't compatible with the newer versions of PHP or MySQL. The last upgrade apparently upgraded php to 5.5 and MySQL to 5.5, and it is said our version of vB doesn't support those. TBF, PHP made some pretty big changes in those versions, apparently.
Anyway, so first I went like "Oh that's okay we'll just downgrade php, easy right?". Well not rly, apparently; I lost my cool and started to blindly follow instructions on the internets, removing php and apache, etc. Didn't make it easier. I eventually just reinstalled apache and mysql, but that caused other problems - the front page gave a big-ass FORBIDDEN error, mainly.
I did some googling and tried a lot of shit, but eventually it turned out that the problem was in Apache, which was upgraded from 2.2 to 2.4. It seems that in that update, the configuration for granting or denying access to folders had changed. In the webserver configuration, there's a few blocks that go like this:
Code:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from 80.82.65.17
<!-- list of other banned IP addresses-->
</Directory>
But that Order / allow thing had apparently changed. It took me far too long to find out that every instance of 'Order allow, deny allow from all' had to be changed to 'Require all granted' and similar statements.
Anyway, sorted that out, and I got the front page back online at least. The forums were still down though, so I should get to downgrading php / mysql again.
But then I went "fuck it". My nerves were already frayed by then, I knew our version of vB was outdated, and it was advertised that vB 3.8.8 would work with the newest versions of PHP and MySQL. So I took a gamble and decided to just renew our license and upgrade. I spent $200 - which was in my PayPal account, so we had that in accumulated donations at least - and renewed the license.
Downloaded vB 3.8.8, the latest (and probably last) of the 3.x versions, uploaded it, ran the install scripts, and... whoa, it just works!1one. TIL shelling out $200 to renew our vB license and upgrading vB is probably easier than downgrading php / mysql,
.
Fangu reported that some of the images were borked though, but that's because we customized the images (icons and the like) by simply overwriting them; I don't know if that can be done on a per-theme basis actually. But I copied those over and they look fine again.
Let me know if something's still broken; I've only done a quick scan of things. I think FTP access isn't working right, I'll need to check that.
Also, since I bought the license, we should probably discuss upgrading to vBulletin 5; I don't know anything about it, but if I were to guess I'd say we'd have to redo the forum styling. But I'll have to dig into that I guess.
edit: sorry about that other downtime, I was making a post-update backup.
. I don't think TLS is directly vulnerable, at least not yet, but it might just be a matter of time before someone finds out a way to abuse the Shellshock bug.
