Important security notice: Your TurnKey system may no longer be receiving automatic security updates
I have some bad news and some good news. The bad news is that if your TurnKey installation is older than 2 weeks you may no longer be receiving security updates.
The good news is that you are reading this and there is a very easy fix. Either reboot your system, or log in and restart the cron service:
/etc/init.d/cron start
Until you restart cron, security updates and other scheduler-related services (e.g., daily backups) will not work.
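A small health check for this failure, added here as an example and not part of the original post or of TurnKey's tooling: it looks for a running cron daemon and calls the init script above only when none is found. It assumes the daemon's process name is `cron`; `PROC_ROOT` and `CRON_INIT` are hypothetical override variables introduced for this example.

```shell
#!/bin/sh
# Added example: detect a stopped cron daemon and start it again.
# PROC_ROOT and CRON_INIT are hypothetical overrides so the logic can be
# exercised against constructed fixtures; the defaults target a live system.
PROC_ROOT="${PROC_ROOT:-/proc}"
CRON_INIT="${CRON_INIT:-/etc/init.d/cron}"   # init script named in the post

# Return 0 if a process whose command name is exactly "cron" exists.
# Assumption: the scheduler daemon shows up as "cron" in /proc/<pid>/comm.
cron_running() {
    for comm in "$PROC_ROOT"/[0-9]*/comm; do
        [ -r "$comm" ] || continue           # unmatched glob or vanished process
        read -r name < "$comm" || continue
        [ "$name" = "cron" ] && return 0
    done
    return 1
}

# Start cron only when it is down. Prints one status word:
#   running - daemon already up, nothing changed
#   started - daemon was down and the init script succeeded
#   failed  - daemon was down and the init script returned non-zero
ensure_cron() {
    if cron_running; then
        echo running
        return 0
    fi
    if "$CRON_INIT" start >/dev/null 2>&1; then
        echo started
        return 0
    fi
    echo failed
    return 1
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--fix" ]; then
    ensure_cron
fi
```

Run it as root with `--fix` on each system; a `failed` result means the init script itself needs attention.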
What happened?
Ubuntu screwed up a recent security update. There was a nasty bug. When installed, the update breaks cron, the scheduling daemon TurnKey uses to auto-install security updates. Not good.
According to a routine report generated from the access logs on our security repository, there are currently thousands of TurnKey installations affected by this issue. Those systems are not getting automatic security updates. There's no immediate risk, but that could quickly change if a remote vulnerability is discovered in the time it takes whoever is responsible for the server to figure this out.
Make sure we can always reach you
There's a moral in all of this: make sure we can always reach you somehow.
Sure, usually we don't need to get your attention regarding security issues because TurnKey is configured to auto-install updates, but as this incident shows, we can't rely on that always working.
This time we can't fix the issue on our side, since it affects the very auto-update mechanism that's usually used to fix security issues.
The best we can do is try to reach out to users and inform them that there is an issue that they need to manually intervene to resolve. Hopefully we can get through to anyone subscribed to this blog or the News and Security announcements newsletter, or that has a Hub account.
In any case, we'll soon find out from the logs on the security repository just how many of our users we can or can't reach.
Comments
Hi Liraz, very appreciated
Hi Liraz,
Very appreciated for this update. This approach shows transparency and proves another time how crystal clear models work much better than ones using security through obscurity. Keep going!
Phillip
I agree. We've never believed
Good idea on the blog post
Hopefully we can get as many TKL users sorted out as possible, before anything nasty happens.
Also I have read (although haven't confirmed it) that simply upgrading all the packages will also solve it:
Although obviously this will upgrade all packages (even those that haven't received auto security updates). This may have unintended and perhaps unwanted side effects so make sure you do a backup first.
How to get just the security updates
You can also manually invoke the inithook script that installs all the security updates on firstboot:
Hmm... maybe this should go into the documentation...
I've updated the security updates documentation
Also, I've included a little snippet that clarifies how to install just the security updates at any time via the cron-apt script (the same thing that cron usually executes every night).