Security and News Announcements

v17.0 stable on it's way

Jeremy Davis — Mon, 31 Jan 2022 05:53:42 +0000

Not displaying properly? Please read online: https://www.turnkeylinux.org/newsletter/v17.0-on-the-way

Hi there,

A couple of quick updates and a tease about the upcoming v17.0 release. Including an important announcement for early adopters of (the upcoming, as yet not officially released) v17.0/Debian Bullseye/11 based systems.

Core & TKLDev v17.0 Release Candidates - ready for battletesting

We published v17.0 release candidates of Core and TKLDev in December 2021. If you get a chance, please do not hesitate to download the ISO, give it a spin and share your feedback. Hopefully v17.0 stable releases won't be too far away...

Upcoming TurnKey v17.0/Bullseye apt repo changes - Bullseye users may need to manually clear caches

I plan to push potentially breaking updates to the TurnKey 'bullseye' and 'bullseye-testing' apt repositories early this week (Tue, 1st Feb 2022 am AEDT - UTC+11). Hopefully none of you are yet running a Debian Bullseye/11 based system in production. But if you are (or if you have a dev system that is), then you'll want to clear your apt cache(s) after I've pushed the updates. Please check the first line of the blog post announcement to be sure that I've completed the works before clearing the caches. (No harm done if you do it before I've completed the work, but little value as it needs to be cleared afterwards...).

v17.0 stable appliances coming soon...

Whilst we don't release until ready, fingers crossed, we should be ready to start publishing stable v17.0 appliances soon! I'll put up new blog post announcements as they are published and ready for use. I also intend to publish monthly roundups of appliances published to date.

Cheers,

Jeremy Davis
TurnKey GNU/Linux
Cell: +61 497-084-807
PGP fingerprint: 6EAF 8CC7 9E00 2BA5 CE5B 4580 6D0C A24B 0C5C C21B

Automated 'grub-pc' security update failing on some platforms

Jeremy Davis — Tue, 16 Mar 2021 06:55:49 +0000

A recent Debian security update for the 'grub-pc' package may be failing on some platforms.

If you are running TurnKey Linux v16.x on AWS EC2 (i.e. from AMI) or a local VM - installed from OVA or VMDK, then this likely affects you.

If you installed from ISO, or are using LXC (e.g. via Proxmox) then you are NOT affected.

For further info on diagnosing the issue and how to resolve it, please visit the Automated 'grub-pc' security update failing on some platforms blog post.

If you have further concerns or questions, please do not hesitate to post in the comments, or open your own new thread in the support section of the forums.

Regards,
Jeremy
TurnKey Linux

Debian security update breaks v15.x LAMP based servers

Jeremy Davis — Tue, 20 Nov 2018 08:26:34 +0000

An automatically installed Debian MariaDB (drop-in replacement for MySQL) security update, has broken all v15.x appliances that rely on MariaDB database engine. That means that all LAMP based appliances, such as WordPress, Drupal, Joomla and about 70% of the library will not have a functioning MySQL-compatible DB engine running.

The good news is that it's really easy to fix. Simply reinstall the 'default-mysql-server' package like this:

apt update
apt install default-mysql-server

For more info, or if you have any questions, please check out the blog post

Regards,
Jeremy
TurnKey Linux

Drupal - Highly Critical Security Issue (SA-CORE-2018-002)

Jeremy Davis — Wed, 04 Apr 2018 05:16:30 +0000

DRUPAL SECURITY ALERT

Drupal 7 & 8 (as well as 6) are vulnerable to a highly critical security issue known as SA-CORE-2018-002.

A brief overview with links to additional information can be found on our blog:

https://www.turnkeylinux.org/blog/drupal-sa-core-2018-002-remote-code-execution

The blog post also provides information on updating and/or patching v14.x appliances.

Please post any questions or feedback in the comments on the blog post. Alternatively, please start a new thread on the forums:

https://www.turnkeylinux.org/forum

Also a reminder to any users still on v13.x; that the Wheezy LTS period will end next month (May 2018). That will mean no further Debian security updates from then on. It is HIGHLY recommended that all TurnKey users who still have v13.x instances running, do a TKLBAM data migration to v14.2 or a Debian in-place upgrade to Jessie ASAP! There are some notes regarding TKLBAM data migration in our docs:

https://www.turnkeylinux.org/docs/tklbam-migrate-to-v14

Cheers,

Jeremy Davis
TurnKey GNU/Linux
Cell: +61 497-084-807
PGP fingerprint: 6EAF 8CC7 9E00 2BA5 CE5B 4580 6D0C A24B 0C5C C21B

All TurnKey Servers potentially vulnerable to Dirty COW (CVE-2016-5195) and other news

Jeremy Davis — Fri, 21 Oct 2016 07:05:23 +0000

SECURITY ALERT

All current version of TurnKey Linux are potentially vulnerable to CVE-2016-5195, a kernel privilege escalation bug tagged "Dirty COW".

TurnKey versions 13.x and 14.x should have already auto installed the updated kernel, however users need to manually reboot their servers for the patched kernel to be applied.

Users of earlier versions of TurnKey (i.e. v11.x & v12.x) are strongly urged to upgrade their systems to a supported version of TurnKey ASAP.

https://www.turnkeylinux.org/blog/dirty-cow-kernel-privilege-escalation-...

In other news:

All your computers are belong to us: the dystopian future of security is now

https://www.turnkeylinux.org/blog/all-your-computers-are-belong-to-us

Reflections on PWN2Own 2016: the state and future of computer security

https://www.turnkeylinux.org/blog/pwn2own-2016-state-of-computer-security

ZeroNet and IPFS: uncensorable auto-scaling BitTorrent powered websites

https://www.turnkeylinux.org/blog/p2p-web-hosting

Heroku is dead – no-one uses it anymore. You need to use Docker now

https://www.turnkeylinux.org/blog/you-need-to-use-docker

Comparing Debian vs Alpine for container & Docker apps

https://www.turnkeylinux.org/blog/alpine-vs-debian

Cheers,
Jeremy Davis
TurnKey GNU/Linux
Cell: +61 497-084-807
PGP fingerprint: 6EAF 8CC7 9E00 2BA5 CE5B 4580 6D0C A24B 0C5C C21B

GitLab & Magento security, new MediaServer app, other updates

Liraz Siri — Fri, 27 May 2016 14:07:04 +0000

TurnKey GitLab was vulnerable to CVE-2016-4340. Privilege escalation via "impersonate" feature. We fixed the app but existing deployments require manual update:

https://www.turnkeylinux.org/blog/gitlab-privilege-escalation

TurnKey Magento IS NOT vulnerable to CVE-2016-4010 remote PHP code execution

https://www.turnkeylinux.org/blog/magento-remote-code-execution

v14.1 Maintenance release:

https://www.turnkeylinux.org/blog/14.1-bugfixes-maintenance-and-more

New MediaServer app by Jonathan Struebel:

https://www.turnkeylinux.org/mediaserver

In non-TurnKey related news: Binary options scam - hundreds of thousands are being defrauded by sophisticated online organized crime rings and there's something we can do about it:

https://www.turnkeylinux.org/blog/binary-options-scam

Cheers,
Liraz Siri
TurnKey GNU/Linux
GnuPG KeyID: 0xB06780D9
Fingerprint: 1B4D 4827 A06E 440F 74B8 8334 6DEC 96D3 B067 80D9
Cell: +972 54-201-3512

v14.0 Optimised Builds, New App: Odoo & TurnKey needs a Drupal Expert

Jeremy Davis — Wed, 02 Dec 2015 23:54:59 +0000

Since our v14.0 stable release (of ISOs) back in mid September[1]; we've been madly working to finalise v14.0. I am pleased to announce that all of the TurnKey build types you've come to expect are now available:

hybrid ISO[1]
OVA & VMDK[2]
Docker[3]
Proxmox & OpenNode (inc LXC/OVZ)[3]
Xen[4]
OpenStack[4]

I am happy (and somewhat relieved) to say that we're nearly done with 14.0. Nearly you say? Yes; a significant remaining job is to finalise the LXC host appliance. Then it'll be time to start work on v14.1!

We are also really proud to announce a truly community built appliance: TurnKey Odoo[5]. The TurnKey Community power dev combo of Landis Arnold and Ken Robinson (based on the work of Carlos Vercelino) worked hard to build a fantastic new Odoo (formerly OpenERP) appliance. Get it while it's hot!

Last but certainly not least: We need an Expert Drupal Consultant[6] to take over the website. If you know Drupal inside-out and want to become part of the TurnKey team we need to hear from you ASAP! Please see the blog post and apply now!

[1] https://www.turnkeylinux.org/blog/turnkey-14-0-release

[2] https://www.turnkeylinux.org/blog/14.0-optimized-builds-pt1-vmdk-ova

[3] https://www.turnkeylinux.org/blog/14.0-optimized-builds-pt2-proxmox-open...

[4] https://www.turnkeylinux.org/blog/14.0-optimised-builds-pt3-xen-openstack

[5] https://www.turnkeylinux.org/blog/community-built-odoo-appliance

[6] https://www.turnkeylinux.org/blog/expert-drupal-consultant-needed

Until next time...

Cheers,
Jeremy Davis
TurnKey GNU/Linux
GnuPG KeyID: 0x0C5CC21B
Fingerprint: 6EAF 8CC7 9E00 2BA5 CE5B 4580 6D0C A24B 0C5C C21B
Phone: +61 497-084-807

CVE-2015-8103: TurnKey Jenkins critical security hole

Liraz Siri — Thu, 26 Nov 2015 20:14:59 +0000

Existing deployments of TurnKey Jenkins are still vulnerable to CVE-2015-8103, a critical issue that allows remote code execution by unauthenticated users.

Due to the seriousness of the issue new builds of TurnKey Jenkins have been published today so new deployments are not vulnerable.

Unfortunately pre-existing deployments still need to be updated manually:

https://www.turnkeylinux.org/blog/jenkins-remote-code-execution

Cheers,
Liraz Siri
TunKey GNU/Linux
GnuPG KeyID: 0xB06780D9
Fingerprint: 1B4D 4827 A06E 440F 74B8 8334 6DEC 96D3 B067 80D9
Cell: +972 54-201-3512

v14.0 stable release - Massive Community Effort

Jeremy Davis — Wed, 23 Sep 2015 12:51:43 +0000

The wait is over: TurnKey v14.0 is now available.

massive community involvement; biggest ever
Debian Jessie (8.2) based
appliances refreshed with the latest upstream software versions

New features include:

new lightweight DB management tool (Adminer)
hardened default SSL/TLS config
security & system email alerts

New appliances include:

Ansible
EspoCRM
Foodsoft
Laravel
SuiteCRM
Drupal8 (beta)
Joomla 3.x

Download ISOs or launch via the Hub (other build types coming soon)

Cheers,
Jeremy Davis
TurnKey GNU/Linux
GnuPG KeyID: 0x0C5CC21B
Fingerprint: 6EAF 8CC7 9E00 2BA5 CE5B 4580 6D0C A24B 0C5C C21B
Phone: +61 497-084-807

TurnKey v14.0 RC1 based on Debian 8 ready for testing & development

Liraz Siri — Thu, 28 May 2015 09:38:02 +0000

Ahoy free software mateys! Debian 8 AKA Jessie came out last month and we've been super busy working on version 14 of the TurnKey GNU/Linux library of apps which will be based on it. We're working hard to make this release kick ass, but we're a small crew so every bit of help we get from the community really puts in the wind in our sails!

With that in mind, we've created release candidates for two basic building blocks:

TurnKey Core: the common base system for all TurnKey apps
TKLDev: the TurnKey development toolchain and build system

How you can help:

Jessie comes with some significant changes (e.g., systemd) that increase the likelihood of unintended mischief so we want to encourage as much testing by the community as possible. Report any bugs you find to the issue tracker so we can squash them.

Beyond that the sky's the limit. TurnKey GNU/Linux is 100% free software and the development toolchain is well documented. All of the "official" development happens out in the open on GitHub, and we invite everyone to explore, tinker and share what you come up with.

http://www.turnkeylinux.org/14-rc1-aka-we-need-you

Cheers,
Liraz Siri
TurnKey GNU/Linux
GnuPG KeyID: 0xB06780D9
Fingerprint: 1B4D 4827 A06E 440F 74B8 8334 6DEC 96D3 B067 80D9
Cell: +972 54-201-3512

CVE-2014-0235 GHOST: reboot or restart services

Liraz Siri — Sat, 31 Jan 2015 13:56:25 +0000

A remotely exploitable, 14 year old bug in glibc has reared its ugly head: CVE-2014-0235

Security updates have been pushed out automatically, courtesy of Debian to TurnKey 13 installations. TurnKey 12 installations that have enabled Squeeze LTS support have also received an update.

The catch is that running services need to be restarted for the security update to take effect.

http://www.turnkeylinux.org/blog/ghost-cve-2015-0235

Cheers,
Liraz Siri
TurnKey GNU/Linux
GnuPG KeyID: 0xB06780D9
Fingerprint: 1B4D 4827 A06E 440F 74B8 8334 6DEC 96D3 B067 80D9
Cell: +972 54-201-3512

SSH security issue, new apps, BitKey for Bitcoin, an epiphany on values and other stories

Liraz Siri — Wed, 13 Aug 2014 16:54:40 +0000

Round of announcements:

Security update regenerates stale SSH ECDSA host key

Thanks to Peter Lieven from KAMP.de for discovering a stale ECDSA host key which was leftover from the build process. We've issued a security update to regenerate it automatically within the next 24 hours:

http://www.turnkeylinux.org/blog/ssh-ecdsa-security-update
We have 16 new apps lined up for the upcoming 13.1 release:

http://www.turnkeylinux.org/apps-in-development

These were all contributed by the community. Many thanks to Eric Young, John Carver, Martin Verwijmeren, Rik Goldman, Dave Samojlenko, Kevin Destrem, Foodsoft and OwnTracks upstream. You rock!

The docs for the build system have been getting a lot of love, so developing more new apps should be much easier now.
We publicly released a private Bitcoin side-project called BitKey:

http://bitkey.io/

It's a self-contained Live CD/USB key with everything you need to perform highly secure air-gapped Bitcoin transactions. Like all other TurnKey creations it is built with TKLDev - the TurnKey toolchain.

You can use BitKey to get as close as you can get to perfectly secure Bitcoin transactions without doing them in your head:

http://www.turnkeylinux.org/blog/secure-bitcoin-transactions
Top 3 most interesting blog posts (out of 22)

A practical intelligence amplification hack that really works: how to use your phone's TTS engine to give your brain a boost

http://www.turnkeylinux.org/blog/practical-intelligence-amplification

Chromebook Acer C720 review: the browser is the operating system and it doesn't suck

http://www.turnkeylinux.org/blog/chromebook-acer-c720-review

Backdoor in my Medialink router

http://www.turnkeylinux.org/blog/backdoor-in-my-medialink-wireless-router
We renamed TurnKey Linux to emphasize free software values

It's now TurnKey GNU/Linux. I kid you not. We had an epiphany (or a brain stroke). The sky opened up, the saints of free software revealed themselves to us and we experienced a spiritual awakening.

We immediately started growing our hair out and proselytizing:

Standing up for free software, a free Internet and a free society

http://www.turnkeylinux.org/blog/standing-up-for-freedom

Ubuntu's Not Invented Here syndrome

http://www.turnkeylinux.org/blog/ubuntu-not-invented-here-syndrome

Cheers,
Liraz Siri
TurnKey GNU/Linux
GnuPG KeyID: 0xB06780D9
Fingerprint: 1B4D 4827 A06E 440F 74B8 8334 6DEC 96D3 B067 80D9
Cell: +972 54-201-3512