dweinste1's picture

First, thanks for building these appliances.  I have a Turnkey LAMP appliance installed at VPS.Net and it is working well.  

I'm about to create a new VPS for Drupal 6.  I noticed on the appliance page that the current Drupal 6 appliance is at Drupal release 6.12.  Unfortunately, 6.12 suffers from Cross-site scripting, Input format access bypass, and Password leaked in URL vulnerabilities.

Release 6.13 from July 1 fixes these. Please consider upgrading the Turnkey Appliance to run Drupal 6.13.   I'm hoping to start my new VPS on this release.

Thanks for considering this upgrade,


Liraz Siri's picture

Thanks for the nudge. We're in the middle of a development cycle so things are a bit busy at the moment.

From the changelog it seems that the Debian Security Team opted not to upgrade the Debian package to 6.13 but rather backport the XSS fix to 6.12-1. The patched version is 6.12-1.1 and that's what we should be putting into our security repository. I'll talk to Alon about that today.

dweinste1's picture

Thanks for adding this patch to your list.

I will also try installing Drupal onto my current Turnkey LAMP node.  

What is the difference between doing my own install on my Turnkey LAMP node vs. using the prepackaged Drupal appliance? Is there a list of what changes were made to LAMP to turn it into the Drupal appliance?

When updating my image, is it recommended to get Drupal updates from Debian packages instead of the Drupal website?   I don't want to break your security update process.



Liraz Siri's picture

Currently, we import security updates to Drupal from Debian unstable after manual testing. If you're prepared to do the testing yourself, you can install the package yourself. It won't break the security process.

At the moment this type of maintenance is taking longer than we'd like due to limited resources and work on the next batch of releases. Most security updates are applied directly from Debian/Ubuntu's security repositories so this isn't an issue, but Drupal (and Joomla) are exceptions. With regards to Drupal, I think that will change for the next release so you'll be getting security updates straight from Debian by default.

If you want to be on the cutting edge and are ready to apply your own security fixes, feel free to install Drupal on top of TurnKey LAMP. If you like, you can use TurnKey Drupal as reference for the configuration. The web page documents the features and components we integrated.


Alon Swartz's picture

In case you missed it, we just released package updates for drupal5 and drupal6.

Guest's picture

I downloaded the latest Drupal6.iso. I used Sun's VirtualBox (latest version) to create and mount the VM. I installed Drupal. I set the IP address to manual/fixed IP. I installed the 6.12-1.1 package and then completed the update as per the instructions. I logged into the site as admin and added a few modules and some minor site config from the menu. I created a couple of users and logged in as each and then logged back in as admin. All appeared OK. I logged out. Shut down the VM, made a snapshot and then started the VM again.

All the above appeared to work without issue. However, on startup the IP had reverted back to dynamic and when I try to access the site (home page) all I can access is the install page!

What am I doing wrong? All help/ideas appreciated.



Guest's picture

My mistake - I still had the ISO as the default boot and went to a new live version!

Sorry for the mistake.


Rubyoxy's picture

Testing this on a 6.10 site which currently has 87 modules installed, including the core modules. This is largely down to the fact that ubercart is installed.

The site is running on about 512Mb of memory but occasionally reports a fatal error due to running out, so we'll see if this low memory version makes any difference.
