Installing OpenSSH 6.6p1 on Ubuntu 13.10 “Saucy”

Ubuntu 14.04 includes a new version of OpenSSH. Version 6.2, which is present in Saucy has a vulnerability which potentially could lead to it being exploited. If you are doing PCI compliance, then fixing this is a must!

Luckily, replacing OpenSSH is pretty easy. This install assumes you are using 13.10, and that you already have OpenSSH installed and configured, and that you have already installed the Ubuntu 13.10 build dependencies. If you’ve ever compiled something from source, then you will have this. If you don’t, then use  Continue reading →

The following packages have been kept back

If you’ve ever seen the words “The following packages have been kept back” you’ll know it can be pretty frustrating. You’ve told it to update, why isn’t it updating?

This occurs because the package has had it’s dependencies changed. It’s either going to install more or uninstall software the new version doesn’t need. A lot of replies will tell you to do a dist-upgrade.

This is a very bad idea, unless you know what you are doing. This will cause a LOT of changes to your system, and it’s not massively unusual to see it prevent a system running until you sort out a raft of post dist-upgrade issues. Now, some people will argue that you should always dist-upgrade, and deal with issues as they crop up, and while there’s merit to this, you can’t do it on a production system, especially just because you need to upgrade a package.

What’s the solution?


apt-get update
apt-get dselect-upgrade


This will then follow up with the usual explanation of which packages will be added or removed. Type in “y” like you normally do, and it will install/uninstall/upgrade your packages. Done.

Patching a large web application while using svn

When using a large web application such as Magento, sometimes you need to make a large “instant” change to code, such as patching to a later version.
The suggested method is to effectively “reinstall” magento, that is to set up a fresh install, copy any user created modules, and upgrade the database.

If you use svn to manage your source code, this can prove a challenge, with seeming perpetual locks preventing you from committing the patch changes. The following method works on this basis:

1. Site is taken offline, the upgrade cannot progress (or won’t work) if the site is up and attempting to field requests.
2. The code base for the project will be reverted to the new patched version. You need to make changes to any core modules you’ve change again, which is why it’s generally a “very bad idea” to change core magento files. You may find that database errors crop up that you cannot easily overcome.
3. Any modules added later are then copied across.
4. Any files which it is safe to use the old version of, may be copied.

Of course, before applying this patch, you need to apply it to a test environment, and thoroughly test your site for things which break. In upgrading 6 “patches” worth of changes (18 months) there were a number of new features which required code and skin changes to function.

#Take down your site! If you do not, your database will get mangled!
#Back up database, because once you upgrade the site code the first request will trigger a pile of database changes
$mysqldump -uroot -p magento > livedump(date).sql
#backup magento directory
$mv /var/www/magento /var/www/magentobak
#unzip latest magento folder
$cp enterprise-1.11.2.0.tar-2012-01-05-07-40-21.gz /var/www/enterprise.tar.gz
$cd /var/www
$tar -xvf enterprise.tar.gz
#Change permissions to 777 (fine for test environment)
$chmod -R 777 magento
#Use a pre-created script to copy files that need to be copied such as modules and skins
#Access IP address of server to force database update (do it only ONCE!, otherwise it will try and upgrade the database once per request).
$lynx 127.0.0.1 #If you have a catch-all vhost setup
#Once this completes, your /var/www/magento directory will now contain a functioning(hopefully) upgraded version of magento. You can switch it out for magentobak and use mysql to roll back your database if the whole thing doesn't work.

But now subversion is broken, so what’s the solution to that?
This assumes you have rsync installed (and obviously, subversion)

$cd /var/www
#Make a folder to create your new mix of svn and the new live site
$mkdir svnworking
#Copy the root svn files
$cp -r magento/.svn svnworking/
$cd svnworking
#Update to latest version of the repository
$svn up .
#Tell svn to delete all files
$ls . | xargs svn delete
#Commit the changes
$svn commit -m "Armageddon!"
#Copy all files from live site to working directory
$rsync -av --delete --force --exclude=".svn" --exclude="log/*" --exclude="locks/*" --exclude="*cache*" ../magento/ ./
#Add all the files to repository
$svn status | grep -v "^.[ \t]*\..*" | grep "^?" | awk '{print $2}' | xargs svn add
#Commit files to repository
$svn commit -m "Patched magento to 1.11.2.0, code reset for all files"

Now this will do fine in a small environment. By doing this, you effectively cause anyone with a checked out copy untold potential grief.
This is actually a good thing, because they need to “start again” and make sure their code is going to work with the new version of magento. Obviously updating something like magento, is something you do in concert with your developers, rather than without their knowledge.