Wednesday, May 18, 2016

Security Release: Magento 2.0.6


The Magento project has released a new update that fixes several security vulnerabilities. A few of the notable fixes include:
  • APPSEC1420: Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs.
  • APPSEC1421: The Magento installation code is no longer accessible once the installation process has completed.
  • APPSEC1422: Magento no longer allows authenticated customers to change other customers' account information using either SOAP or REST calls.

We highly recommend upgrading your existing Magento Community Edition 2.0 sites. For more information about the security issues fixed with this recently released update, please check out Magento's Security Center.

We have released Bitnami Magento 2.0.6 installers, virtual machines and cloud images that fix the security issues.

If you already have a running version of Bitnami Magento, you can upgrade the application by following the detailed steps on our wiki page:

https://wiki.bitnami.com/Applications/BitNami_Magento#How_to_upgrade_Magento.3f

Do you have additional questions about Bitnami Magento? Post to our community forum, and we will be happy to help you.

Wednesday, May 11, 2016

Security Release: Gitlab 8.7.4

The Gitlab project released a new update that contains security fixes, including one for an XSS vulnerability via faulty URI scheme sanitization, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.7.4 installers, virtual machines and cloud images that fix the security issues.

Additional information regarding XSS vulnerability via faulty URI scheme sanitization:

The URI scheme of user-supplied links was not being properly sanitized. Please see the GitHub issue for more details. Additional information regarding the additional changes is available in the official security advisory.

Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.

PHP Security Issue: libgd CVE-2016-3074

A PHP security issue that affects previous versions of PHP was recently announced. A signedness vulnerability (CVE-2016-3074) exists in libgd 2.1.1, which may result in a heap overflow when processing compressed gd2 data.

[Update: 2016/05/11]

The Bitnami Team has updated all the native installers, virtual machines and cloud provider images of all the affected applications, and all of them are already available. We will continue working on updating the Bitnami Cloud Hosting base image.

If for any reason you are not able to update your application, follow the instructions below:

  • Disable the following PHP functions (imagecreatefromgd2, imagecreatefromgd2part, imagegd2) in the php.ini file.
disable_functions = imagecreatefromgd2, imagecreatefromgd2part, imagegd2

  • On Windows systems, the gd extension can instead be disabled entirely by commenting out this line in the php.ini file:
;extension=php_gd2.dll
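As an added check that is not part of the original post or Bitnami's tooling, the following Python script parses a php.ini, reports which of the three gd2 functions remain callable, and tells you whether the Windows gd extension line is still active; the php.ini contents it uses are constructed samples.

```python
"""Audit a php.ini for the libgd CVE-2016-3074 mitigation described above.

Added example, not Bitnami code: it parses the disable_functions directive
(and, for Windows, the extension=php_gd2.dll line) and reports what is still
enabled. The php.ini fragments below are constructed for the demonstration.
"""
import re

# The three entry points that feed compressed gd2 data into libgd.
GD2_FUNCTIONS = frozenset({"imagecreatefromgd2", "imagecreatefromgd2part", "imagegd2"})

# Constructed sample: a php.ini with the mitigation applied.
HARDENED_INI = """\
; php.ini fragment (constructed)
expose_php = Off
disable_functions = imagecreatefromgd2, imagecreatefromgd2part, imagegd2
;extension=php_gd2.dll
"""

# Constructed sample: only imagegd2 disabled, Windows gd extension still loaded.
PARTIAL_INI = """\
disable_functions = "exec, imagegd2"  ; shell and gd2 writer only
extension=php_gd2.dll
"""


def disabled_functions(ini_text):
    """Return the function names in the last active disable_functions line.

    PHP keeps the last directive it sees, ignores lines starting with ';',
    treats ';' as the start of a trailing comment and compares function
    names case-insensitively, so the parser does the same.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1).split(";", 1)[0].strip().strip('"')
        disabled = {name.strip().lower() for name in value.split(",") if name.strip()}
    return disabled


def gd2_still_enabled(ini_text):
    """gd2 functions this php.ini does not disable (empty set means mitigated)."""
    return set(GD2_FUNCTIONS) - disabled_functions(ini_text)


def gd_extension_active(ini_text):
    """True if an uncommented extension=php_gd2.dll line loads gd (Windows builds)."""
    pattern = re.compile(r'extension\s*=\s*"?php_gd2\.dll"?\s*(;.*)?$', re.IGNORECASE)
    return any(pattern.match(raw.strip()) for raw in ini_text.splitlines())


if __name__ == "__main__":
    for label, ini in (("hardened", HARDENED_INI), ("partial", PARTIAL_INI)):
        left = sorted(gd2_still_enabled(ini))
        print("%s: gd2 functions still enabled: %s; php_gd2.dll loaded: %s"
              % (label, ", ".join(left) or "none", gd_extension_active(ini)))
```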

More information about the fixed version can be found on the GD Graphics GitHub page: https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19

Do you have questions about the security issue? Post to our community forum, and we will be happy to help you.

[Update: 2016/05/12]

The Bitnami Cloud Hosting base image was released today, so all new servers launched using our platform will include the latest security update.

Tuesday, May 10, 2016

Security Release: WordPress 4.5.2

The WordPress project has just released a new version due to two security vulnerabilities:

  • WordPress versions 4.5.1 and earlier are affected by a SOME (same-origin method execution) vulnerability through Plupload, the third-party library WordPress uses for uploading files.
  • WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players.


The WordPress team strongly encourages their users to update their site to version 4.5.2. For more details please check the official announcement. Bitnami users who are already running a version of Bitnami WordPress will not be affected, as their application will be automatically updated. If you are using Bitnami WordPress, you can confirm that the update has been done by checking the version from your admin panel.

We have released Bitnami WordPress 4.5.2 (and Multisite version) installers, virtual machines and cloud images that fix these issues.

Do you have questions about Bitnami WordPress or the security issue? Post to our community forum, and we will be happy to help you.

WordPress Stack with PHP7

WordPress announced a few months ago that it is fully compatible with PHP7, the latest major version of PHP. Nowadays most of the popular plugins are already compatible, and WordPress has also published a developer guide on how to update WordPress plugins to support PHP7.

Here, at Bitnami, we baked a new WordPress stack based on PHP7 to help you run the latest, shiniest and fastest software. WordPress + PHP7 is faster than ever before.

But that's not all. If you still want to run WordPress on PHP 5.6, now you can: use the Bitnami LAMP Stack and install the WordPress module on it, or use the WordPress Legacy Stack. The WordPress Legacy Stack ships the same, latest version of WordPress but with PHP 5.6.

Both new WordPress versions are available as installers, virtual machines, and cloud images on the Bitnami WordPress Stack page.

If you have questions about Bitnami WordPress or the advantages of using PHP7 over PHP5.6, please post to our community forum, and we will be happy to help you.

Monday, May 9, 2016

Zero to Clustered Application on Kubernetes with Bitnami

Kubernetes, a popular Docker container orchestration platform, promises to make deploying and managing containerized applications simple. This post walks through configuring and deploying a widely used web application, the Redmine issue tracking application, packaged as Docker containers.

This tutorial is aimed at developers and operators interested in learning about containerizing applications on Kubernetes and looking for solutions to common concerns including configurability, application state, and health monitoring.


Before you get started

You’ll need to set up a Kubernetes cluster. There are many deployment options for Kubernetes, as documented at http://kubernetes.io/docs/getting-started-guides/binary_release/. If you’re new to Kubernetes, we recommend starting with Google Container Engine (https://cloud.google.com/container-engine/).

You’ll need a copy of the helm package manager for Kubernetes for your platform. Helm can be downloaded directly from https://helm.sh. Version 0.5.0 or higher is required.

Deploying Redmine

1. Helm uses charts to describe how to deploy a particular application and its metadata. Collections of charts are organized into repositories, so our first step is to add the Bitnami chart repository to Helm:

helm repo add bitnami http://github.com/bitnami/charts.git

2. Next, we'll create a MariaDB database instance for Redmine to use:

helm install bitnami/mariadb

Once MariaDB has been deployed, we can deploy the Redmine application:

helm install bitnami/redmine

Redmine will take a minute or two to start; the ready count shows when the application has started:

kubectl get po

The Redmine pod will show a ready count of 1/1 when Redmine has finished launching.

To access the running Redmine application we need to know the IP address of the Kubernetes load balancer:

kubectl describe service redmine

To access Redmine, type the “Load Balancer Ingress” address into your web browser.

The default username and password are "user" and "bitnami".

Digging Deeper - customizing your application deployment

One of the great features of Kubernetes and Helm is the ability to customize and configure each application deployment. Helm supports customizing applications by editing and regenerating them before installing. The Bitnami Redmine chart has been designed with this in mind and provides a range of customization options including:
  • Changing the default MariaDB password
  • Setting the Redmine admin user and password
  • Configuring Redmine to use SMTP (email)
  • Configuring the Redmine UI language

Note: When modifying the default values in values.toml, remember to run "helm generate redmine" before installing, and make sure the MariaDB database password matches the one Redmine is configured to use.

A full walkthrough including advanced configuration topics can be found here:

https://github.com/bitnami/charts/tree/master/_docs/redmine

Let us know in the comments which other applications you want to deploy on Kubernetes.

Tuesday, May 3, 2016

ImageMagick: Remote execution vulnerability (CVE-2016-3714)

Several security vulnerabilities have been recently discovered for certain ImageMagick coders. Specifically, the vulnerabilities include possible remote code execution and the ability to render files on the local system.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s Imagick, Ruby’s RMagick and Paperclip, and nodejs’s imagemagick.

More information about the vulnerability can be found on the ImageMagick website. (Updated 05/05: the issue has been named ImageTragick.)


If you use ImageMagick or an affected library, we recommend mitigating the known vulnerabilities as follows:

1. Edit the policy.xml file of ImageMagick:
/opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
2. Add the following policy rules (updated 05/05):
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

3. Verify your policies with the following command:
convert -list policy
Below is an example policy output:
Path: [built-in]
  Policy: Undefined
    rights: None 
Path: /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: None 
    pattern: URL
  Policy: Coder
    rights: None 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL
...
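Instead of eyeballing the output of convert -list policy, the following Python script (an added example, not ImageMagick or Bitnami code) parses a policy.xml and lists which of the coder patterns from step 2 are not yet denied. The two policy documents it checks are constructed; the script treats each policy pattern as a glob, so a single pattern="*" rule counts as covering every coder, and compares names case-insensitively.

```python
"""Verify an ImageMagick policy.xml against the ImageTragick (CVE-2016-3714)
mitigation described above.

Added example, not ImageMagick or Bitnami code. It parses the policy file and
reports which of the coder patterns from the post are not denied. The policy
documents below are constructed; patterns are matched as globs (fnmatch) and
case-insensitively, which is this checker's own convention.
"""
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Coder patterns the post sets to rights="none".
REQUIRED_DENIED = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Constructed: a policy file with the rules from step 2 applied.
HARDENED_POLICY = """<policymap>
  <!-- ImageTragick mitigation -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
"""

# Constructed: a stock-looking file that only restricts a resource limit.
STOCK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>
"""


def coder_policies(policy_xml):
    """Yield (pattern, rights) for every <policy domain="coder"> entry."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("expected <policymap> root, found <%s>" % root.tag)
    for policy in root.iter("policy"):
        if policy.get("domain", "").strip().lower() == "coder":
            yield policy.get("pattern", "").strip(), policy.get("rights", "").strip().lower()


def is_denied(coder, policy_xml):
    """True if some coder policy whose glob matches `coder` grants no rights."""
    coder = coder.upper()
    return any(rights == "none" and fnmatchcase(coder, pattern.upper())
               for pattern, rights in coder_policies(policy_xml))


def missing_mitigations(policy_xml):
    """Required coder patterns the policy file does not deny, in the post's order."""
    return [c for c in REQUIRED_DENIED if not is_denied(c, policy_xml)]


if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_POLICY), ("stock", STOCK_POLICY)):
        gaps = missing_mitigations(doc)
        print("%s policy.xml: %s" % (label, "all listed coders denied" if not gaps
                                     else "still allowed: " + ", ".join(gaps)))
```

To check a live system, read /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml into missing_mitigations(); an empty list means every pattern from step 2 is covered.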

The Bitnami Team is working hard on updating the library to its latest version in order to fix this issue in our future releases. If you have questions about ImageMagick or the security vulnerability, please post to our community forum, and we will be happy to help you.

Security notification: OpenSSL 1.0.2h / 1.0.1t

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160503.txt

There are two high-severity issues that do not affect Bitnami installations:

1. Memory corruption in the ASN.1 encoder (CVE-2016-2108).

  • All of the currently released Bitnami stacks use an OpenSSL version greater than the affected versions: 1.0.2c or 1.0.1o.

2. Padding oracle in AES-NI CBC MAC check (CVE-2016-2107). 

  • The OpenSSL we ship with the Bitnami installers, virtual machines and cloud images does not enable AES-NI encryption.

The Bitnami team will continue working on updating OpenSSL to 1.0.2h for all Bitnami apps, however, to be clear, the two security issues above do not affect our applications that are currently available.

Critical Security Release for GitLab (CVE-2016-4340)


The Gitlab project released a new update that contains a number of important security fixes, including one for a critical privilege escalation, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.7.1 installers, virtual machines and cloud images that fix the security issues.


Critical Security Issue: Privilege escalation via "impersonate" feature

Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.

Part of this feature was not properly secured and it was possible for any authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see the GitLab website for more details. Additional information regarding the additional changes is available in the official security advisory.

Workarounds

If you are unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade:

Securing via web server configuration

1. Add the following text at the end of the httpd-app.conf file of Gitlab:
<LocationMatch "^/admin/users/stop_impersonation">
  Order Deny,Allow
  Deny from all
</LocationMatch>
2. Restart Apache:
sudo /opt/bitnami/ctlscript.sh restart apache

Securing via patch

1. Create a patch file in /opt/bitnami/apps/gitlab/htdocs with the following content:
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index bf98af7..8790018 100644
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -1,4 +1,5 @@
 class Admin::ImpersonationController < Admin::ApplicationController
+  before_action :render_403, only: :destroy
   skip_before_action :authenticate_admin!, only: :destroy

   before_action :user
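Review bot: the added `before_action :render_403, only: :destroy` short-circuits the destroy action for every caller, administrators included, so an admin who is legitimately impersonating a user can no longer end that session through this endpoint while the workaround is in place (the verification steps below expect a 403 even for an admin); state that trade-off next to the patch. The hunk also relies on `render_403` being defined further up the controller chain, which these lines do not show; confirm it exists in the installed GitLab version before applying, otherwise the request will fail with an error rather than a clean 403.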

2. Apply the patch:
sudo git apply -v path.diff
The following output will appear:
Checking patch app/controllers/admin/impersonation_controller.rb...
Applied patch app/controllers/admin/impersonation_controller.rb cleanly.

Restore the ownership of the modified file:
sudo chown git:git /opt/bitnami/apps/gitlab/htdocs/app/controllers/admin/impersonation_controller.rb

Verifying the workaround

  1. In an Incognito Window, log in as an administrator.
  2. Go to the Admin section.
  3. Click on "Users".
  4. Select any user.
  5. Click "Impersonate".
  6. Click on the "Stop Impersonation" icon in the upper right.
  7. Verify you receive a 403 Forbidden error.

Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.

Friday, April 29, 2016

Open edX "Dogwood" Is Now Available from Bitnami!


We're happy to announce a new version of the Bitnami Open edX stack!

Open edX is the open-source online learning platform originally conceived by edX, a nonprofit online learning destination founded by Massachusetts Institute of Technology and Harvard University that offers courses from the world’s best universities and institutions. The Open edX platform provides development tools to create, teach, and manage courses, student experiences, and learning outcomes at Internet scale.


Some of the new features in this new version are:
  • Partial credit
  • Open edX Analytics Developer Stack
  • Initial Version of Comprehensive Theming
  • Additional File Types for Open Response Assessments
  • Timed Exams
  • LTI XBlock
  • Otto Ecommerce Service





Several features are deprecated as of the Open edX Dogwood release:
  • Original ORA ("ORA1") Problems
  • Legacy Instructor Dashboard
  • Studio Checklist page
  • Certain XModules and Tools, including the graphical_slider_tool and the FoldIt protein simulator
  • The psychometrics and licenses Django apps

With Bitnami, developers can deploy a ready-to-run Open edX Stack with just one click. To get started, choose from our all-in-one free native installers, virtual machines or cloud images.

If you have questions about Bitnami Open edX Stack, please post to our community forum and we will be happy to help.

Wednesday, April 27, 2016

Jenkins 2.0

We're happy to announce a new version of the Bitnami Jenkins Stack:

Jenkins is an open source continuous integration server built with Java that supports building and testing virtually any project. It supports different SCM tools, can execute Apache Ant and Apache Maven-based projects as well as arbitrary shell scripts and Windows batch commands. Additionally, Jenkins can monitor executions of remote tasks and much more. Hundreds of plugins are also available for configuring your own system based on your specific requirements.

The highlights of Jenkins 2 are:
  • Built-in support for delivery pipelines
  • Improved usability
  • Fully backwards compatible
The new Jenkins pipeline enables the ability to define workflows by describing them in a domain-specific language. The pipelines are durable, versatile and extensible, with all of their functionality designed to meet the needs of a continuous delivery system. To learn more about this release, visit the Jenkins 2 overview page.

With Bitnami, you can deploy a ready-to-run Jenkins Stack with just one click. To get started, choose from our all-in-one free native installers (for Linux, Windows and OS X), virtual machines and Cloud Images.

Friday, April 15, 2016

Bitnami Parse Server Stack now includes Parse Dashboard!

We are happy to announce a new feature available in the Bitnami Parse Server Stack:

Following the suggestions made by the users of the original stack, we have included the Open Source project named Parse-Dashboard, which we believe will improve the overall user experience of this stack. 

The Parse Dashboard is a web interface that helps developers interact with the Parse Server API in a graphic way. With the dashboard, developers will be even closer to the experience available before migrating from the original Parse Hosting Services. 


With Bitnami, developers can easily deploy a ready-to-run Parse Server Stack, now including a beautiful web GUI, with just one click. To get started, choose from our all-in-one free native installers (for Linux), virtual machines and Cloud Images.

If you have questions about Bitnami Parse Server Stack, please post to our community forum and we will be happy to help.


Wednesday, April 13, 2016

WordPress 4.5 "Coleman" now available from Bitnami!


We're happy to announce a new version of Bitnami WordPress Stack:

WordPress is a popular blogging software and powers more than 10% of all websites globally. Developed by Automattic, WordPress rose to popularity quickly because of its up-to-date development framework, extensive feature set, multilingual publishing ability, multi-author support, and thriving community. Thousands of free and commercial themes and plugins are available to extend and personalize WordPress for just about anyone who needs a website.


A few of the major changes in this new version include:
  • Finer points: Customizer improvement
  • Finer points: Visual Editor improvement
  • Finer points: Comment refinement
  • Finer points: Optimization of image generation
  • Developers: Selective refresh
  • Developers: Backbone and underscore update
  • Developers: Embed templates
  • Developers: Term edit page changes

What's new?
  • Posts: Inline link editing
  • Posts: Additional editor shortcuts
  • Comments: Moderate comment screen refresh
  • Comments: Max length for comment form fields
  • Comments: Comment error page navigation
  • Appearance: Responsive preview of your site
  • Appearance: Theme logo support
  • Appearance: Selective refresh
  • Appearance: Ease of use


Under the hood:
  • Bug fix: Support Windows shares/DFS roots in wp_normalize_path()
  • Bug fix: OPTIONS request to REST API does not return correct Accept header
  • Smart Image resizing
  • JavaScript library updates
  • Script Loader improvements
You can learn more about this release in the WordPress blog.



With Bitnami, you can deploy a ready-to-run WordPress Stack with just one click. To get started, choose from our all-in-one free native installers (for Linux, Windows and Mac OS X), virtual machines and Cloud Images for Amazon EC2, Azure, CenturyLink, Digital Ocean, Google Cloud Platform, vCloud Air and 1&1 Cloud Platform.


Monday, April 11, 2016

Solr 6 now available from Bitnami!


We're happy to announce a new version of Bitnami Solr Stack:

Apache Solr is a fast search platform from the open source Apache Lucene project. Solr makes use of Lucene, a powerful search engine framework, and wraps it in an HTTP interface so it is ready to use out of the box. Features include full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is used by some of the largest companies in the world to power search on their public projects.


A few of the major changes in this new version include:
  • Improved defaults for "Similarity" used in Solr, in order to provide a better default experience for new users.
  • Improved "Similarity" defaults for users upgrading: DefaultSimilarityFactory has been removed, the implicit default Similarity has been changed to SchemaSimilarityFactory, and SchemaSimilarityFactory has been modified to use BM25Similarity as the default for field types that do not explicitly declare a Similarity.
  • Deprecated GET methods for the schema are now accessible through the bulk API. The output has fewer details and is not backward compatible.
  • Users should set useDocValuesAsStored="false" to preserve sort order on multi-valued fields that have both stored="true" and docValues="true".
  • Deprecated SolrServer and subclasses have been removed, use SolrClient instead.
  • Filter support added to Real-time get.
  • Column alias support added to the Parallel SQL Interface.
  • New command added to switch between secure/non-secure mode in zookeeper.
  • Now possible to use IP fragments in replica placement rules.
  • And many more features that you can find on the Solr Website.


With Bitnami, you can deploy a ready-to-run Solr 6 Stack with just one click. To get started, choose from our all-in-one free native installers (for Linux, Windows and Mac OS X), virtual machines and Cloud Images for Amazon EC2, Azure, Digital Ocean, vCloud, 1&1 and Google Cloud Platform.