dweinste1's picture

First, thanks for building these appliances.  I have a Turnkey LAMP appliance installed at VPS.Net and it is working well.  

I'm about to create a new VPS for Drupal 6.  I noticed on the appliance page that the current Drupal 6 appliance is at Drupal release 6.12.  Unfortunately, 6.12 suffers from Cross-site scripting, Input format access bypass, and Password leaked in URL vulnerabilities.

Release 6.13 from July 1 fixes these. Please consider upgrading the Turnkey Appliance to run Drupal 6.13.   I'm hoping to start my new VPS on this release.

Thanks for considering this upgrade,


Liraz Siri's picture

Thanks for the nudge. We're in the middle of a development cycle so things are a bit busy at the moment.

From the changelog it seems that the Debian Security Team opted not to upgrade the Debian package to 6.13 but rather backport the XSS fix to 6.12-1. The patched version is 6.12-1.1 and thats what we should be putting into our security repository. I'll talk to Alon about that today.

dweinste1's picture

Thanks for adding this patch to your list.

I will also try installing Drupal onto my current Turnkey LAMP node.  

What is the difference is between doing my own install on my Turnkey LAMP node vs. using the prepackaged Drupal appliance.  Is there a list of what changes were made to LAMP to turn it into the Drupal appliance?  

When updating my image, is it recommended to get Drupal updates from Debian packages instead of the Drupal website?   I don't want to break your security update process.



Liraz Siri's picture

Currently, we import security updates to Drupal from Debian unstable after manual testing. If your prepared to do the testing yourself, you can install the package yourself. It won't break the security process.

At the moment this type of maintenance is taking longer than we'd like due to limited resources and work on the next batch of releases. Most security updates are applied directly from Debian/Ubuntu's security repositories so this isn't an issue, but Drupal (and Joomla) are exceptions. With regards to Drupal, I think that will change for the next release so you'll be getting security updates straight from Debian by default.

If you want to be on the cutting edge and are ready to apply your own security fixes, feel free to install Drupal on top of TurnKey LAMP. If you like, you can use TurnKey Drupal as reference for the configuration. The web page documents the features and components we integrated.


Alon Swartz's picture

Incase you missed it, we just released package updates for drupal5 and drupal6.

Add new comment