Page MenuHomePhabricator
Create Task
Maniphest T228533

Fix geoip updaters for new MaxMind hashed keys by 2019-08-15
Closed, DuplicatePublic0 Estimated Story Points
Actions

Description

TL;DR - MaxMind sent us an email, and they're changing how their license keys work for pulling database updates, and they've flagged our account as one that's still using an older version of the updater program itself, which is not compatible with these changes. We need to look into this and update our updaters across our infrastructure before 2019-08-15. There's some refs to this in SRE's puppet repo in modules/geoip, I'm not sure if there's also other updaters being run for e.g. Analytics using the same keys that aren't driven by that puppetization.

MaxMind
Dear Customer,

Soon after August 15, 2019, we will be hashing license keys to enhance the security of MaxMind accounts. However, because you are using an older version of our GeoIP Update program, we are unable to provide this security feature for you. We recommend upgrading your GeoIP Update to our latest release and generating a new license key by following the steps below.

Upgrade your GeoIP Update.
Generate a new license key to use with GeoIP Update.
Make sure to copy down your new license key as it will not be available in full after the initial creation.
If you lose your license key, you can generate a new one on that same page. The newly generated license key will be shown to you in full only once for you to copy it down for safe keeping.

If you have any questions, please do not hesitate to contact us at support@maxmind.com.

Thank you,

MaxMind team

Related Objects

Event Timeline

BBlack triaged this task as Medium priority.Jul 19 2019, 5:22 PM
BBlack created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 19 2019, 5:22 PM
faidon subscribed.Jul 20 2019, 3:34 AM

Note that they do not say that we will stop getting updates but merely that we won't be able to benefit from this "security feature". It does sound scary on a first read, though -- I got confused myself.

We use the v2.5.0 backport of geoipupdate on stretch systems and v3.1.1 on buster. There is a new upstream, v4.0.x, that is a rewrite from C to Go, but that is not yet packaged in Debian (note that I am the Debian maintainer for geoipupdate).

I checked both the git tip of the C and the Go versions and I found no references to any sort of hashing - both seem to use HTTP Basic Auth:

curl_easy_setopt(curl, CURLOPT_USERNAME, account_id);
curl_easy_setopt(curl, CURLOPT_PASSWORD, gu->license.license_key);
if config.AccountID != 0 {
        req.SetBasicAuth(fmt.Sprintf("%d", config.AccountID), config.LicenseKey)
}

I also looked for other branches, searched their documentation, searched at maxmind.com, etc. and found no references of this whatsoever. Perhaps this is for an upcoming release that they haven't released yet?

Also: the server supports HTTPS (and geoipupdate defaults to it), so I'm not sure how the hashing of license keys is going to help with anything...

ema moved this task from Backlog to General on the Traffic board.Jul 22 2019, 9:38 AM
fdans moved this task from Incoming to Radar on the Analytics board.Jul 22 2019, 4:05 PM
Milimetric subscribed.Jul 22 2019, 4:08 PM

@faidon: we don't have any updaters on our end, we just move the databases around and keep backups for historical use. But let us know if you run into any problems.

jbond subscribed.Aug 14 2019, 4:48 PM
jbond added a project: User-jbond.Oct 30 2019, 5:58 PM
jbond moved this task from Unsorted 💣 to Watching 👀 on the User-jbond board.Oct 30 2019, 6:08 PM
Marostegui subscribed.May 13 2020, 12:26 PM

It's been around 10 months since the last update, anything pending here?

Aklapper edited projects, added Analytics-Radar; removed Analytics.Jun 10 2020, 6:33 AM
BBlack moved this task from General to Feature Requests on the Traffic board.Sep 29 2020, 8:45 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

Dzahn subscribed.Oct 4 2021, 10:13 PM

Currently working on T288844 and added puppet code that allowed us to use a second, new, license for MaxMind geoip databases. So far evaluating that this new license works and can download databases including GeoIP2-Anonymous-IP.mmdb GeoIP2-Enterprise.mmdb which we did not have previously, but doing so in parallel to the existing setup to be careful.

Dzahn mentioned this in T302864: Maxmind: GeoIP Download Failed.Mar 2 2022, 8:55 PM
BBlack moved this task from Backlog to Complicated on the Traffic-Icebox board.Apr 7 2022, 9:12 PM
Dzahn added a comment.Apr 7 2022, 11:14 PM

@BBlack This sounds like a duplicate of T303464 (and/or /T302864) to me. Maybe you can just merge it.

Dzahn added a comment.May 5 2022, 4:17 PM

I think this can be closed since it's in the past and superseded by T302864.

Dzahn closed this task as a duplicate of T302864: Maxmind: GeoIP Download Failed.May 5 2022, 4:18 PM
Dzahn mentioned this in T366272: Update puppet configuration to use GeoLite2 (free) instead of GeoIP2-Enterprise data.May 31 2024, 7:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits