New TurnKey MediaWiki version (17.0)

Changes:

  • Update to latest upstream stable LTS version - v1.37.1.
  • Updated all relevant Debian packages to Bullseye/11 versions; including PHP 7.4.
  • Provide predefined dh_params (via 'turnkey-make-ssl-cert' where relevant) as per RFC7919 - part of #1653.
  • Updated version of mysqltuner script.
  • Enable HTTP/2 by default (where possible). Note: will not actually work until a CA signed cert is generated or installed.
  • Configure OCSP stapling (will only work once a valid cert is configured).
  • Enable HSTS by default (only effects HTTPS traffic - full implementation also requires HTTP redirect to HTTPS and valid cert).
  • Enable Apache mod-headers by default (required for HSTS).
  • Disable cipher order in default ssl.conf (no longer required with the secure cipher suites we use; mild improvement in cpu resources).
  • Note: Please refer to turnkey-core's 17.0 changelog for changes common to all appliances. Here we only describe changes specific to this appliance.

Links

New TurnKey Core version (17.0)

Changes:

  • Upgraded base distribution to Debian 11.1/Bullseye.
  • Configuration console (confconsole):
    • Minor packaging changes for Debian Bullseye.
    • Fix warnings on Confconsole when upgrading to Python3.9 - resolved by swapping identity check for equality check - closes #1634.
    • Remove dhparams generation - part of #1653.
    • Move Secupdates_adv_conf.py (confconsole plugin) from "common" into confconsole package. Should have no end user impact.
    • Bugfix & improvements to Let's Encrypt plugin:
      • Fix cert not being used on stand-alone Tomcat appliance - closes #1712.
      • Update to support changed systemd output (fixes stunnel not restarted on Bullseye).
    • Improvements in Keyboard setting plugin - not sure if this is enough to fix it, but it should at least be closer. Related to #1695.
    • General code and documentation improvements.
  • Firstboot Initialization (inithooks):
    • Minor packaging changes for Debian Bullseye.
    • Bugfix typo in firstboot.d/15regen-sslcert.
    • Update the init-fence default html.
    • Update simplehttpd.py cyphers.
    • Remove dhparams generation - part of #1653.
    • Code refactor to provide inithook_lib. [ Stefan Davis ]
  • Web management console (webmin):
    • Upgraded webmin to v1.990.
    • Bugfix, refactor and improve TKLBAM Webmin module. Closes #178, #190, #288, #1065, #1260 & #1680. [ Jeremy Davis ]
    • Include webmin-firewall6 (firewall UI for IPv6) by default - part of #1658. [ Richard van Dijk ]
    • Update individual Webmin stunnel config to support IPv6 - part of #1658. [ Richard van Dijk ]
  • Web shell (shellinabox):
    • Update individual Webshell stunnel config to support IPv6 - part of #1658. [ Richard van Dijk ]
  • Backup (tklbam):
    • Change default NTPSERVER to one that also supports IPv6 - part of #1658. [ Richard van Dijk ]
    • Build specific py2 dependencies previously provided by Debian for Bullseye base (TKLBAM still py2). Ideally it should be updated to py3 (or rewritten) but we don't want to block v17.0 release any further.
    • No longer include live* related packages (e.g. di-live, live-tools, etc) in TKLBAM default package list (pkgs only in ISO and uninstalled on install). Closes #1681.
  • Security hardening & improvements:
    • Generate and use new TurnKey Bullseye keys.
    • Provide predefined dh_params (via 'turnkey-make-ssl-cert' where relevant) as per RFC7919 - part of #1653.
    • Enable TLS by default for use with Postfix.
    • Servers which include Apache|LigHHTTPd|Nginx now have HSTS and OCSP stapling configuration (not fully enabled by default - as requires valid SSL/TLS cert).
  • Misc bugfixes & feature implementations:
    • Remove redundant autologin, singleuser_shell & ssh_emptypw scripts from default common overlay.
    • Cleanup/tweak MOTD.
    • Update vim default conf path (for new version of vim in Bullseye).
    • Move Nginx & LigHTTPd apps from FastCGI to PHP-FPM (apps with Nginx/LigHTTPd only) - closes #1589.

Links

New TurnKey TKLDev version (17.0)

Changes:

  • Upgraded base distribution to Debian 11.1/Bullseye.
  • caching proxy:
    • Switch from Polipo (only cached http and is no longer available in Debian) to Squid. Squid is configured as a caching http/https proxy. Using 'squid-openssl' package, it is configured to act as a MITM (man in the middle) caching proxy - closes #1560.
  • fab:
    • Port code to python3 and major code refactoring.
    • Use new 'turnkey-chroot' library for use in 'fab-chroot'.
    • Use xorriso (instead of genisoimage) for generating ISO. This provides UEFI boot support (note this only supports booting the ISO via UEFI; additional work in di-live required to complete UEFI install support). Part of #1435. NOTE: The UEFI support started for v17.0 di-live and ISO builds has been (temporarily) rolled back and won't be implmented in v17.0.
  • pool:
    • Port code to python3 and major code refactoring. Closes #1272.
    • (Still not pre-installed by default).
  • bootstrap:
    • Include 'ca-certificates' package (to support https apt repos via squid https proxy).
  • corestrap:
    • Support the option of using a "corestrap", rather than a minimalist bootstrap. A corestrap is a bootstrap, but with all core packages (except the kernel) pre-installed. It is larger than the bootstrap, but speeds up builds significantly.
  • Note: Please refer to turnkey-core's 17.0 changelog for changes common to all appliances. Here we only describe changes specific to this appliance.

Links

Pages

more