Page MenuHomePhabricator

Seeking Advice and Assistance: Upgrading Debian Buster XHGui Instances
Closed, ResolvedPublicSecurity


Hello everyone, I hope this message finds you well. I am reaching out to seek your valuable advice and assistance regarding a critical issue we are facing in upgrading our Debian Buster XHGui instances to Debian Bookworm.

The main challenge we are encountering stems from the fact that XHGui specifically requires a very old version of the php-twig package. More precisely, XHGui relies on php-twig v1.44.7. However, the available version of php-twig in Bookworm is v3.5.1. Unfortunately, Debian Stretch is the last release where php-twig v1.x.x was available. XHGui is known to be incompatible with versions other than v1.x.x as documented in our puppet repository.

In addition to the php-twig version compatibility issue, I want to highlight a known CVE affecting our current php-twig version, namely (CVE-2022-39261). The vulnerability has a severity score of 7.5 (High severity) according to the Common Vulnerability Scoring System (CVSS) and is remotely exploitable. Regrettably, no php-twig v1.x.x versions with the patch are available for Debian.

Considering these challenges, I would greatly appreciate your expertise and insights on determining the best approach to address this situation. In particular, I would like to hear your recommendations on the following matters:

  1. Handling the php-twig version disparity between XHGui's requirement (v1.44.7) and the available version in Debian Bookworm (v3.5.1).
  2. Mitigating the security risk posed by the known CVE (CVE-2022-39261) affecting our current php-twig version.

Your valuable input will significantly contribute to identifying the most appropriate course of action for us to pursue. Please share your thoughts, suggestions, and any alternative solutions you may have in mind.

Looking forward to your valuable insights and guidance.

Warm regards,
Andrea Denisse.

Event Timeline

I'm adding Performance-Team for guidance too, I'm wondering how much work would it be to adapt xhgui to twig 3 ? If that's a lot of work we can consider having compatible twig in bookworm (cc @Krinkle)

I had a closer look at this: Currently xhgui upstream only supports Twig 1.x. If someone from Perf team can submit patches upstream to move to current API that would be fantastic, but this seems unlikely available as a short term fix for the migration. At the minimum we should file an upstream issue to ask for support for Twig 3.

I did some investigation on the history of the current Twig package. One notable source of confusion is that the Debian source package name changed over time: Currently it's "php-twig", but older versions of Debian used "twig". Digging in Phab history when xhgui was packaged ( Dave imported the last version of Twig 1.x which was in Debian Stretch,

Since upstream xhgui doesn't yet support Twig 3 and Twig 1.x is still supported (1.44.7 came out some months ago), one other option would be to simply take the last package in use and update it to 1.44.7. I did a quick PoC build (I needed to disable the docs building due to some changes in Sphinx due to some changes between Debian 9 and 12, but not important for us) and the result can be found on build2001 in /var/cache/pbuilder/result/bookworm-amd64/php-twig_1.44.7-1_all.deb

Could you test it on the new Bookworm hosts, please? If that works then we can create a repository component component/twig1 for bookworm-wikimedia and update Puppet to use it for Bookworm.

Thanks for you assistance and support, Mortiz. I'm currently testing the changes in the Bookworm hosts and I'll keep you posted.
In the meantime I filed an upstream issue kindly asking the XHGui developers for their assistance in supporting Twig 3.

Warm regards.

As a short-term measure, I recommend we update to Twig 1.44.7 which upstream already supports.

Upstream does not support managing Composer dependencies via Debian packages, and indeed most of its dependencies have no equivalent Debian packages (only php-twig exists, the rest is custom to WMF). As such, the fact that the php-twig package was out of date for a long time, or that XHGui does not support the somewhat arbitrary version Debian happens to package, is not surprising. Indeed, most of the PHP ecosystem does not support managing depencies via Debian. This includes, perhaps most notably MediaWiki, and also WordPress.

I suggest we instead deploy XHGui from Git (initially using Scap, but possibly later using Blubber/Kubernetes like we do with Shellbox and other PHP services). This will effectively undo T254310, as we already deployed XHGui this way before that change.

Record of changes (given that gerritbot can't tag private tasks)

What remains is:

What remains is:

Ready for review at

Done. I've cherry-picked the above to the the local puppetmaster in Beta Cluster (deployment-prep).

  • decom deployment-xhgui03 from beta cluster

Done. Removed via Horizon.

  • decom xhgui1001.eqiad/xhgui2001.codfw from prod

Once the above is deployed and I've verified that we don't need to switch back, the xhgui* Debian 10 Buster hosts can be deleted from Ganeti.

Note that the webperf* hosts already run Debian 11 Bullseye.

  • decom xhgui Puppet provisioning.

Ready for review at

Decommission tasks for the Bookworm hosts: T341160, T341161

andrea.denisse awarded a token.
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 11 2023, 1:21 AM
Legoktm changed the edit policy from "Custom Policy" to "All Users".