Low-traffic Security and News Announcements: up to one email a month (usually less). Leave this checked if you subscribed your email address to the newsletter before creating a user account.

Jeremy Davis's picture

v17.0 stable on it's way

Not displaying properly? Please read online: https://www.turnkeylinux.org/newsletter/v17.0-on-the-way

Hi there,

A couple of quick updates and a tease about the upcoming v17.0 release. Including an important announcement for early adopters of (the upcoming, as yet not officially released) v17.0/Debian Bullseye/11 based systems.

Jeremy Davis's picture

Automated 'grub-pc' security update failing on some platforms

A recent Debian security update for the 'grub-pc' package may be failing on some platforms.

If you are running TurnKey Linux v16.x on AWS EC2 (i.e. from AMI) or a local VM - installed from OVA or VMDK, then this likely affects you.

If you installed from ISO, or are using LXC (e.g. via Proxmox) then you are NOT affected.

For further info on diagnosing the issue and how to resolve it, please visit the Automated 'grub-pc' security update failing on some platforms blog post.

Jeremy Davis's picture

Debian security update breaks v15.x LAMP based servers

An automatically installed Debian MariaDB (drop-in replacement for MySQL) security update, has broken all v15.x appliances that rely on MariaDB database engine. That means that all LAMP based appliances, such as WordPress, Drupal, Joomla and about 70% of the library will not have a functioning MySQL-compatible DB engine running.

The good news is that it's really easy to fix. Simply reinstall the 'default-mysql-server' package like this:

Jeremy Davis's picture

Drupal - Highly Critical Security Issue (SA-CORE-2018-002)


Drupal 7 & 8 (as well as 6) are vulnerable to a highly critical security issue known as SA-CORE-2018-002.

A brief overview with links to additional information can be found on our blog:


The blog post also provides information on updating and/or patching v14.x appliances.

Please post any questions or feedback in the comments on the blog post. Alternatively, please start a new thread on the forums:

Jeremy Davis's picture

All TurnKey Servers potentially vulnerable to Dirty COW (CVE-2016-5195) and other news


All current version of TurnKey Linux are potentially vulnerable to CVE-2016-5195, a kernel privilege escalation bug tagged "Dirty COW".

TurnKey versions 13.x and 14.x should have already auto installed the updated kernel, however users need to manually reboot their servers for the patched kernel to be applied.

Users of earlier versions of TurnKey (i.e. v11.x & v12.x) are strongly urged to upgrade their systems to a supported version of TurnKey ASAP.

Liraz Siri's picture

GitLab & Magento security, new MediaServer app, other updates

TurnKey GitLab was vulnerable to CVE-2016-4340. Privilege escalation via "impersonate" feature. We fixed the app but existing deployments require manual update:


TurnKey Magento IS NOT vulnerable to CVE-2016-4010 remote PHP code execution


Jeremy Davis's picture

v14.0 Optimised Builds, New App: Odoo & TurnKey needs a Drupal Expert

Since our v14.0 stable release (of ISOs) back in mid September[1]; we've been madly working to finalise v14.0. I am pleased to announce that all of the TurnKey build types you've come to expect are now available:

Liraz Siri's picture

CVE-2015-8103: TurnKey Jenkins critical security hole

Existing deployments of TurnKey Jenkins are still vulnerable to CVE-2015-8103, a critical issue that allows remote code execution by unauthenticated users.

Due to the seriousness of the issue new builds of TurnKey Jenkins have been published today so new deployments are not vulnerable.

Unfortunately pre-existing deployments still need to be updated manually:


Jeremy Davis's picture

v14.0 stable release - Massive Community Effort

The wait is over: TurnKey v14.0 is now available.

  • massive community involvement; biggest ever
  • Debian Jessie (8.2) based
  • appliances refreshed with the latest upstream software versions

New features include:

  • new lightweight DB management tool (Adminer)
  • hardened default SSL/TLS config
  • security & system email alerts

New appliances include:

Liraz Siri's picture

TurnKey v14.0 RC1 based on Debian 8 ready for testing & development

Ahoy free software mateys! Debian 8 AKA Jessie came out last month and we've been super busy working on version 14 of the TurnKey GNU/Linux library of apps which will be based on it. We're working hard to make this release kick ass, but we're a small crew so every bit of help we get from the community really puts in the wind in our sails!

With that in mind, we've created release candidates for two basic building blocks: