TurnKey Linux Virtual Appliance Library

All TurnKey Servers potentially vulnerable to Dirty COW (CVE-2016-5195) and other news


All current versions of TurnKey Linux are potentially vulnerable to CVE-2016-5195, a kernel privilege escalation bug tagged "Dirty COW".

GitLab & Magento security, new MediaServer app, other updates

TurnKey GitLab was vulnerable to CVE-2016-4340, a privilege escalation via the "impersonate" feature. We fixed the app, but existing deployments require a manual update:


TurnKey Magento IS NOT vulnerable to CVE-2016-4010 remote PHP code execution


v14.1 Maintenance release:


New MediaServer app by Jonathan Struebel:

v14.0 Optimised Builds, New App: Odoo & TurnKey needs a Drupal Expert

Since our v14.0 stable release (of ISOs) back in mid September[1], we've been madly working to finalise v14.0. I am pleased to announce that all of the TurnKey build types you've come to expect are now available:

CVE-2015-8103: TurnKey Jenkins critical security hole

Existing deployments of TurnKey Jenkins are still vulnerable to CVE-2015-8103, a critical issue that allows remote code execution by unauthenticated users.

Due to the seriousness of the issue, new builds of TurnKey Jenkins have been published today, so new deployments are not vulnerable.

Unfortunately pre-existing deployments still need to be updated manually:


v14.0 stable release - Massive Community Effort

The wait is over: TurnKey v14.0 is now available.

  • massive community involvement; biggest ever
  • Debian Jessie (8.2) based
  • appliances refreshed with the latest upstream software versions

New features include:

  • new lightweight DB management tool (Adminer)
  • hardened default SSL/TLS config
  • security & system email alerts

New appliances include:

TurnKey v14.0 RC1 based on Debian 8 ready for testing & development

Ahoy free software mateys! Debian 8 AKA Jessie came out last month and we've been super busy working on version 14 of the TurnKey GNU/Linux library of apps which will be based on it. We're working hard to make this release kick ass, but we're a small crew so every bit of help we get from the community really puts the wind in our sails!

With that in mind, we've created release candidates for two basic building blocks:

CVE-2014-0235 GHOST: reboot or restart services

A remotely exploitable, 14-year-old bug in glibc has reared its ugly head: CVE-2014-0235.

Security updates have been pushed out automatically, courtesy of Debian, to TurnKey 13 installations. TurnKey 12 installations that have enabled Squeeze LTS support have also received an update.

The catch is that running services need to be restarted for the security update to take effect.

Read more:


SSH security issue, new apps, BitKey for Bitcoin, an epiphany on values and other stories

Round of announcements:

  1. Security update regenerates stale SSH ECDSA host key

    Thanks to Peter Lieven from KAMP.de for discovering a stale ECDSA host key which was left over from the build process. We've issued a security update to regenerate it automatically within the next 24 hours:


  2. We have 16 new apps lined up for the upcoming 13.1 release: