New TurnKey MediaWiki version (18.0)

Changes:

  • Install latest upstream version of MediaWiki: 1.40.1.
  • Update TKL Mediawiki logos (MediaWiki updated their logo in 2020; plus the paths have changed).
  • Enable VisualEditor by default in TKL Mediawiki.
  • Special thanks to UncleDan (Daniele Lolli - https://github.com/UncleDan) for starting work on this (and many other appliances).
  • Ensure hashfile includes URL to public key - closes #1864.
  • Include webmin-logviewer module by default - closes #1866.
  • Upgraded base distribution to Debian 12.x/Bookworm.
  • Configuration console (confconsole):
    • Support for DNS-01 Let's Encrypt challenges. [ Oleh Dmytrychenko github: @NitrogenUA ]
    • Support for getting Let's Encrypt cert via IPv6 - closes #1785.
    • Refactor network interface code to ensure that it works as expected and supports more possible network config (e.g. hotplug interfaces & wifi).
    • Show error message rather than stacktrace when window resized to incompatable resolution - closes #1609. [ Stefan Davis ]
    • Bugfix exception when quitting configuration of mail relay. [ Oleh Dmytrychenko github: @NitrogenUA ]
    • Improve code quality: implement typing, fstrings and make (mostly) PEP8 compliant. [Stefan Davis & Jeremy Davis
  • Firstboot Initialization (inithooks):
    • Refactor start up (now hooks into getty process, rather than having it's own service). [ Stefan Davis ]
    • Refactor firstboot.d/01ipconfig (and 09hostname) to ensure that hostname is included in dhcp info when set via inithooks.
    • Package turnkey-make-ssl-cert script (from common overlay - now packaged as turnkey-ssl). Refactor relevant scripts to leverage turnkey-ssl.
    • Refactor run script - use bashisms and general tidying.
    • Show blacklisted password characters more nicely.
    • Misc packaging changes/improvements.
    • Support returning output from MySQL - i.e. support 'SELECT'. (Only applies to apps that include MySQL/MariaDB).
  • Web management console (webmin):
    • Upgraded webmin to v2.105.
    • Removed stunnel reverse proxy (Webmin hosted directly now).
    • Ensure that Webmin uses HTTPS with default cert (/etc/ssl/private/cert.pem).
    • Disabled Webmin Let's Encrypt (for now).
  • Web shell (shellinabox):
    • Completely removed in v18.0 (Webmin now has a proper interactive shell).
  • Backup (tklbam):
    • Ported dependencies to Debian Bookworm; otherwise unchanged.
  • Security hardening & improvements:
    • Generate and use new TurnKey Bookworm keys.
    • Automate (and require) default pinning for packages from Debian backports. Also support non-free backports.
  • IPv6 support:
    • Adminer (only on LAMP based apps) listen on IPv6.
    • Nginx/NodeJS (NodeJS based apps only) listen on IPv6.
  • Misc bugfixes & feature implementations:
    • Remove rsyslog package (systemd journal now all that's needed).
    • Include zstd compression support.
    • Enable new non-free-firmware apt repo by default.
    • Improve turnkey-artisan so that it works reliably in cron jobs (only Laravel based LAMP apps).
  • Set mod_evasive log location - makes debugging easier. [ Jeremy Davis ]
  • Include and enable mod_evasive and mod_security2 by default in Apache. [ Stefan Davis ]
  • Debian default PHP updated to v8.2.
  • DEV: Add support for setting max_execution_time & max_input_vars in php.ini via appliance Makefile (PHP_MAX_EXECUTION_TIME & PHP_MAX_INPUT_VARS).
  • Use MariaDB (MySQL replacement) v10.11.3 (from debian repos).

Links

New TurnKey MediaWiki version (17.1)

Changes:

  • Updated all Debian packages to latest. [ autopatched by buildtasks ]
  • Patched bugfix release. Closes #1734. [ autopatched by buildtasks ]

Links

New TurnKey MediaWiki version (17.0)

Changes:

  • Update to latest upstream stable LTS version - v1.37.1.
  • Updated all relevant Debian packages to Bullseye/11 versions; including PHP 7.4.
  • Provide predefined dh_params (via 'turnkey-make-ssl-cert' where relevant) as per RFC7919 - part of #1653.
  • Updated version of mysqltuner script.
  • Enable HTTP/2 by default (where possible). Note: will not actually work until a CA signed cert is generated or installed.
  • Configure OCSP stapling (will only work once a valid cert is configured).
  • Enable HSTS by default (only effects HTTPS traffic - full implementation also requires HTTP redirect to HTTPS and valid cert).
  • Enable Apache mod-headers by default (required for HSTS).
  • Disable cipher order in default ssl.conf (no longer required with the secure cipher suites we use; mild improvement in cpu resources).
  • Note: Please refer to turnkey-core's 17.0 changelog for changes common to all appliances. Here we only describe changes specific to this appliance.

Links

Pages