Tuesday, May 3, 2016

ImageMagick: Remote execution vulnerability (CVE-2016–3714)

Several security vulnerabilities have been recently discovered for certain ImageMagick coders. Specifically, the vulnerabilities include possible remote code execution and the ability to render files on the local system.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s Imagick, Ruby’s RMagick and Paperclip, and nodejs’s imagemagick.

More information about the vulnerability can be found on the ImageMagick website. (Updated 05/05 The issue has been named as ImageTragick.)

If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing this:

1. Edit the policy.xml file of ImageMagick:
2. Add the following policy rules (updated 05/05):
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />

3. Verify your policies with the following command:
convert -list policy
Below is an example policy output:
Path: [built-in]
  Policy: Undefined
    rights: None 
Path: /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: None 
    pattern: URL
  Policy: Coder
    rights: None 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL

The Bitnami Team is working hard on updating the library to its latest version in order to fix this issue in our future releases. If you have questions about ImageMagick or the security vulnerability, please post to our community forum, and we will be happy to help you.

Security notification: OpenSSL 1.0.2h / 1.0.1t

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160503.txt

There are two high security issues that do not affect Bitnami installations:

1. Memory corruption in the ASN.1 encoder (CVE-2016-2108).

  • All of the currently released Bitnami stacks use an OpenSSL version greater than the affected versions: 1.0.2c or 1.0.1o.

2. Padding oracle in AES-NI CBC MAC check (CVE-2016-2107). 

  • The OpenSSL we ship with the Bitnami installers, virtual machines and cloud images does not enable AES-NI encryption.

The Bitnami team will continue working on updating OpenSSL to 1.0.2h for all Bitnami apps, however, to be clear, the two security issues above do not affect our applications that are currently available.

Critical Security Release for GitLab (CVE-2016-4340)

The Gitlab project released a new update that contains a number of important security fixes, including one for a critical privilege escalation, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.7.1 installersvirtual machines and cloud images that fix the security issues.

Critical Security Issue: Privilege escalation via "impersonate" feature

Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.

Part of this feature was not properly secured and it was possible for any authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see the GitLab website for more details. Additional information regarding the additional changes is available in the official security advisory.


If you are unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade:

Securing via web server configuration

1. Add the following text at the end of the httpd-app.conf file of Gitlab
<LocationMatch "^/admin/users/stop_impersonation">
  Order Deny,Allow
  Deny from all
2.  Restart Apache
sudo /opt/bitnami/ctlscript.sh restart apache

Securing via patch

1. Create a patch file at /opt/bitnami/apps/gitlab/htdocs
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index bf98af7..8790018 100644
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -1,4 +1,5 @@
 class Admin::ImpersonationController < Admin::ApplicationController
+  before_action :render_403, only: :destroy
   skip_before_action :authenticate_admin!, only: :destroy

   before_action :user

2. Apply the path
sudo git apply -v path.diff
The following output will appear:
Checking patch app/controllers/admin/impersonation_controller.rb...
Applied patch app/controllers/admin/impersonation_controller.rb cleanly.

Recover the permissions of the modified file:
sudo chown git:git /opt/bitnami/apps/gitlab/htdocs/app/controllers/admin/impersonation_controller.rb

Verifying the workaround

  1. In an Incognito Window, login as an administrator
  2. Go to the Admin section
  3. Click on "Users"
  4. Select any user
  5. Click "Impersonate"
  6. Click on the "Stop Impersonation" icon in the upper right:

      7. Verify you receive a 403 Forbidden error

Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.

Friday, April 29, 2016

Open edX "Dogwood" Is Now Available from Bitnami!

We're happy to announce a new version of the Bitnami Open edX stack!

Open edX is the open-source online learning platform originally conceived by edX, a nonprofit online learning destination founded by Massachusetts Institute of Technology and Harvard University that offers courses from the world’s best universities and institutions. The Open edX platform provides development tools to create, teach, and manage courses, student experiences, and learning outcomes at Internet scale.

Some of the new features in this new version are:
  • Partial credit
  • Open edX Analytics Developer Stack
  • Initial Version of Comprehensive Theming
  • Additional File Types for Open Response Assessments
  • Timed Exams
  • LTI XBlock
  • Otto Ecommerce Service

Several features are deprecated as of the Open edX Dogwood release:
  • Original ORA ("ORA1") Problems
  • Legacy Instructor Dashboard
  • Studio Checklist page
  • Certain XModules and Tools, including the graphical_slider_tool and the FoldIt protein simulator
  • The psychometrics and licenses Django apps

With Bitnami, developers can deploy a ready-to-run Open edX Stack with just one click. To get started, choose from our all-in-one free native installers, virtual machines or cloud images.

If you have questions about Bitnami Open edX Stack, please post to our community forum and we will be happy to help.

Wednesday, April 27, 2016

Jenkins 2.0

We're happy to announce a new version of the Bitnami Jenkins Stack:

Jenkins is an open source continuous integration server built with Java that supports building and testing virtually any project. It supports different SCM tools, can execute Apache Ant and Apache Maven-based projects as well as arbitrary shell scripts and Windows batch commands. Additionally, Jenkins can monitor executions of remote tasks and much more. Hundreds of plugins are also available for configuring your own system based on your specific requirements.

The highlights of Jenkins 2 are:
  • Built-in support for delivery pipelines
  • Improved usability
  • Fully backwards compatible
The new Jenkins pipeline enables the ability to define workflows by describing them in a domain-specific language. The pipelines are durable, versatile and extensible, with all of their functionality designed to meet the needs of a continuous delivery system. To learn more information about this release, visit the Jenkins 2 overview page.

With Bitnami, you can deploy a ready-to-run Jenkins Stack with just one click. To get started, choose from our all-in-one free native installers (for Linux, Windows and OS X), virtual machines and Cloud Images.

Friday, April 15, 2016

Bitnami Parse Server Stack now includes Parse Dashboard!

We are happy to announce a new feature available in the Bitnami Parse Server Stack:

Following the suggestions made by the users of the original stack, we have included the Open Source project named Parse-Dashboard, which we believe will improve the overall user experience of this stack. 

The Parse Dashboard is a web interface that helps developers interact with the Parse Server API in a graphic way. With the dashboard, developers will be even closer to the experience available before migrating from the original Parse Hosting Services. 

With Bitnami, developers can easily deploy a ready-to-run Parse Server Stack, now including a beautiful web GUI, with just one click. To get started, choose from our all-in-one free native installers (for Linux), virtual machines and Cloud Images.

If you have questions about Bitnami Parse Server Stack, please post to our community forum and we will be happy to help.

Wednesday, April 13, 2016

WordPress 4.5 "Coleman" now available from Bitnami!

We're happy to announce a new version of Bitnami Wordpress Stack:

WordPress is a popular blogging software and powers more than 10% of all websites globally. Developed by Automattic, WordPress rose to popularity quickly because of it’s up-to-date development framework, extensive feature set, multilingual publishing ability, multi-author support, and thriving community. Thousands of free and commercial themes and plugins are available to extend and personalize WordPress for just about anyone who needs a website.

A few of the major changes in this new version include:
  • Finer points: Customizer improvement
  • Finer points: Visual Editor improvement
  • Finer points: Comment refinement
  • Finer points: Optimization of image generation
  • Developers: Selective refresh
Developers: Backbone and underscore update

  • Developers: Embed templates 
  • Developers: Term edit page changes 

What's new?
  • Posts: Inline link editing

  • Posts: Additional editor shortcuts
Comments: Moderate comment screen refresh

  • Comments: Max length for comment form fields
Comments: Comment error page navigation

  • Appearance: Responsive preview of your site

  • Appearance: Theme logo support
Appearance: Selective refresh

  • Appearance: Easy of use

Under the hood:
  • Bug fix: Support Windows shares/DFS roots in wp_normalize_path()
  • Bug fix: OPTIONS request to REST API does not return correct Accept header
  • Smart Image resizing
  • JavaScript library updates
  • Script Loader improvements
You can learn more information about this release in the WordPress blog.

With Bitnami, you can deploy a ready-to-run Wordpress Stack with just one click. To get started, choose from our all-in-one free native installers (for Linux, Windows and Mac OS X), virtual machines and Cloud Images for Amazon EC2, Azure, CenturyLink, Digital Ocean, Google Cloud Platform, vCloud Air and 1&1 Cloud Platform.

Monday, April 11, 2016

Solr 6 now available from Bitnami!

We're happy to announce a new version of Bitnami Solr Stack:

Apache Solr is a fast search platform from the open source Apache Lucene project. Solr makes use of Lucene, a powerful search engine framework, and includes an http-wrapper around the robust framework so it is ready-to-use out of the box. Features include full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is used by some of the largest companies in the world to power search on their public projects.

A few of the major changes in this new version include:
  • Improved defaults for "Similarity" used in Solr, in order to provide a better default experience for new users.
  • Improved "Similarity" defaults for users upgrading: DefaultSimilarityFactory has been removed, the implicit default Similarity has been changed to SchemaSimilarityFactory, and SchemaSimilarityFactory has been modified to use BM25Similarity as the default for field types that do not explicitly declare a Similarity.
  • Deprecated GET methods for the schema are now accessible through the bulk API. The output has less details and is not backward compatible.
  • Users should set useDocValuesAsStored="false" to preserve sort order on multi-valued fields that have both stored="true" and docValues="true".
  • Deprecated SolrServer and subclasses have been removed, use SolrClient instead.
  • Filter support added to Real-time get.
  • Column alias support added to the Parallel SQL Interface.
  • New command added to switch between secure/non-secure mode in zookeeper.
  • Now possible to use IP fragments in replica placement rules.

  • And many more features that you can find on the Solr Website.

With Bitnami, you can deploy a ready-to-run Solr 6 Stack with just one click. To get started, choose from our all-in-one free native installers (for Linux, Windows and MacOSX), virtual machines and Cloud Images for Amazon EC2, Azure, Digital Ocean, vCloud, 1&1 and Google Cloud Platform.

Tuesday, April 5, 2016

Now on Bitnami: ReportServer Enterprise with Scripting, Crystal Reports Support

Are you looking for an enterprise-grade BI suite for analytics and reporting? Look no further than ReportServer Enterprise Edition, now available on Bitnami for immediate deployment. ReportServer Enterprise Edition expands on all the features of ReportServer Community Edition (also available on Bitnami) and adds a wide range of enterprise functionality that allows for easier integration into almost any environment.

ReportServer takes all the pain out of report generation and analysis by offering a centralized interface to multiple reporting engines, including Jasper, Eclipse BIRT and Mondrian OLAP, and a versatile Dynamic List reporting component. ReportServer Enterprise Edition extends this support to SAP Crystal Reports and also adds pivot and templating capabilities to Dynamic List reports.

Extensive scripting capabilities in ReportServer Enterprise Edition allow you to build powerful, interactive reports customized to your requirements. For example, you can integrate enterprise authentication mechanisms such as LDAP and SSO or use script datasources to integrate data from external web services.

ReportServer-9.pngReportServer Enterprise Edition is also fully themeable, so it can be easily adapted to match your corporate identity and branding. For a complete list of differences between the Community and Enterprise Edition, visit this comparison page on the ReportServer website.

Bitnami ReportServer users get a free 45-day free trial of ReportServer Enterprise Edition, so there's nothing holding you back from trying out all that data-rich, pivot-table goodness. Use our local installers, virtual machines, and cloud images to try ReportServer Enterprise Edition now.

You can also launch an absolutely free one-hour demo server by clicking the button below!

Monday, April 4, 2016

Security Release: Node.js 4.4.2 and 5.10.0

The Node.js project has just released new versions that fix a vulnerability in npm that could cause the unintentional leakage of bearer tokens.

Read more about the security issue on the Node.js blog.

We want to let Bitnami users know that Node.js 4.4.2 and Node.js 5.10.0 installers, virtual machines and cloud images have been updated and released. We strongly suggest that you update your Node.js applications to the latest version.

If you work with containers, Stacksmith already has the latest versions of Node.js available.

Do you have questions about Bitnami Node.js or the security issues? Please post to our community forum and we will be happy to help.

Wednesday, March 23, 2016

Join Bitnami at GCP Next 2016!

GCP NEXT 2016 begins today, and we are excited to announce that we are a proud partner. We will be demoing the latest additions to Stacksmith, which focus on combining easier, up-to-date container creation with integrations to CI systems (such as Jenkins) and container orchestration systems (like Kubernetes).

Stop by our booth (#8), and say hi to our engineers that are behind the project:

More information about GCP NEXT:

At GCP NEXT, you’ll have the opportunity to attend three visionary keynotes presented by GCP with industry leaders, 30 in-depth technical sessions, participate in self paced code labs, and hear how other IT leaders rely on GCP for mission critical cloud solutions.

The 2-day conference includes sessions designed to help you build on your cloud strategy:
  • From idea to market in less than 6 months: Creating a new product with GCP
  • IoT - from small data to big data: Building solutions with connected devices
  • Security analytics for today's cloud-ready enterprise 
  • Your new super power: Using machine learning to build applications that understand the world
Can’t make it to GCP NEXT in person? Don’t worry, you can live stream GCP NEXT for free. Register here: https://goo.gl/lrjTHV

Monday, March 21, 2016

Bitnami-powered Applications are now available through GoDaddy Cloud Servers

GoDaddy, the largest technology provider for small businesses, has announced that they will be expanding their hosting offerings to provide Cloud Servers and Bitnami-powered applications.  GoDaddy Cloud Servers are intended for customers who want to quickly build, test, and scale their cloud solutions. Bitnami’s mission has always been to do the same.  So, we are proud to partner with GoDaddy in order to help execute both our missions and help more customers.

Today, GoDaddy Cloud Servers’ customers will find more than 130 Bitnami-powered applications that are easy to download, configure, and install in just one click.  According to GoDaddy, “Bitnami-powered applications bring one-click optimized installation for application solutions like CMS (eg: Wordpress and Drupal), CRM (Odoo and Open ERP), and eCommerce (eg: OpenCart and Magento).” These customers will now be able to experience Bitnami’s consistent, secure, up-to-date, and optimized end-user experience on any platform.

Want to launch a Bitnami-powered application in GoDaddy’s Cloud Servers? Here’s how:
  1. Login or sign up for a GoDaddy Cloud Servers account
  2. Choose your Bitnami-powered application and configure your server
  3. Click ‘Finish’ and your application will start to build!

Still curious? Click here for more information or watch our quick video to see how to get running on GoDaddy Cloud Servers:

Tuesday, March 15, 2016

Security Release: Moodle


Moodle has just released an update to all supported versions that addresses several security issues. The security vulnerabilities have been discovered and fixed, in addition to a number of bug fixes and small improvements.

Specifically, the update solves the following issues:

  • MDL-48778 - Fixed problems with "assign quick grading" in case of multiple attempts
  • MDL-31635 - Changed course completion "grade" criteria to correctly show grades as points and not percents
  • MDL-21912 - Introduced new setting "Allow admin conflict resolution" for restoring a course from a different Moodle site
  • MDL-51702 - Restored ability to assign roles to blocks in Default Dashboard and My page
  • MDL-49807 - Changed wiki table of contents to correctly display headers created in Atto editor
To read more about these issues, check out Moodle's official announcement.

We have released new versions of Bitnami Moodle installersvirtual machines and Amazon EC2GoogleOracleVMware vCloud AirDigitalOcean and Azure cloud images that fix these issues. 

Do you have questions about Bitnami Moodle or the security issue? Post to our community forum, and we will be happy to help you.

Wednesday, March 2, 2016

Security Release: Django 1.8.10 and 1.9.3

The Django project has released new versions that fix two security issues:

  • CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
  • CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade

  • Read more about the security issues on the Django blog.

    We want to let Bitnami users know that Django 1.8.10 and Django 1.9.3 installers, virtual machines and cloud images have been updated and released. We strongly suggest that you update your Django applications to the latest version.

    Do you have questions about Bitnami Django or the security issues? Please post to our community forum and we will be happy to help.