TurnKey Linux Virtual Appliance Library

Drupal 6.13 fixes Multiple vulnerabilities

First, thanks for building these appliances.  I have a Turnkey LAMP appliance installed at VPS.Net and it is working well.  

I'm about to create a new VPS for Drupal 6.  I noticed on the appliance page that the current Drupal 6 appliance is at Drupal release 6.12.  Unfortunately, 6.12 suffers from Cross-site scripting, Input format access bypass, and Password leaked in URL vulnerabilities.

Release 6.13 from July 1 fixes these. Please consider upgrading the Turnkey Appliance to run Drupal 6.13.   I'm hoping to start my new VPS on this release.

Thanks for considering this upgrade,

-Dan 

Liraz Siri

No 6.13 in Debian (6.12-1.1 backports security fix)

Thanks for the nudge. We're in the middle of a development cycle so things are a bit busy at the moment.

From the changelog it seems that the Debian Security Team opted not to upgrade the Debian package to 6.13 but rather backport the XSS fix to 6.12-1. The patched version is 6.12-1.1 and that's what we should be putting into our security repository. I'll talk to Alon about that today.
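Because the backported fix leaves the upstream version at 6.12, a scanner that only compares "6.12" against "6.13" would still report the patched 6.12-1.1 package as vulnerable. The following is an added example (not TurnKey's or Debian's code) that compares full Debian version strings, epoch and revision included, using the dpkg ordering rules, and flags packages below a fixed version; the `dpkg-query` output lines and the fixed-version map are constructed for the example.

```python
import itertools
import re
from typing import Dict, List, Tuple

def _order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    while a or b:
        # alternate: non-digit run compared character-wise, then digit run compared numerically
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in itertools.zip_longest(sa, sb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        d = int(na or 0) - int(nb or 0)
        if d:
            return -1 if d < 0 else 1
    return 0

def _split(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under Debian version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(installed: str, fixed: str) -> bool:
    return compare_versions(installed, fixed) >= 0

def vulnerable_packages(dpkg_output: str, fixed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan lines of `dpkg-query -W -f='${Package} ${Version}\\n'` for packages below their fixed version."""
    found = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in fixed and not is_patched(parts[1], fixed[parts[0]]):
            found.append((parts[0], parts[1]))
    return found

# Constructed sample data: the fixed version named in the thread and two hosts' dpkg-query output.
FIXED = {"drupal6": "6.12-1.1"}
SAMPLE_UNPATCHED = "drupal6 6.12-1\n"
SAMPLE_PATCHED = "drupal6 6.12-1.1\n"
```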

Is that how I could also update my own appliance node?

Thanks for adding this patch to your list.

I will also try installing Drupal onto my current Turnkey LAMP node.  

What is the difference is between doing my own install on my Turnkey LAMP node vs. using the prepackaged Drupal appliance.  Is there a list of what changes were made to LAMP to turn it into the Drupal appliance?  

When updating my image, is it recommended to get Drupal updates from Debian packages instead of the Drupal website?   I don't want to break your security update process.

Cheers,

-Dan

Liraz Siri

You won't break the process

Currently, we import security updates to Drupal from Debian unstable after manual testing. If you're prepared to do the testing yourself, you can install the package yourself. It won't break the security process.

At the moment this type of maintenance is taking longer than we'd like due to limited resources and work on the next batch of releases. Most security updates are applied directly from Debian/Ubuntu's security repositories so this isn't an issue, but Drupal (and Joomla) are exceptions. With regards to Drupal, I think that will change for the next release so you'll be getting security updates straight from Debian by default.

If you want to be on the cutting edge and are ready to apply your own security fixes, feel free to install Drupal on top of TurnKey LAMP. If you like, you can use TurnKey Drupal as reference for the configuration. The web page documents the features and components we integrated.

Cheers!

Alon Swartz

Updated Drupal packages uploaded to the archive

In case you missed it, we just released package updates for drupal5 and drupal6.

Drupal Site reverts to new install

I downloaded the latest Drupal6.iso. I used Sun's VirtualBox (latest version) to create and mount the VM. I installed Drupal. I set the IP address to manual/fixed IP. I installed the 6.12-1.1 package and then completed the update as per the instructions. I logged into the site as admin and added a few modules and some minor site config from the menu. I created a couple of users and logged in as each and then logged back in as admin. All appeared OK. I logged out. Shut down the VM, made a snapshot and then started the VM again.

All the above appeared to work without issue. However, on startup the IP had reverted back to dynamic and when I try to access the site (home page) all I can access is the install page!

What am I doing wrong? All help/ideas appreciated.

Thanks


Please Ignore last post!!!

My mistake - I still had the ISO as the default boot and went to a new live version!

Sorry for the mistake.


Testing this on a 6.10 site

Testing this on a 6.10 site which currently has 87 modules installed, including the core modules. This is largely down to the fact that ubercart is installed.

The site is running on about 512 MB of memory but occasionally reports a fatal error due to running out, so we'll see if this low memory version makes any difference.
