v15.x - Updated apps, plus new Redis appliance

Bugfixes and Updates

We have published a number of updated appliances since my last appliance updates blog post (all the way back in February!?). This post is well overdue and in fact a few of the appliances have been updated multiple times... Please read on about the new Redis appliance. And/or read about the updated appliances and the relevant changes of significance.

All of these appliances are now available to download from their relevant appliance pages (links provided in each entry). They are also available to run in the cloud from the TurnKey Hub and/or for Proxmox within the storage templates section. The most recent June updates will also be available from AWS Marketplace ASAP; the earlier updates should be available already.

v15.x - 12 Updated Appliances, plus New OpenCart Appliance

Bugfixes and Updates

There are 12 appliances that have recently been updated, and one new appliance: OpenCart.

Some appliances include security related updates, some include bugfixes, some include both.

Security Vulnerabilities: SA-CORE-2019-003 - Drupal 8 Core, Drupal 7 plugins

SA-CORE-2019-003 - Highly critical - Remote Code Execution

Popular CMS platform Drupal recently announced a highly critical security vulnerability: SA-CORE-2019-003. This vulnerability allows for remote code execution on an exploited server. It is rated Highly Critical and mass exploits are now being reported in the wild!

Security Vulnerabilities: SA-CORE-2018-006 - Drupal 7.x & Drupal 8.x

SA-CORE-2018-006 - Multiple Vulnerabilities in Drupal 7 & 8

Popular CMS platform Drupal have just announced that versions of Drupal 7 prior to 7.60 and Drupal 8 prior to 8.5.8 and/or 8.6.2 are affected by SA-CORE-2018-006. For more info on the vulnerabilities, please see the relevant Drupal advisory.

Drupal SA-CORE-2018-002 - Highly critical - Remote Code Execution vulnerability

Late last week, the Drupal Security Team announced a "Highly critical" remote code execution vulnerability that affects Drupal 6 (EOL), Drupal 7 and Drupal 8. SA-CORE-2018-002 dubbed "Drupalgeddon2" was discovered by Jasper Mattsson. Drupal scores it a whopping 21 (out of a possible 25) "Security Risk Level". All users are recommended to update their Drupal sites immediately.

Meltdown and Spectre: What TurnKey users need to know

By now, I'm sure that you've already heard of the latest vulnerabilities doing the rounds; tagged Meltdown and Spectre. As seems to be the fashion, these new vulnerabilities have cool names, their own website, and the funky looking logos, just below.

I'll provide some more specific details and links for further reading below. I'll also cover checking that you are running a patched kernel, as well as some notes for AWS users.

Stack-Clash vulnerability - Reboot to enable new patched kernel

Once again, thanks to community member John Carver for highlighting a new Linux vulnerability. Qualys Security Labs discovered and demonstrated the vulnerability, and have named it "Stack-Clash".

CVE-2016-5195: Dirty COW - Privilege escalation kernel vulnerability

Thanks to TurnKey community member John Carver it has come to our attention that all existing deployments of TurnKey Linux are potentially vulnerable to CVE-2016-5195. As reported by Andrej Nemec last week on the Red Hat bugtracker "An unprivileged local user could use this flaw to gain write access to otherwise read only memory mappings and thus increase their privileges on the system."
