Wednesday, May 24, 2017

Introducing ksonnet, an Open Source configuration experience for Kubernetes


We are pleased to announce ksonnet today, an open source tool for configuring applications running on Kubernetes clusters that we have built in collaboration with our friends from Box, Microsoft and Heptio.

Bitnami's mission is to make awesome software available to everyone. We originally started by providing easy-to-use native installers for popular open source server software. We've quickly expanded into providing virtual machines, cloud images and, more recently, containers.

Kubernetes has emerged as the leader in deploying production container workloads. Though Kubernetes can be thought of as an orchestration system, it has turned into a full-fledged platform that others can build on. A large ecosystem of contributors has emerged, providing tooling around monitoring, security, management and any other aspect of building and maintaining Kubernetes clusters. In particular, Bitnami has been involved with the Helm package manager and related projects such as Monocular and Kubeless, the Kubernetes-native serverless framework.

Internally, we have been early adopters of Kubernetes ourselves. In the process of migrating all of our infrastructure to Kubernetes, we ran into scenarios that pushed the limits of what current solutions could deal with. As a result, we have ended up creating our own tooling to help define and manage complex Kubernetes deployments. Around the same time, Heptio was working on a similar project and approached us to combine efforts, resulting in ksonnet.

ksonnet is an open source tool for configuring applications on Kubernetes, built on the jsonnet templating language. It is designed to be easy to use, yet extensible and powerful enough to cover as many scenarios as possible.

Our goal is that ksonnet will help lower the barrier of adoption for Kubernetes and will continue to evolve and integrate with the rest of the Kubernetes ecosystem. Though it has just been released, it is already being worked on by an active group of contributors that includes Red Hat, CoreOS, Box and Microsoft. We are particularly excited about the integration with the Helm project, allowing the generation of Helm charts that support ksonnet as an alternative to existing templates.

Heptio and we are excited to share ksonnet with the community and to help push Kubernetes further into the mainstream. Give it a try today and let us know what you think!

Thursday, May 18, 2017

Security Release: Joomla! 3.7.1


A critical SQL injection vulnerability has recently been identified in Joomla! 3.7.0. Joomla! 3.7.1 has now been published to address this vulnerability, along with other bug fixes. You can find more information about version 3.7.1 and the vulnerability in 3.7.0 in this Joomla! blog post.

The Joomla! team strongly encourages users to update their Joomla! site(s) to version 3.7.1. Bitnami has released Bitnami Joomla! 3.7.1 installers, virtual machines and cloud images for all platforms. You can find instructions on how to upgrade your Bitnami Joomla! application here.

Have questions about Bitnami Joomla! or the Joomla! security vulnerability? Post to our Community Forum, and we will be happy to help you.

Wednesday, May 10, 2017

Newly Released Open edX Ficus Now Available in Bitnami

We are happy to announce the release of Ficus, the latest version of the popular Open edX online learning platform. Conceived by edX, a nonprofit online learning destination founded by Massachusetts Institute of Technology and Harvard University, Open edX is the chosen online learning solution for a wide variety of educational institutions, non-profits, and corporate training departments.
Bitnami’s Open edX package contains everything you need to run online learning courses out of the box. Some of the application’s main features include:
  • Open edX Studio to create the course structure and add content, including problems, videos, and other resources. Studio is also used to manage the course schedule and team, set grading policies, publish each part of a course, and more.
  • A Learning Management System (LMS) that learners use to access course content, including videos, textbooks, and problems, and to check their progress in the course. The LMS includes forum and wiki functionality for both learners and instructors.
  • Full customization, with themes that incorporate an organization’s logos, images, and color schemes. Themes for Open edX Studio and LMS can incorporate custom page templates and CSS for a truly unique look.

What’s New in Ficus

The latest version of Open edX includes many new features centered around the LMS, Studio, and course authoring tools. The edX team has also added enhanced course data for instructors and students, new third-party authentication capabilities, and accessibility improvements.

For a complete list of new features in Ficus, take a look at the Open edX release blog post.
Interested in trying Open edX? You can launch a one-hour demo in the cloud, absolutely free! See how easy it is to get started with an Open edX cloud image by taking a free test drive.



You can also launch Open edX Ficus in your own cloud account, download a Virtual Machine, or download a native installer for Linux.

Visit our documentation to learn how to manage your installation. Still have questions? Head to our community pages for expert advice from our team.

Thursday, May 4, 2017

WordPress security issue: Unauthenticated Remote Code Execution (RCE)

A critical WordPress security vulnerability was recently published. The remote code execution PoC exploit described in the advisory targets version 4.6; however, other WordPress versions prior to 4.7.1 may also be affected.

The WordPress team strongly encourages users to update their WordPress site(s) to the most recent version, 4.7.4. If you are already running Bitnami WordPress, the application can be updated from the admin panel. Note that automatic background updates are enabled by default, but they only apply minor releases: upgrading from 4.6.x to 4.7.y is not automatic and has to be started from the admin panel. You can confirm that the update has been applied by checking the version from within your admin panel.

We have released Bitnami WordPress 4.7.4 (and Multisite version) installers, virtual machines and cloud images for all platforms.

Have questions about Bitnami WordPress or the security issue? Post to our Community Forum, and we would be happy to help you.

Friday, April 28, 2017

Security Release: Jenkins 2.57/2.46.2

The Jenkins project has released new versions that fix multiple cross-site request forgery vulnerabilities, an unauthenticated remote code execution vulnerability and an impersonation issue.

It is strongly suggested that you update your Jenkins installations to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins Docker container image, please follow the documentation in our GitHub repository.

You can find more information about the Jenkins security issues in the Jenkins Security Advisory.


Bitnami has released Jenkins 2.57 containers, and Jenkins 2.46.2 installers, virtual machines and cloud images that address these vulnerabilities.

https://bitnami.com/stack/jenkins

The Bitnami Jenkins offered on Bitnami.com and on our cloud-specific launchpads has been updated to version 2.46.2. New launches of Bitnami Jenkins via our launchpad are secure and do not need to be further updated.

Users launching Bitnami Jenkins via a cloud marketplace are advised to select version 2.46.2 of Bitnami Jenkins, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help you.

Thursday, April 20, 2017

Drupal Security Issue SA-CORE-2017-002


Drupal’s core security team has discovered a new critical security vulnerability in the RESTful Web Services (rest) module, SA-CORE-2017-002.

This module is not enabled by default in the Bitnami Drupal application. If you do not use the RESTful Web Services module, you do not need to take any action.

If you have the RESTful Web Services module enabled, your Drupal application is affected if all of the following conditions are met:
  • The version of the application is prior to 8.3.1 (Drupal 7.x is not affected).
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.
If your Drupal installation meets those requirements it is recommended to update your Drupal application to the latest version, Drupal 8.3.1. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released Drupal 8.3.1 containers, installers, virtual machines and cloud images that address this vulnerability. If you deploy Bitnami Drupal via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Drupal via one of our cloud partner marketplaces and it is not yet updated to version 8.3.1, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forums, and we will be happy to help you.

Tuesday, April 18, 2017

Drupal Security Issue SA-CONTRIB-2017-38

A critical security vulnerability in the References module has been published by the Drupal security team as SA-CONTRIB-2017-38. Although this module is no longer maintained, it is used by over 120,000 installations.

If you use the References module, you are advised to uninstall it. To keep equivalent functionality, try the Entity Reference module instead. If you do not use the References module, you do not need to take any action.

The References module only exists for Drupal 7.x. The Bitnami Drupal stack does not include the References module by default, so it is not affected by this issue.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, and we will be happy to help you.

Wednesday, March 22, 2017

Moodle Security Issue CVE-2017-2641

[UPDATE 2017-03-23]

For new application deployments, Bitnami has released Moodle 3.2.2 installers, containers, virtual machines and cloud images that address this vulnerability. If you deploy Bitnami Moodle via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Moodle via one of our cloud partner marketplaces and it is not yet updated to version 3.2.2, you should apply the workaround explained below.

----

The Moodle project has just released new versions that contain an important security fix for a SQL injection vulnerability via user preferences that can lead to remote code execution (CVE-2017-2641).

Moodle has released versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19 that fix the issue. We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Moodle packages available through Bitnami as quickly as possible.

Workaround


In the meantime, we strongly encourage all Moodle administrators to apply the security patch published by the Moodle maintainers. To do so, log in to the server hosting your Moodle installation and run the following commands:

$ curl -L -o /tmp/security.patch 'https://git.moodle.org/gw?p=moodle.git;a=patch;h=6e65554ea19f4e90c09864081e47424f8efca02e'
$ cd /opt/bitnami/apps/moodle/htdocs
$ sudo patch -p1 < /tmp/security.patch
$ rm /tmp/security.patch
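The commands above assume you already know that your site runs an unpatched release and that the patch will apply cleanly. The script below is an added example, not Bitnami's or Moodle's own tooling: it reads the release number from Moodle's version.php, reports whether that branch still needs the fix using the fixed releases listed above (3.2.2, 3.1.5, 3.0.9, 2.7.19), and applies the upstream patch only after a forward dry run succeeds, so a patch that is already applied or does not match the tree is rejected instead of half-applied. The MOODLE_DIR default and the patch URL are the ones from this post; the script has to run with enough privileges to write to the Moodle tree (for example under sudo).

```sh
#!/bin/sh
# Added example (not Bitnami's or Moodle's own tooling): classify a Moodle
# checkout against the releases that fix CVE-2017-2641 and apply the upstream
# patch only after a dry run succeeds. MOODLE_DIR and PATCH_URL come from the
# post; run with enough privileges to write the Moodle tree.
set -eu

MOODLE_DIR="${MOODLE_DIR:-/opt/bitnami/apps/moodle/htdocs}"
PATCH_URL='https://git.moodle.org/gw?p=moodle.git;a=patch;h=6e65554ea19f4e90c09864081e47424f8efca02e'

# Prints the release number from a Moodle version.php, which carries a line
# such as:  $release  = '3.2.1 (Build: 20170109)';  (weekly builds add a "+").
moodle_release() {
    awk -F"'" '/^[$]release[[:space:]]*=/ { split($2, v, " "); print v[1]; exit }' "$1"
}

# Compares two dotted versions numerically and prints -1, 0 or 1. A trailing
# "+" on a component is ignored, so 3.2.1+ compares as 3.2.1 (conservative).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Lowest release on each supported branch that carries the fix (from the post).
fixed_release_for_branch() {
    case "$1" in
        3.2) echo 3.2.2 ;;
        3.1) echo 3.1.5 ;;
        3.0) echo 3.0.9 ;;
        2.7) echo 2.7.19 ;;
        *)   echo "" ;;
    esac
}

# Prints "fixed", "vulnerable" or "unsupported" for a release such as 3.2.1.
# This is purely version based: a tree that already had the patch applied keeps
# its old $release, which is why apply_moodle_patch does a dry run first.
moodle_status() {
    branch=$(printf '%s' "$1" | cut -d. -f1,2)
    if [ "$(vercmp "$branch" 3.2)" -gt 0 ]; then
        echo fixed                      # branch released after the fix
        return 0
    fi
    fixed=$(fixed_release_for_branch "$branch")
    if [ -z "$fixed" ]; then
        echo unsupported                # no fixed release exists; upgrade instead
    elif [ "$(vercmp "$1" "$fixed")" -lt 0 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Downloads the upstream fix and applies it to DIR only if a forward dry run
# applies cleanly; "-N" makes patch fail on an already-applied patch.
apply_moodle_patch() {
    tmp=$(mktemp /tmp/moodle-CVE-2017-2641.XXXXXX)
    curl -fsSL -o "$tmp" "$PATCH_URL"
    if (cd "$1" && patch -p1 -N --dry-run < "$tmp" > /dev/null); then
        (cd "$1" && patch -p1 -N < "$tmp")
        rm -f "$tmp"
        echo "patched $1"
    else
        rm -f "$tmp"
        echo "patch does not apply cleanly to $1 (already applied, or a different branch?)" >&2
        return 1
    fi
}

case "${1:-}" in
    check) rel=$(moodle_release "$MOODLE_DIR/version.php")
           [ -n "$rel" ] || { echo "no \$release found in $MOODLE_DIR/version.php" >&2; exit 1; }
           echo "Moodle $rel: $(moodle_status "$rel")" ;;
    patch) apply_moodle_patch "$MOODLE_DIR" ;;
esac
```

Run it as `sudo sh moodle-2641.sh check` to see where the installation stands, then `sudo sh moodle-2641.sh patch` to apply the fix; rerunning `patch` is safe because the dry run refuses an already-patched tree.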

If you have further questions about Bitnami Moodle or this security issue, please post to our community forum, and we will be happy to help you.

Thursday, March 16, 2017

Security Release: Drupal 8.2.7



Drupal has released a new version that fixes three security vulnerabilities.

It is recommended that you update your Drupal application to the latest version, Drupal 8.2.7. You can follow our documentation to learn how to upgrade your application and ensure its security.

The vulnerabilities fixed in the latest version of Drupal are the following:

  • Editor module incorrectly checks access to inline private files - Access Bypass - Critical - CVE-2017-6377
  • Some admin paths were not protected with a CSRF token - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
  • Remote code execution - Moderately Critical - CVE-2017-6381


For new application deployments, Bitnami has released Drupal 8.2.7 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Drupal via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Drupal via one of our cloud partner marketplaces and it is not yet updated to version 8.2.7, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, and we will be happy to help you.

Tuesday, March 7, 2017

Security release: WordPress 4.7.3

WordPress has released a new version that fixes six security vulnerabilities.

It is recommended that you update your WordPress application to the latest version, WordPress 4.7.3. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.3 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.3, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Bitnami Announces Skippbox Acquisition

Those of you who follow Bitnami closely may have noticed that Bitnami has been ramping up our development of container-based applications, and, more recently, our efforts to make Kubernetes-based application deployment easier via Helm Charts and the Monocular project.

Thus, it’s probably not a big surprise that we are enthusiastic about the future of containers, and when it comes to orchestration, very excited about the momentum that has built around Kubernetes as the leading solution for running containers in production.

Therefore, we’re happy to announce the acquisition of Skippbox, Ltd.

With the Skippbox acquisition, we’re vastly upgrading our container and Kubernetes expertise.  While much is still in the “stay tuned” category, some immediate announcements include:

  • We’re now offering Kubernetes training, the first session of which will be at KubeCon EU, in Berlin.  For additional information on future training offerings, please check out our new training page.
  • Our new Senior Director of Cloud Technologies, Sebastien Goasguen, will be speaking on “Scheduling Containers with Kubernetes” at the upcoming O’Reilly Velocity Conference, June 21, 2017.
  • Bitnami has joined the Cloud Native Computing Foundation (CNCF), which is a perfect fit for our increased investments in containers and Kubernetes.

If you have any questions, we love to hear from you.  In the meantime, stay tuned for more container and Kubernetes developments in the very near future. 

Monday, February 27, 2017

Security notification: XSS and sandbox escape vulnerability in Plone

The Plone project has released a hotfix that fixes an XSS and a sandbox escape vulnerability in the application.

You can find more info about these issues on the Plone Security Announcements page.

All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version) are affected. Previous versions could be affected but have not been fully tested. We highly recommend patching your existing Plone sites by following the steps below:

1. Create a backup of your current installation of the application

https://docs.bitnami.com/?page=apps&name=plone&section=how-to-create-a-full-backup-of-plone

2. Download the available patch at the security page

https://plone.org/security/hotfix/20170117

3. Unpack the zip file into /opt/bitnami/apps/plone/zeocluster/products

4. Modify the permissions of the files

    sudo chown -R plone:plone /opt/bitnami/apps/plone/zeocluster/products

5. Restart the Plone service

    sudo /opt/bitnami/ctlscript.sh restart plone

6. Check that the application has restarted properly. You should see these lines in the /opt/bitnami/apps/plone/zeocluster/var/client1/event.log file:

    2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied zmi patch
    2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied strformat patch
    2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Hotfix installed
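Steps 3 to 6 can be scripted so that one command unpacks the hotfix, fixes ownership, restarts Plone and then confirms from event.log that the freshly started client actually loaded it. The script below is an added example, not Bitnami's or Plone's own tooling. It assumes the Bitnami paths used above, that the hotfix zip has already been downloaded from the security page to a local path, and that event.log lives where step 6 says; the verification only trusts log lines written after the restart, so markers left by an earlier start of the same client are not mistaken for the current one. Take the full backup from step 1 before running it.

```sh
#!/bin/sh
# Added example (not Bitnami's or Plone's own tooling): script the hotfix
# install described above and verify from event.log that the new ZEO client
# loaded it. Paths are the Bitnami ones from the post; the hotfix zip is
# assumed to be downloaded already. Take the full backup (step 1) first.
set -eu

ZEOCLUSTER="${ZEOCLUSTER:-/opt/bitnami/apps/plone/zeocluster}"
PRODUCTS="$ZEOCLUSTER/products"
EVENT_LOG="$ZEOCLUSTER/var/client1/event.log"
HOTFIX="PloneHotfix20170117"

# Succeeds if LOG (arg 1) contains, in order, the three lines the hotfix logs
# at startup. Lines numbered <= SKIP (arg 2, default 0) are ignored so that
# markers left by an earlier restart are not mistaken for the current one.
hotfix_installed() {
    awk -v hf="Products.$HOTFIX" -v skip="${2:-0}" '
        NR <= skip { next }
        index($0, hf " Applied zmi patch")       && stage == 0 { stage = 1 }
        index($0, hf " Applied strformat patch") && stage == 1 { stage = 2 }
        index($0, hf " Hotfix installed")        && stage == 2 { stage = 3 }
        END { exit (stage == 3) ? 0 : 1 }' "$1"
}

# Unpacks the hotfix zip (arg 1) into the products folder unless a copy is
# already there, fixes ownership, restarts Plone and waits for the markers.
install_hotfix() {
    if ls "$PRODUCTS" | grep -q "$HOTFIX"; then
        echo "$HOTFIX already present in $PRODUCTS, skipping unpack"
    else
        unzip -q "$1" -d "$PRODUCTS"
        chown -R plone:plone "$PRODUCTS"
    fi
    before=$(wc -l < "$EVENT_LOG" 2>/dev/null || echo 0)   # trust only newer lines
    /opt/bitnami/ctlscript.sh restart plone
    attempt=0
    while [ "$attempt" -lt 12 ]; do                          # up to one minute
        if hotfix_installed "$EVENT_LOG" "$before"; then
            echo "$HOTFIX loaded (see $EVENT_LOG)"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep 5
    done
    echo "$HOTFIX markers not found in $EVENT_LOG after restart" >&2
    return 1
}

case "${1:-}" in
    install) install_hotfix "${2:?path to the hotfix zip}" ;;
    check)   hotfix_installed "$EVENT_LOG" && echo "$HOTFIX present in $EVENT_LOG" ;;
esac
```

Run `sudo sh plone-hotfix.sh install /path/to/hotfix.zip` once; `sudo sh plone-hotfix.sh check` can be used later to confirm the markers are still present after any further restart.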

Do you have additional questions about Bitnami Plone or the security vulnerability? Please post to our community forum and we will be happy to help you.

Chat Securely with Mattermost Team Edition, Now in Bitnami!


We are excited to announce our newest ISV partnership with Mattermost, the open source Slack-alternative you can run in your own cloud account!

Modern chat tools have taken the world by storm with a variety of features like search, archiving, and extensibility that make them extremely useful to almost any type of organization. However, when chat is only available as a service it can run afoul of IT security policies that require full control over sensitive files and data. With a seemingly endless procession of data breaches, it is no surprise that many companies and organizations are unable to use chat tools that only run on servers they cannot control or audit.


That's why Mattermost Team Edition presents such a great opportunity: it comes loaded with all the features that make contemporary chat tools great while giving the organization complete ownership of all its conversations, shared files, images, and other data generated in the course of routine chat operations. Mattermost integrates with the other tools that teams depend on such as a version control system, CRM, help desk, continuous integration/delivery, bug tracker, and countless other technologies that can generate a tremendous amount of sensitive, business-critical data. It also has the features that endear modern chat tools to users, such as slash commands for GIFs (and other useful functions) and customized emojis.

Bitnami Mattermost Team Edition can be launched in your organization's cloud account on all the most popular platforms like Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Platform through the Bitnami Launchpads or third party marketplaces. Government entities will be delighted to know that they can launch Mattermost Team Edition in Azure's Government Cloud in just a few clicks through the Gov Cloud Marketplace. There is also a Mattermost Virtual Machine that can be used in the enterprise datacenter, with or without a connection to the internet.

Powerful Features Include:
  • One-to-one and group messaging, file sharing, and unlimited search history
  • Advanced communication features including markdown support, threaded messaging, custom emoji, and emoji reactions
  • Ability to connect to mobile apps in iTunes and Google Play, or to compile your own mobile apps from provided source code
  • Ability to connect to desktop apps for Windows, Mac, and Linux 
  • Highly customizable third party bots, integrations and command line tools 
  • Languages include English, Chinese (Simplified & Traditional), Dutch, French, German, Japanese, Korean, Portuguese, Russian, Spanish
  • Easily scales from dozens to hundreds of users
  • Supports upgrade to Mattermost Enterprise Edition with advanced security, configuration and scalability benefits. Learn more at https://mattermost.com
Mattermost Team Edition is now available in Bitnami to launch in just a few clicks in all your favorite cloud platforms, as a virtual machine, and as a native installer for Linux. Interested in a quick test drive? Try our one-hour cloud demo and get familiar with the intuitive interface, absolutely free!



Visit our docs to learn how to manage and configure your installation. Still have questions? Head to the Mattermost Team Edition product page or Mattermost Help page for more information.

Wednesday, February 22, 2017

Security notification: DCCP double-free kernel vulnerability (CVE-2017-6074)


[UPDATE 2017-02-28]


Updated blog post with the steps to update CentOS and Oracle Linux kernels

----

[UPDATE 2017-02-23]

Updated blog post with the steps to update Debian and RedHat kernels

----

A new security vulnerability in the Linux kernel has been discovered. You can find more information about this vulnerability in the following research report: "DCCP double-free vulnerability".

The affected code has been in the Linux kernel since before 2006, but the vulnerability is a local privilege escalation, not a remotely exploitable one: an attacker needs to already be running code on the host to trigger it. Bitnami Cloud Images and Virtual Machines are therefore not exposed over the network, and you can keep using them; we still recommend updating the kernel as described below, since any local foothold (a compromised web application, for example) could otherwise be turned into root. Our containers offering does not ship a kernel and is not affected by itself, although the host kernel that runs the containers should be patched in the same way.

At the time of this post, a patched kernel has only been released for Ubuntu. We will update this blog post as kernel patches for other distributions become available. Update the kernel by running the commands for your distribution:

Ubuntu 


sudo apt-get update && sudo apt-get dist-upgrade 

You will be running the fixed kernel after rebooting your server. `uname -a` will then show output similar to this:

Linux ip-172-31-32-244 3.13.0-110-generic #157-Ubuntu SMP Mon Feb 20 11:54:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Debian


sudo apt-get update && sudo apt-get dist-upgrade 

You will be running the fixed kernel after rebooting your server. `uname -a` will then show output similar to this:

Linux bitnami-wordpress-dm-1d22 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux

RedHat


sudo yum update 

You will be running the fixed kernel after rebooting your server. `uname -a` will then show output similar to this:

Linux ip-10-99-173-165.ec2.internal 3.10.0-514.6.2.el7.x86_64 #1 SMP Fri Feb 17 19:21:31 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

CentOS


sudo yum update 

You will be running the fixed kernel after rebooting your server. `uname -a` will then show output similar to this:

Linux localhost.localdomain 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Oracle Linux


sudo yum update 

You will be running the fixed kernel after rebooting your server. `uname -a` will then show output similar to this:

Linux bitnami-wordpress-0 4.1.12-61.1.28.el6uek.x86_64 #2 SMP Thu Feb 23 20:03:53 PST 2017 x86_64 x86_64 x86_64 GNU/Linux
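If you cannot reboot into the patched kernel right away, the usual stop-gap is to prevent the dccp module from loading at all, since the vulnerable code is only reached when a DCCP socket is created. The script below is an added example and is not part of this post or of any distribution's advisory. It reports whether DCCP is compiled out, built into the kernel (where a modprobe rule cannot help and only the kernel update does), or a loadable module; whether a modprobe rule already refuses to load it; and it can write that rule. The functions take file paths so the checks can be run against copies of /proc/modules, /boot/config-* and /etc/modprobe.d; the file name disable-dccp.conf is an assumption, and the "install dccp /bin/true" form is the one Red Hat documents for this CVE.

```sh
#!/bin/sh
# Added example (not part of the Bitnami post or any distribution advisory):
# check whether this host can reach the DCCP double-free (CVE-2017-6074) and
# whether the usual stop-gap, refusing to load the dccp module, is in place.
# Functions take file paths so they can be run against copies of the real files.
set -eu

# Prints y (built in), m (loadable module), n (not compiled) or unknown, based
# on CONFIG_IP_DCCP in a kernel config file such as /boot/config-$(uname -r).
dccp_config_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    awk -F= '/^CONFIG_IP_DCCP=/ { print $2; seen = 1; exit }
             END { if (!seen) print "n" }' "$1"
}

# Succeeds if dccp appears in a /proc/modules-style listing.
dccp_module_loaded() {
    awk '$1 == "dccp" { found = 1 } END { exit !found }' "$1"
}

# Succeeds if some *.conf in the given modprobe.d directory already refuses to
# load dccp. "install dccp /bin/true" is the form Red Hat documents for this
# CVE; "blacklist dccp" only stops alias-based autoloading but is accepted too.
dccp_disabled_by_modprobe() {
    grep -qsE '^[[:space:]]*(install[[:space:]]+dccp[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+dccp)([[:space:]]|$)' "$1"/*.conf
}

# Writes the modprobe rule to the given file (the file name is an assumption).
disable_dccp() {
    printf 'install dccp /bin/true\n' > "$1"
}

# Puts the pieces together for the running system.
dccp_assess() {
    kver=$(uname -r)
    case "$(dccp_config_state "/boot/config-$kver")" in
        n) echo "kernel $kver: DCCP not compiled in, CVE-2017-6074 is not reachable" ;;
        y) echo "kernel $kver: DCCP is built in, a modprobe rule cannot help; update and reboot" ;;
        m) if dccp_disabled_by_modprobe /etc/modprobe.d; then
               echo "kernel $kver: dccp is a module and a modprobe rule prevents loading it"
           else
               echo "kernel $kver: dccp is a loadable module and nothing prevents loading it"
           fi
           if dccp_module_loaded /proc/modules; then
               echo "dccp is currently loaded"
           fi ;;
        *) echo "kernel $kver: no readable /boot/config-$kver, check CONFIG_IP_DCCP manually" ;;
    esac
}

case "${1:-}" in
    assess)  dccp_assess ;;
    disable) disable_dccp /etc/modprobe.d/disable-dccp.conf
             # Best effort: unloading fails harmlessly if the modules are in use.
             modprobe -r dccp_ipv6 dccp_ipv4 dccp 2>/dev/null || true ;;
esac
```

`sudo sh dccp-check.sh assess` tells you which case applies; `sudo sh dccp-check.sh disable` writes the rule and unloads the module if it is not in use. The rule is a stop-gap only: it does nothing for a kernel with DCCP built in, and the real fix remains the distribution kernel update above followed by a reboot.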

If you have any questions about this process, please post to our community support forum and we will be happy to help!