Thursday, July 20, 2017

Security Release: GitLab 9.3.8

[Update 2017-07-21]

GitLab 9.3.8 was affected by an infinite loop bug with the mudge/re2 library. The GitLab project has released GitLab 9.3.9, which solves that issue.

Bitnami GitLab 9.3.9 virtual machines and cloud images are already available in Bitnami.

----

The GitLab project released a new update that contains several security fixes, including an important security fix for two authorization bypass vulnerabilities (post-authentication). We recommend that all GitLab installations be upgraded to GitLab's new version (GitLab 9.3.8) immediately.

We released new versions of Bitnami GitLab 9.3.8 virtual machines and cloud images that fix the following security issues.
  • Projects in subgroups authorization bypass with SQL wildcards (CVE-2017-11438)
    • An authenticated user could take advantage of a badly written SQL query to add themselves to any project inside a subgroup. Versions from 9.0 are affected but 9.3 and above are not vulnerable, so this issue does not affect the latest versions we released on bitnami.com.
  • Unauthorized repository access by using project mirrors and CI (GitLab EE only) (CVE-2017-11437)
    • This vulnerability affects all versions of GitLab except GitLab 9.3.8 or newer.

More information about the issue can be found in the official blog post. No workaround is available for these vulnerabilities at this time. Therefore, if you are running a GitLab instance with a version prior to 9.3.8, you will need to upgrade GitLab to its latest version by following this documentation (https://docs.bitnami.com/?page=apps&name=gitlab&section=how-to-upgrade-gitlab).

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum, and we will be happy to help you.

Wednesday, July 19, 2017

Meet the Bitnami team: Simon Bennett

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Simon Bennett is our VP of Product, leading our product vision, engaging with customers and helping the engineering team deliver awesome product to our customers.

A brief bio

I originally hail from the UK where I studied computer science and began my professional career working on projects in retail, financial services and a long-extinct category of company called “dotcoms”.

The picture to the left was one of the first projects I worked on while finishing my degree at the University of Southampton. It felt very futuristic at the time.

I moved to the San Francisco Bay Area in 2002, lured by the huge number of software companies and the freedom to snowboard or surf at the weekend depending on the season.

Somewhere along the way I got interested in the “business side” and switched from pure engineering management to product management. I really enjoy working on building durable businesses that produce valuable software products for lots of people.

Why did you join Bitnami and what excites you about working here?

During my time at VMware working on the personal desktop products I loved being able to make hundreds of thousands of developers and professionals more productive. Working for a large, well-known company has many benefits, but I missed the dynamic nature of smaller companies where an individual team’s results directly affect the health of the business as a whole.

At Bitnami, I feel like I have the best of both worlds - the ability to reach hundreds of thousands of users to make them more productive, plus, a dynamic and passionate team willing to experiment, execute, and learn what our users and partners need every single day.

The caliber and passion of the people at Bitnami means I’m always learning something new - whether it’s “how to run an excellent meetup” from our operations team, or “the latest trends in immutable software infrastructure” from our globally distributed team of architects and engineers.

What are you working on?

One of my current projects is analysing the results from our annual user survey. I’m trying to understand what our users love about Bitnami today and where we can improve. Our industry is being revolutionized by the move to cloud computing and it’s a privilege to have the insights from over 17,000 survey respondents to guide our strategy and investments.

I’m also spending time getting hands-on with our automated packaging system, which has been significantly upgraded in the last few months. We intend to make parts of that system available outside Bitnami to tackle new use-cases. In doing so I’m learning that having a team distributed throughout the world means that Bitnami, in a literal sense, never sleeps.

What do you like to do for fun?

I typically have 3-4 different projects on the go at any given time, often an art, building or electronics project with one of my boys. When time permits, I’m likely to be outside - exploring the city, heading to the mountains or the beach.

Interested in working with Simon at Bitnami? Apply for one of our open positions!


Friday, July 14, 2017

Switching the Bitnami Launchpad for Microsoft Azure from Classic Deployment to ARM Deployments

Two weeks ago, the new Bitnami Launchpad for Microsoft Azure was made available to new Bitnami users. The new Bitnami Launchpad for Microsoft Azure is based on the Azure Resource Manager (ARM) deployment model. Existing users were still redirected to the previous version of the Bitnami Launchpad for Microsoft Azure, which uses the classic Azure deployment model.

Although the web interface and the user experience for these two versions of the Bitnami Launchpad for Microsoft Azure are identical, the backend deployment technology in each launchpad version is entirely different, and the two are incompatible with each other.

While Azure still supports classic model deployment, the ARM deployment model is the recommended option. The main benefit of the ARM deployment model is that ARM sees the infrastructure components for running the applications as part of a single entity (resource group) and allows you to deploy, manage and monitor them as a group. You can learn more about the differences between these technologies here.

On July 17th, all users will have access to the new Bitnami Launchpad for Microsoft Azure (ARM) at https://azure.bitnami.com. However, the Bitnami Launchpad for Microsoft Azure (Classic) will still be accessible at https://classic.azure.bitnami.com for current users until September 5th to ensure a seamless off-boarding.

On September 5th, the Bitnami Launchpad for Microsoft Azure (Classic) will be shut down. After this date, users will no longer be able to manage their classic deployments through the Bitnami Launchpad for Microsoft Azure (Classic). However, all the resources will still be accessible directly through the Azure Portal.

Please note: below are the milestones and dates we will be working toward for the shutdown of the Bitnami Launchpad for Microsoft Azure (Classic):

| Milestone | Date |
|---|---|
| Bitnami Launchpad for Microsoft Azure (ARM) available for all users | Monday, July 17th |
| Disable adding new subscriptions in the Bitnami Launchpad for Microsoft Azure (Classic) | Tuesday, July 25th |
| Disable the creation of new servers in the Bitnami Launchpad for Microsoft Azure (Classic) | Thursday, August 3rd |
| Bitnami Launchpad for Microsoft Azure (Classic) shutdown | Tuesday, September 5th |

In order to use the Bitnami Launchpad for Microsoft Azure (ARM), users are required to connect their Azure and Bitnami accounts in the new launchpad. This process is outlined here.

FAQ

Q1. When do I need to take action by?
Even though the Bitnami Launchpad for Microsoft Azure (Classic) will be available until September 5th, we encourage users to start using the new ARM-based launchpad as soon as possible. After that date, the VMs launched with the classic deployment model will only be accessible through the Azure Portal.

After July 25th, adding new Azure subscriptions for managing your servers through the Bitnami Launchpad for Microsoft Azure will only be supported through the ARM-based launchpad. After that day, an account in the new Bitnami Launchpad for Microsoft Azure (ARM) will be required for adding new subscriptions.

After August 3rd, launching new servers through the Bitnami Launchpad for Microsoft Azure will only be supported through the ARM-based launchpad. After that day, an account in the new Bitnami Launchpad for Microsoft Azure (ARM) will be required for launching new servers.

After September 5th, an account for the new Bitnami Launchpad for Microsoft Azure (ARM) will be required in order to use the Bitnami Launchpad for Microsoft Azure.

Q2. How does this affect my running instances launched through the Bitnami Launchpad for Azure?
Your current virtual machines are not affected by this switch-over. They will continue to run as expected and can be started, stopped and deleted through the Azure Portal.

Q3. Can I still access my instances through the Azure portal without re-authenticating in Bitnami?
Yes.

Q4. How does this affect my Azure subscription accounts?
No changes are being made to your Azure account. Your subscription will be unaffected. However, in order to continue using it with Bitnami, you will need to connect your Azure and Bitnami accounts in the new ARM-based launchpad.

Q5. Will I be able to access existing VMs through the Bitnami Launchpad for Azure after re-authenticating?
Existing VMs deployed with the classic deployment model will be shown in the new version of the launchpad until the Bitnami Launchpad for Microsoft Azure (Classic) shutdown on September 5th. After that, the Azure console within the Azure Portal must be used in order to stop or delete your VMs.

Newly created VMs which use the ARM deployment model will have full functionality through the Bitnami Launchpad for Microsoft Azure after the shutdown.

Q6. Where can I get help?
If you find any issue with your account or have further questions about the Bitnami Launchpad for Microsoft Azure switch-over, please contact the Bitnami helpdesk.

As always, for any questions related to the deployment or our Bitnami applications, we are glad to help through our community site.