TurnKey Linux Virtual Appliance Library

Important security notice: Your TurnKey system may no longer be receiving automatic security updates

I have some bad news and some good news. The bad news is that if your TurnKey installation is older than 2 weeks you may no longer be receiving security updates.

The good news is that you are reading this and there is a very easy fix. Either reboot your system, or log in and restart the cron service:

/etc/init.d/cron start

Until you restart cron, security updates and other scheduler-related services (e.g., daily backups) will not work.
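A small health check for the failure mode just described, added here as an example (it is not TurnKey's own tooling): it reports whether a cron daemon is running and whether cron-apt, the script the nightly job invokes to install security updates, has logged a run recently. It assumes the daemon process is named `cron` and that cron-apt writes to `/var/log/cron-apt/log`; both paths and the two-day threshold are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not TurnKey's own code): detect the failure mode from the post,
# a cron daemon that has stopped, so cron-apt never runs and security updates
# silently stop arriving. Assumptions: the daemon process is named "cron" and
# cron-apt logs each run to /var/log/cron-apt/log (override via environment).
CRON_APT_LOG="${CRON_APT_LOG:-/var/log/cron-apt/log}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-2}"

# Return 0 if a cron daemon process is running, 1 otherwise.
cron_running() {
    pidof cron >/dev/null 2>&1 || pgrep -x cron >/dev/null 2>&1
}

# Return 0 if file $1 was modified less than $2 days ago, 1 otherwise.
# Takes the path as a parameter so it can be exercised on any file.
fresh_within_days() {
    [ -f "$1" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    age_days=$(( (now - mtime) / 86400 ))
    [ "$age_days" -lt "$2" ]
}

# Print one status line per check; return 1 if either check fails.
check_auto_updates() {
    rc=0
    if cron_running; then
        echo "OK:   cron daemon is running"
    else
        echo "FAIL: cron is not running; automatic security updates are off"
        echo "      fix: /etc/init.d/cron start (or reboot)"
        rc=1
    fi
    if fresh_within_days "$CRON_APT_LOG" "$MAX_AGE_DAYS"; then
        echo "OK:   cron-apt logged a run within $MAX_AGE_DAYS day(s)"
    else
        echo "WARN: no cron-apt run logged within $MAX_AGE_DAYS day(s) ($CRON_APT_LOG)"
        echo "      apply pending security updates now with: cron-apt"
        rc=1
    fi
    return $rc
}

# Run the checks only when invoked as: sh check_auto_updates.sh --check
# (so the functions can also be sourced without side effects).
[ "${1:-}" = "--check" ] && check_auto_updates
```

Run it from a second cron job or a monitoring agent and alert on a non-zero exit; a dead cron cannot report its own absence, so the check has to come from outside it.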

What happened?

Ubuntu screwed up a recent security update. There was a nasty bug. When installed, the update breaks cron, the scheduling daemon TurnKey uses to auto-install security updates. Not good.

According to a routine report generated from the access logs on our security repository, there are currently thousands of TurnKey installations affected by this issue. Those systems are not getting automatic security updates. There's no immediate risk, but that could quickly change if a remote vulnerability is discovered in the time it takes whoever is responsible for the server to figure this out.

Make sure we can always reach you

There's a moral in all of this: make sure we can always reach you somehow.

Sure, usually we don't need to get your attention regarding security issues because TurnKey is configured to auto-install updates, but as this incident shows, we can't rely on that always working.

This time we can't fix the issue on our side, since it affects the very auto-update mechanism that's usually used to fix security issues.

The best we can do is try to reach out to users and inform them that there is an issue that requires manual intervention to resolve. Hopefully we can get through to anyone subscribed to this blog or the News and Security announcements newsletter, or that has a Hub account.

In any case, we'll soon find out from the logs on the security repository just how many of our users we can or can't reach.


Comments


Hi Liraz, very appreciated

Hi Liraz,

very appreciated for this update, this approach shows transparency
and proves another time how crystal clear models work much better
than ones using security through obscurity. Keep going!

Phillip


I agree. We've never believed

I agree. We've never believed in security through obscurity. Everything is increasingly becoming transparent whether we like it or not, so there's really little point in sticking your head in the sand if you know what's good for you. IMHO, it's far more useful to try and educate users so that they understand the risks lucidly than try to cover them up.

Good idea on the blog post

Hopefully we can get as many TKL users sorted out as possible, before anything nasty happens.

Also I have read (although haven't confirmed it) that simply upgrading all the packages will also solve it:

apt-get update && apt-get upgrade

Although obviously this will upgrade all packages (even those that haven't received auto security updates). This may have unintended and perhaps unwanted side effects so make sure you do a backup first.


How to get just the security updates

If you're worried about breaking something, there is an easy, less risky way to get just the security updates:

cron-apt

This is essentially the very same script invoked from cron daily to install the security updates automatically.

You can also manually invoke the inithook script that installs all the security updates on firstboot:

FORCE=y /usr/lib/inithooks/firstboot.d/95secupdates

Hmm... maybe this should go into the documentation...


I've updated the security updates documentation

Thanks for the comments guys. In the interests of improved transparency I've updated the documentation (automatic security updates) so that it cautions users not to rely on auto-updates being 100% foolproof and recommends that users make sure we can reach them somehow if necessary (e.g., exactly what the announcements newsletter is for).

Also, I've included a little snippet that clarifies how to install just the security updates at any time via the cron-apt script (the same thing that cron usually executes every night).
