TurnKey Linux Virtual Appliance Library

CVE-2016-4340: Privilege escalation via "impersonate" feature in existing v14.0/1 GitLab deployments

It has come to our attention that existing deployments of TurnKey GitLab (versions 14.0 and 14.1) are vulnerable to CVE-2016-4340, a critical security issue that allows any authenticated user to escalate their privileges to Administrator.

This issue has been fixed with many others by the GitLab project, as detailed in the 2016-05-02 GitLab Security Advisory.

Due to the seriousness of the issue, new builds of TurnKey GitLab have been published today so new deployments are not vulnerable.


TurnKey Magento NOT vulnerable to CVE-2016-4010 remote PHP code execution

Thanks to vondrt4 for bringing CVE-2016-4010 to our attention. This was a potentially critical vulnerability in Magento that turns out not to apply to TurnKey Magento, because it only affects Magento versions 2.0 through 2.0.5. The current version of TurnKey Magento is based on Magento 1.9.x.

CVE-2015-8103: Critical remotely exploitable security hole in existing TurnKey Jenkins deployments

Thanks to ElColmo it has come to our attention that existing deployments of TurnKey Jenkins are still vulnerable to CVE-2015-8103, a critical issue that allows remote code execution by unauthenticated users.

This issue has been fixed with many others by the Jenkins project, as detailed in the 2015-11-11 Jenkins Security Advisory.

Securing Firefox, Chrome and Thunderbird against client-side attacks

Imagine someone half-competent wants to hack into your computer. They want to read your e-mail, steal your bitcoins, transfer funds via your PayPal account, etc.

You're behind a firewall (or more commonly a NAT router) and you don't have any open ports / servers running. So you're safe right?

CVE-2015-0235 GHOST: reboot or restart services

A remotely exploitable, 14-year-old bug in glibc has reared its ugly head: CVE-2015-0235

Security updates have been pushed out automatically, courtesy of Debian (security tracker) to TurnKey 13 installations. TurnKey 12 installations that have enabled Squeeze LTS support have also received an update.

Security update regenerates stale SSH ECDSA host key

Peter Lieven from KAMP.de discovered a problem with TurnKey 13.0 where the OpenSSH ECDSA host key is not regenerated on first boot, as the RSA and DSA host keys are.

We've issued a signed hotpatch to TurnKey Core 13.0 that regenerates the ECDSA SSH host key. TurnKey deployments that have not disabled automatic security updates (it's on by default) will have their ECDSA SSH host key regenerated automatically within the next 24 hours.
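The reason this matters is that every deployment built from the same image shares one ECDSA host key, so anyone with a copy of the image holds a private key that clients of every such deployment will accept. For readers who want to regenerate the key by hand (or verify the hotpatch did), the following is an added example script, not TurnKey's signed hotpatch. It assumes `ssh-keygen` is installed; the key directory defaults to /etc/ssh and can be pointed at a scratch directory to try it safely.

```sh
#!/bin/sh
# Added example, not TurnKey's hotpatch: regenerate the OpenSSH ECDSA host key
# and confirm that the fingerprint actually changed. Assumes ssh-keygen.
set -eu

# fingerprint PUBKEY: print the fingerprint column of `ssh-keygen -l`.
fingerprint() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# regen_ecdsa_host_key [KEYDIR]: replace ssh_host_ecdsa_key and its .pub in
# KEYDIR (default /etc/ssh), print the new fingerprint, and fail if the
# fingerprint is unchanged (which would mean the key was not really replaced).
regen_ecdsa_host_key() {
    keydir="${1:-/etc/ssh}"
    key="$keydir/ssh_host_ecdsa_key"
    old_fp=""
    if [ -f "$key.pub" ]; then
        old_fp=$(fingerprint "$key.pub")
    fi
    rm -f "$key" "$key.pub"
    # Host keys have no passphrase (-N ''); -q suppresses the banner.
    ssh-keygen -q -t ecdsa -b 256 -N '' -f "$key"
    chmod 600 "$key"
    new_fp=$(fingerprint "$key.pub")
    if [ "$old_fp" = "$new_fp" ]; then
        echo "ERROR: ECDSA host key fingerprint unchanged ($new_fp)" >&2
        return 1
    fi
    echo "$new_fp"
}

# Usage on a live system: sh regen-ecdsa.sh --apply
if [ "${1:-}" = "--apply" ]; then
    regen_ecdsa_host_key /etc/ssh
    # sshd loads host keys at startup, so restart it to serve the new key.
    service ssh restart
fi
```

After the key changes, clients that have already connected will see a host-key-changed warning for the ECDSA entry in their known_hosts; that warning is expected here, and the new fingerprint printed by the script is what they should verify against.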

Backdoor in my Medialink router

Just because you're paranoid doesn't mean they aren't out to getcha.

Here's another example of why we need free software running the Internet. When I bought my Medialink router it was the most popular brand of wireless router on Amazon.com. It is made by a Chinese corporation called Tenda.

And it comes with a root shell backdoor, which I just tested:

The closest you can get to perfectly secure Bitcoin transactions (without doing them in your head)

@pa2013 helpfully posted Alon's BitKey announcement from last week to the Bitcoin Reddit, which sparked an interesting discussion regarding whether or not you can safely trust BitKey to perform air-gapped transactions. I started responding there but my comment got so long I decided to turn it into a blog post.

Enabling Debian 6.0 LTS Security Support

This announcement is for Debian 6.0 (AKA Squeeze / TurnKey 12) users who have not yet upgraded to Debian 7.0 (AKA Wheezy / TurnKey 13):

~# cat /etc/issue.net
Debian GNU/Linux 6.0

Support for security updates to Debian 6.0 officially ended on Saturday, May 31, 2014.

As you may have heard, for the first time Debian is experimenting with a five-year Long Term Support (LTS) program that will extend support until Feb 2016:
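Enabling LTS comes down to adding the squeeze-lts suite to APT's sources and upgrading. The following is an added example, not TurnKey's own script; it assumes the suite line the Debian LTS project documented at the time (mirror http.debian.net, suite squeeze-lts, components main contrib non-free), and takes the sources file as a parameter so it can be tried on a copy first.

```sh
#!/bin/sh
# Added example, not TurnKey's script: enable the Debian 6.0 LTS suite.
# Assumption: the squeeze-lts line as documented by the Debian LTS project.
set -eu

LTS_LINE='deb http://http.debian.net/debian/ squeeze-lts main contrib non-free'

# lts_enabled SOURCES_FILE: 0 if a squeeze-lts deb line is present, else 1.
lts_enabled() {
    grep -q '^deb .* squeeze-lts ' "$1"
}

# enable_squeeze_lts SOURCES_FILE: append the LTS line exactly once.
# Refuses a file that is not a squeeze sources list (e.g. an already-upgraded
# wheezy system), and is idempotent on repeated runs.
enable_squeeze_lts() {
    sources="$1"
    if ! grep -q '^deb .* squeeze ' "$sources"; then
        echo "$sources: not a squeeze sources list, refusing" >&2
        return 1
    fi
    if lts_enabled "$sources"; then
        return 0
    fi
    printf '\n# Debian 6.0 Long Term Support (security updates until Feb 2016)\n%s\n' \
        "$LTS_LINE" >> "$sources"
}

# Usage on a live TurnKey 12 system: sh enable-lts.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_squeeze_lts /etc/apt/sources.list
    apt-get update && apt-get upgrade
fi
```

The refusal check matters because the same command run on a box already moved to Wheezy would silently pin it to an old suite; checking for an existing squeeze line keeps the script from doing that.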

TurnKey 13 critical security issue (Heartbleed / CVE-2014-0160)

Without action, your TurnKey 13 installations may remain vulnerable to the critical Heartbleed OpenSSL attack (DSA-2896-1, CVE-2014-0160). This is not a theoretical attack.
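Both the GHOST item above ("reboot or restart services") and this Heartbleed one share the same follow-up step: installing the fixed glibc or libssl package replaces the file on disk, but every process that had already loaded the old library keeps running the vulnerable copy until it is restarted. Linux exposes this directly: when a package upgrade unlinks the old file, the mapping in /proc/PID/maps is tagged "(deleted)". The script below is an added example (not TurnKey's or Debian's) that finds such processes; the sample maps lines in the test are constructed.

```sh
#!/bin/sh
# Added example, not TurnKey's: list processes still mapping a replaced
# shared library, so you know what to restart (or that a reboot is due).
set -eu

# stale_libs MAPSFILE PATTERN: print each distinct "(deleted)" shared-library
# path in one /proc/PID/maps file whose path matches PATTERN (an awk regex,
# e.g. 'libc-' or 'libssl'). Exit 0 if any were found, 1 if none.
stale_libs() {
    mapsfile="$1"
    pattern="$2"
    awk -v pat="$pattern" '
        # maps columns: address perms offset dev inode path [(deleted)]
        $NF == "(deleted)" && $6 ~ /\.so/ && $6 ~ pat { seen[$6] = 1 }
        END {
            n = 0
            for (p in seen) { print p; n++ }
            exit (n ? 0 : 1)
        }' "$mapsfile"
}

# scan_procs PATTERN: walk /proc and report every PID holding a stale library.
# Returns 0 when the system is clean, 1 when at least one restart is needed
# (so it can be used as a check in automation).
scan_procs() {
    pattern="$1"
    needs_restart=0
    for d in /proc/[0-9]*; do
        pid="${d#/proc/}"
        libs=$(stale_libs "$d/maps" "$pattern" 2>/dev/null) || continue
        needs_restart=1
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | cut -c1-60)
        echo "PID $pid ($cmd) still maps:"
        echo "$libs" | sed 's/^/    /'
    done
    return $needs_restart
}

# Usage: sh stale-libs.sh --scan 'libc-'     (GHOST)
#        sh stale-libs.sh --scan 'libssl'    (Heartbleed)
#        sh stale-libs.sh --scan             (any deleted .so)
if [ "${1:-}" = "--scan" ]; then
    scan_procs "${2:-[.]so}"
fi
```

Two caveats a practitioner should keep in mind: for glibc, PID 1 itself maps libc, so after a GHOST update the clean answer is a reboot rather than chasing individual services; and for Heartbleed, restarting services only stops further leaks, the private keys and session secrets that may already have been read need to be regenerated as well.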