Database server upgrade


Sam Kottler

Apr 4, 2013, 10:01:41 AM
to rubyge...@googlegroups.com

Greetings,

As you may have heard, there is a critical vulnerability in Postgres,
which we use on Rubygems.org [1]. Fortunately, the risk is mitigated
by the fact that the DB server is accessible only from the application
server, therefore preventing arbitrary access from outside that app
machine's security group.

Regardless, we should upgrade the database server ASAP (David and I
are thinking this weekend) to completely prevent any security issues
going forward. This will require a short period - probably less than 5
minutes - of downtime for the application. Gem installation will
continue to function normally during that time, but no new pushes will
be accepted and users won't be able to visit Rubygems.org proper.
Thoughts on an ideal time to do this?

Thanks and let me know if you have any questions!

-Sam

P.S. If you'd like to provide assistance with the Rubygems.org
infrastructure, feel free to reach out to me (samkottler) in
#rubygems-aws on Freenode or by emailing me at this address.

1. http://www.postgresql.org/support/security/ - CVE-2013-1899

Nick Quaranto

Apr 4, 2013, 1:40:09 PM
to rubyge...@googlegroups.com
Yes! Let's do it. Just flip the site into maintenance mode and keep moving forward.






Evan Phoenix

Apr 4, 2013, 1:42:13 PM
to rubyge...@googlegroups.com
Agreed! Just let us know when we should switch to maint mode.

-- 
Evan Phoenix // ev...@phx.io

Sam Kottler

Apr 5, 2013, 4:03:32 PM
to rubyge...@googlegroups.com
How does 8pm eastern US time sound?

David Radcliffe

Apr 5, 2013, 6:01:49 PM
to rubyge...@googlegroups.com
Tonight?

Sam Kottler

Apr 5, 2013, 6:12:40 PM
to rubyge...@googlegroups.com

Sorry - I meant tomorrow.
