Wednesday, June 21, 2017

Meet the Bitnami Team: Tom McCafferty

Tom enjoying one of his favorite hobbies 

Meet one of the newest members of our team, Tom McCafferty, and learn why he chose to join the Bitnami team as our VP of Marketing.

Why I joined Bitnami…

I’ve spent the bulk of my career in product marketing which means I’ve spent a lot of time telling stories to customers, prospects, writers, industry analysts and partners (anyone who would listen) about companies, products and technology trends. And most of the time, if done well, the narrative creates a grand perception of whomever/whatever the story is about. I’ve told stories of small startups disrupting industry giants, I’ve told stories of changing infrastructure dynamics, I’ve written extensively on the future of communications and the impact of virtualization, automation and cloud computing. The dirty secret of marketing is that more often than not, the stories are just that... stories. Ok, they are generally rooted in some truth or some future truth (roadmaps) but are rarely representative of the actual state of the product or company.

In the case of a startup, creating a meaningful story can be especially difficult. Most of the time the foundational elements are not fully covered:

1. Do they have proven product(s)?

2. Is there a market for their products? Have they identified it?

3. Do they have customers? Are they meaningful customers?

4. Are they making money? Is it a sustainable business model?

5. Are they innovating? Is there a future opportunity?

When a friend first introduced me to Bitnami, I was absolutely blown away by the story they have to tell. Not only are they the clear leader in application packaging, they’ve applied that expertise to delivering cloud-ready and cloud-native application catalogs for every leading cloud provider (check out the list) in the world driving over 1 million new deployments per month. And they’ve built a profitable and rapidly growing business doing that. They’ve also had the foresight to leverage their internal know-how in building and publishing applications to productize application packaging tools for enterprise developers and system integrators to help businesses on their cloud migration journey. If that weren’t enough, they’re also driving innovations in the container ecosystem with open source Kubernetes projects centered on packaging and discovering applications as well. Those are just the things that I can share today, there is so much more to come.

As I complete my second week as VP of Marketing at Bitnami I’m collecting data on products and buyers (there are many), evaluating the landscape of competitors (there are few) and defining ways to hone the story here to continue the momentum and accelerate the success that this team has had to date. I’m used to being in a position where there are gaps in the answers to those 5 questions above, not great answers to all of them. I’m hesitant to say that this makes my job an easy one, but I can confidently say that I am extremely excited about the opportunity to help Bitnami tell their story to the world.

Wednesday, June 14, 2017

Meet the Bitnami Team: Beltran Rueda




The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Beltran is the Engineering Manager for our internal and external Tools team, and works in our Seville office.

A brief bio

I am from a small town near Sevilla, Estepa, which you can see in the picture that includes my dog as well.

I started using computers by accident. When I was 14 I won the football lotto. The money from the lotto wasn’t a lot, but it was enough to buy my first computer. At the time, I was really just going to use the computer for video games. Little did I know this was going to be the start of my career.

I started with Linux when I was at university. The first program I implemented was in C and I spent days and nights tinkering with it just to make it work properly. I would think about the problems that I needed to solve during the day, and suddenly stop what I was doing just to create a solution. There would even be times that I would stop eating lunch, so I could run to my computer and try out an idea.

Throughout the whole project, I enjoyed working on every aspect of it and I was amazed by all the opportunities that coding provided. However, it was really hard to do since I didn’t have Internet when I went back home.

Since I didn’t have Internet all the time, I started learning more about Linux by reading books and running code examples from Linux magazines. One of the first examples was to implement and deploy a Python-based radio server.

Why did you join Bitnami and what excites you about working here?

Daniel Lopez, Bitnami’s founder and CEO, came to my university to talk about open source, the Apache Software Foundation and the projects he was working on. I really wanted to work on similar projects, so I took the opportunity to apply for their open position. Since I applied while I was in school, I started working at Bitnami even before finishing my telecommunications engineering degree.

Bitnami gave me a great opportunity to learn new technologies and to grow professionally. I started simplifying the installation process for some of the first companies in the commercial Open Source ecosystem like MySQL, GroundWork, Zenoss, SugarCRM and more.

After 6 years, I decided to improve my management skills and started a Master of Business Administration (MBA) at a Spanish business school. At the same time, Bitnami was starting to grow the company, so I was excited to bring my new skill set to the team by adding more internal structure, teaching new developers and spreading the word about Bitnami at technical conferences.

What are you working on?

I manage the tools team, which focuses on improving our internal tools to ensure that all of our assets are easy to build, test, and keep up to date. They include everything from installers for all operating systems and cloud images for all of our cloud partners to all of our containers and Helm charts. This is quite exciting because of the scale of the tasks (we regularly need to update thousands of apps across all platforms) but also because we get to touch every single technology out there, from system packaging to cloud APIs to Docker. Along with maintaining our internal tools, we also work to continuously simplify the deployment process for each of these target platforms by building out our automation pipeline.

What do you like to do for fun?

I love nature. I usually go to the mountains with my wife, dogs and sometimes with my nephews. I am not a sportsman, but I enjoy hiking or biking. Thanks to the good weather in the south of Spain, I love going out with friends to have some of our traditional “tapas” over the weekend.

I usually attend technical meetups in and around Seville, so if you see me in one of them stop by and say hello!

Interested in working with Bitnami and Beltran? Apply for one of our open positions!

Tuesday, June 13, 2017

Now Available in Bitnami: SonarQube!

We are pleased to announce the release of SonarQube, the open source continuous code quality review suite used by enterprise development teams across the globe!

SonarQube is able to deeply analyze code on multiple dimensions for over twenty of the most popular languages such as Java, C, and PHP.

Combining static and dynamic analysis tools, SonarQube continuously monitors code along seven axes such as coding standards, potential bugs, code duplication, and complexity. It has built-in dashboards that enable managers and developers to efficiently find problem areas in their code.


SonarQube is available to launch now in Bitnami. To get started taking your code to the next level in just a few clicks, you can deploy SonarQube in the cloud, as a virtual machine, or with a native installer.

You can also launch a one-hour demo in the cloud, absolutely free, by clicking the link below (requires a Bitnami account).



If you have any questions about using SonarQube, check out the Bitnami Documentation or post a message in our Community Forums.

Wednesday, June 7, 2017

Meet the Bitnami Team: James Westby

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

James Westby is a Senior Engineer working remotely from Bristol, UK.

James and his wife enjoying a vacation in Iceland
A brief bio

I am always keen to learn new things and I’ve been lucky that my career so far has allowed me to work in different areas of software. Most of my time was spent at Canonical, where I started working on Ubuntu itself, dealing with more different languages and build systems than I can remember, and on the Bazaar version control system, where I was able to learn Python in more depth. Over the next few years I spent time working with Linaro, and then on web service development and deployment, with a couple of spells as a team lead. After Canonical I spent a short time at an ill-fated Docker startup.




Why did you join Bitnami and what excites you about working here?

I joined Bitnami as I am excited by the opportunities that Bitnami has. The technology, partnerships and leadership are almost unrivalled, and that presents a great opportunity for my work to have greater impact. The range of work that Bitnami does also provides a great learning opportunity to me. Since joining I’ve already learned Ruby, Node.js, Go and Kubernetes, and that’s just the beginning. Lastly, the capacity for change within the company is huge; it’s always improving in many different ways. This was particularly important to me as when I joined there were few remote employees, but the company has put the time and effort into improving the experience for us. There are still of course many places we can improve, but every new person that joins brings fresh ideas, and the company is willing to adapt to incorporate them.

What are you working on?

Currently I am working on improving the automation of how we build our containers and cloud images. We need to be able to add more applications to our catalog and produce more types of images for each with sub-linear growth in the manual work that is involved. We are always working on this in some manner, but currently we have a team working on a big change in this area. For me it involves working on many different areas, involving scripts and build systems, web services, docker containers, automated testing and documentation and training.

What do you like to do for fun?

I’m currently spending a lot of time running and cycling as I’m trying to improve my fitness and my 5k and 10k personal bests. Otherwise I really enjoy food, beer, gaming and travel. My wife and I recently travelled to Iceland, which had amazing sights, as well as some great food and beer.

Interested in working with Bitnami and James? Apply for one of our open positions!

Tuesday, June 6, 2017

PostgreSQL support for Bitnami Docker Redmine


We are thrilled to announce that the Bitnami Docker Redmine container has recently been released with support for PostgreSQL databases.

Selecting between MariaDB and PostgreSQL is now possible via the following environment variables, each set to the hostname of the corresponding database service:

- REDMINE_DB_MYSQL
- REDMINE_DB_POSTGRES

You can use the following docker-compose.yml file to deploy our Bitnami Redmine container using a PostgreSQL database:

version: '2'
services:
  postgresql:
    image: 'bitnami/postgresql:latest'   # "latest" floats between pulls; pin a release tag for reproducible deployments
    volumes:
      - 'postgresql_data:/bitnami/postgresql'
  redmine:
    image: 'bitnami/redmine:latest'
    ports:
      - '80:3000'   # publishes Redmine on host port 80 on all interfaces; use '127.0.0.1:80:3000' to keep it local
    environment:
      # selects the PostgreSQL backend; the value is the hostname of the database service above
      - REDMINE_DB_POSTGRES=postgresql
    volumes:
      - 'redmine_data:/bitnami/redmine'
    depends_on:
      - postgresql
volumes:
  postgresql_data:
    driver: local
  redmine_data:
    driver: local

Test it by running the following commands:

$ git clone https://github.com/bitnami/bitnami-docker-redmine
$ cd bitnami-docker-redmine
$ docker-compose -f docker-compose-postgresql.yml up
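Before bringing the stack up, two things in the compose file above are worth flagging in review: both images are pulled by the floating `latest` tag, so the deployment is not reproducible and silently picks up whatever was pushed last, and Redmine is published on port 80 of every host interface. The POSIX shell functions below are an added check, not part of the post or of the bitnami-docker-redmine repository; they read a compose file on standard input and list unpinned images and published ports. The embedded compose text is a constructed copy of the file from the post so the check runs offline, and the function names and the one-key-per-line YAML layout they assume are mine.

```shell
#!/bin/sh
# Added example: a pre-deploy hygiene check for the docker-compose file above.
# Not part of the Bitnami Redmine repository. It assumes the one-key-per-line
# YAML layout used in the post (image: on its own line, one "- host:container"
# entry per line under ports:).

# Constructed copy of the compose file from the post, embedded so the check
# runs without cloning anything.
COMPOSE_TEXT=$(cat <<'EOF'
version: '2'
services:
  postgresql:
    image: 'bitnami/postgresql:latest'
    volumes:
      - 'postgresql_data:/bitnami/postgresql'
  redmine:
    image: 'bitnami/redmine:latest'
    ports:
      - '80:3000'
    environment:
      - REDMINE_DB_POSTGRES=postgresql
    volumes:
      - 'redmine_data:/bitnami/redmine'
    depends_on:
      - postgresql
EOF
)

# Print every image reference on stdin that has no tag or uses the floating
# "latest" tag. A digest reference (name@sha256:...) is treated as pinned.
unpinned_images() {
    awk '
        $1 == "image:" {
            ref = $2
            gsub(/["'"'"']/, "", ref)           # strip surrounding quotes
            n = split(ref, parts, ":")
            # the last colon-separated part is the tag, unless it belongs to a
            # registry host:port prefix (it then contains a slash)
            tag = (n > 1 && parts[n] !~ /\//) ? parts[n] : ""
            if (tag == "" || tag == "latest") print ref
        }'
}

# Print every host:container port mapping listed under a "ports:" key.
published_ports() {
    awk '
        $1 == "ports:" { inports = 1; next }
        inports && $1 == "-" { p = $2; gsub(/["'"'"']/, "", p); print p; next }
        { inports = 0 }'
}

# Stand-alone run: report what a reviewer should look at before "up".
printf '%s\n' "$COMPOSE_TEXT" | unpinned_images
printf '%s\n' "$COMPOSE_TEXT" | published_ports
```

Run against the file from the post it lists both `bitnami/postgresql:latest` and `bitnami/redmine:latest` and the `80:3000` mapping; a compose file with pinned tags and no `ports:` section (or one bound to `127.0.0.1`) produces a quieter report.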

If you'd like to find the Redmine Docker Compose files for both MariaDB and PostgreSQL databases, please check the Bitnami Docker Redmine repository.

In addition, the stable Redmine Helm chart has also been updated to support this new feature. You can read more on how to deploy your Redmine application on top of a Kubernetes cluster using Helm in the Kubernetes Charts repository.

If you have any other questions regarding Bitnami containers, Kubernetes, or Helm charts, feel free to check out our documentation at docs.bitnami.com or ask one of our engineers at community.bitnami.com!

Thursday, June 1, 2017

Security Release: Magento 2.1.7



The Magento project has released a new update that fixes several critical vulnerabilities. A few of the notable fixes include:

  • APPSEC-1686: Remote Code Execution in the Admin panel
  • APPSEC-1626: RCE in video upload
  • APPSEC-1746: Zend Mail vulnerability - continued
  • APPSEC-1565: Customer password hash exposed in admin
  • APPSEC-1752: Stored XSS in admin panel
  • APPSEC-1663: Mass actions do not follow ACL
  • APPSEC-1661: UI controllers do not follow ACL
  • APPSEC-1679: APIs vulnerable to CSRF
  • APPSEC-1559: Possible remote code execution in email reminders
  • APPSEC-1699: API tokens not invalidated after disabling admin user

We highly recommend upgrading existing Magento Community Edition 2.x sites to 2.1.7. For more information about the security issues fixed in the recently released update, Magento 2.1.7, please check out Magento's Security Center.

We have released Bitnami Magento 2.1.7 containers, installers, virtual machines and cloud images in order to address these security vulnerabilities. If you already have a running version of Bitnami Magento, you can upgrade the application by following the detailed steps through our documentation.

Users launching Bitnami Magento via a cloud marketplace are advised to select version 2.1.7, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have additional questions about Bitnami Magento, post to our community forum, and we will be happy to help you.

Meet the Bitnami Team: Angus Lees

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Angus Lees is one of our Senior Engineers and works remotely from Australia.


A brief bio

I have been lucky enough to spend my entire career working with Linux and Free Software (since 1995), and in a lot of ways Bitnami is a return to my early interests.

From early university days running the Linux user group “installfests”, I have been a proud member of the Debian project since about 2000. From university, I worked for a string of small Australian companies as a sysadmin / programmer / everything-else-guy. One of the more interesting projects involved driving over sand dunes in the hottest Australian desert to install our Linux-based routers on poles with solar panels and a two-way satellite dish.

In 2005, I moved to Ireland to work for Google on one of the original SRE teams. We looked after the main search engine and common networking infrastructure. I and 2 others built ipv6.google.com and as part of the following rollout, my home was the first place ever to receive an AAAA response from www.google.com. I eventually moved back to the new Google Sydney office to work on a new storage system and finally as a team lead and manager for some of the parts of the new Google cloud overlay network.

By this point, it was becoming obvious that a number of the engineering candidates I was interviewing were mentioning projects and tools that I had never heard of. My eldest daughter was about to start university and talked about leaving home soon, and so I took the rather unusual step of leaving Google to work from home on OpenStack with Rackspace. I accidentally got involved in Kubernetes quite early (v0.15) by writing the Kubernetes OpenStack cloud provider plugin and some related pieces and really enjoyed the experience. The opportunity to work on Kubernetes full time for Bitnami came up and I jumped at it.

Why did you join Bitnami and what excites you about working here?


I have always had a fascination with compilers, toolchains, and the low-level details of how applications interact with kernel and hardware. Bitnami has been working in this space for many years, and so it seemed an obvious fit.

For me, Bitnami is almost the perfect combination of: working from home, on free software, on something new and exciting, without big corporate bureaucracy, and with an excellent bunch of colleagues.

What are you working on?

I am currently working on “ksonnet” - a set of related tools to make it easier to manage more complex services on Kubernetes. This grew out of personal experience setting up and managing multiple internal Kubernetes clusters within Bitnami, and a decade of something similar within Google. I feel Kubernetes is rapidly moving from “demo” to “production” for many people, so I am happy to be able to share tools and a workflow that can really take advantage of the Kubernetes design.

What do you like to do for fun?

I like food. I have a small vegetable garden and a few chickens. With no daily commute, I like to spend that little bit of extra time in the evenings cooking and enjoying a nice meal with my family.

I have never been a sporting person, but I have also recently started playing soccer/football.

Interested in working with Bitnami and Angus? Apply for one of our open positions!

Friday, May 26, 2017

Bitnami Announces Kubernetes Training Offerings

Bitnami now offers Kubernetes training programs.

From publicly available sessions for individuals to customized courses for entire teams, we offer many different training options. These include in-person or virtual classes, and range from introductory to expert level curriculum. If you are interested in custom courses, our team would be happy to create curriculum based on your team’s needs.

Bitnami’s Senior Director of Cloud Technology and lead trainer, Sebastien Goasguen, has several years of experience designing and delivering Kubernetes training, as well as authoring the CNCF Kubernetes certification itself. Sebastien is well recognized for writing books such as:

  • Kubernetes Cookbook, O'Reilly Media 
  • Docker in the Cloud, O’Reilly Media 
  • Docker Cookbook, O’Reilly Media 
  • 60 Recipes for Apache CloudStack, O’Reilly Media 

Bitnami is recognized as one of the primary trainers for Kubernetes globally. This includes providing training at CNCF, KubeCon and Open Source Summit events.

During these training sessions, students will have a hands-on tour of Kubernetes core concepts and gain an understanding of how to use Kubernetes primitives to build a distributed application that can scale.

As the course comes to a close, students will have a clear understanding of how to take container images to production, build a complex distributed application, and manage it in the data center. Along with a general understanding of Kubernetes and containers with hands-on demos, they will also learn about real world deployments that Bitnami and other companies are running in production.

In short, they will be well positioned to embark into the world of Kubernetes.

Contact us for a proposal that will suit your needs, or check out the schedule of publicly available training offerings that we provide around the world.

Thursday, May 25, 2017

Meet the Bitnami Team: Sebastien Goasguen

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Sebastien Goasguen is our Senior Director of Cloud Technologies and an avid outdoor sports enthusiast.

Sebastien and his family enjoying a visit to Camp Nou
A brief bio: 

I am not a freshman anymore so I have done a few things. I spent a long time in academia, not only getting a PhD (2001), but after that I stuck around and only left in 2012 when I joined Citrix. I had the chance to work on some big grid computing projects in the US and in Europe, I spent a couple of summers at CERN working on their first cloud, then I worked on CloudStack for a while, before writing the O’Reilly Docker Cookbook. That was the signal for me that it was time to take a chance.

I discovered Kubernetes while writing the book, fell in love with the system and decided to create Skippbox. It was a major challenge doing it out of Europe and with a handful of remote engineers, but I am very proud of what we managed to accomplish with almost nothing. As a fun bio fact, in 2009 the European Space Agency recruited a new set of astronauts. I applied and made it to the first selection in Hamburg; unfortunately I stopped there. Imagine, Bitnami could have had an engineer in space, talk about being remote!

Why did you join Bitnami and what excites you about working here?

I joined Bitnami because it was a perfect fit to get Skippbox to the next level. I knew that we needed to grow to have a more significant impact (4 engineers is not enough). Bitnami has a strong foundation and is focusing on applications. When we look at our industry, I feel that the Cloud is fulfilling its promise to make infrastructure a utility, it is time to go back to applications. Containers and systems like Kubernetes make that switch natural. As you start using them you immediately forget about the infrastructure and think about the apps.

It is this focus on applications that I liked about Bitnami. They have delivered apps on bare metal, VMs, clouds and now are delivering apps to new formats. I wanted to help them do that as well as pioneer some new application frameworks like serverless.

I also have to admit that I liked the fact that Bitnami had strong European DNA and was operating for the long term, helping customers navigate these evolutions of technologies and software practices. It is not just about the latest fancy tech, it is about application environments for the long term.

What are you working on? 

I lead our container and Kubernetes efforts. This involves everything related to building awesome containers: Make sure that we follow best practices, have small image sizes, are automatically updated and run well on any container platform. It also means all our Kubernetes upstream activities in the open source community, things like our involvement with Helm charts, Monocular, and of course Kubeless. Kubeless is our new serverless framework, that I started with Tuna at Skippbox. Kubeless fits well with the overall apps strategy of Bitnami so we are continuing our effort. We hope to build a solid community around it and stay close to the Kubernetes ecosystem.

Generally speaking, since we see applications moving towards a container format and a Kubernetes deployment environment, I lead all our efforts in that space to make sure we do a great job for our users and also help the community grow by contributing directly to the ecosystem.

What do you like to do for fun? 

I am a sports guy, a bit out of shape these days, but sports is my definition of fun. I get out of my house and I go run, bike, hike, camp. I just bought a new mountain bike and I am slowly shaping up to be able to climb the Jura. If everything goes well I will be back in shape to run a half-marathon in the fall. I have run 6 marathons dating back to Chicago in 2004. I ran the Chamonix Marathon in 2011, which was an 8 hour “fast” hike with 7500 feet of climb (2600+ meters). I also play golf a couple of times a year; my wife being a golf teacher, we hang out at golf courses quite a bit, and I usually hit a couple of buckets of balls every week. It is good to get out of the office (or shall I say basement).

Interested in working with Bitnami and Sebastien? Apply for one of our open positions!

Wednesday, May 24, 2017

Introducing ksonnet, an Open Source configuration experience for Kubernetes


We are pleased to announce ksonnet today, an open source tool for configuring applications running on Kubernetes clusters that we have built in collaboration with our friends from Box, Microsoft and Heptio.

Bitnami's mission is to make awesome software available to everyone. We originally started providing easy to use native installers for popular open source server software. We've quickly expanded into providing virtual machines, cloud images and, more recently, containers.

Kubernetes has emerged as the leader in deploying production container workloads. Though Kubernetes can be thought of as an orchestration system, it has turned into a full-fledged platform that others can build on. A large ecosystem of contributors has emerged, providing tooling around monitoring, security, management and any other aspect of building and maintaining Kubernetes clusters. In particular, Bitnami has been involved with the Helm package manager and related projects such as Monocular and Kubeless, the Kubernetes-native serverless framework.

Internally, we have been early adopters of Kubernetes ourselves. In the process of migrating all of our infrastructure to Kubernetes, we ran into scenarios that pushed the limits of what current solutions could deal with. As a result, we have ended up creating our own tooling to help define and manage complex Kubernetes deployments. Around the same time, Heptio was working on a similar project and approached us to combine efforts, resulting in ksonnet.

ksonnet is an open source tool for configuring applications on Kubernetes, built on the Jsonnet data templating language. It is designed to be easy to use, yet extensible and powerful enough to cover as many scenarios as possible.

Our goal is that ksonnet will help lower the barrier of adoption for Kubernetes and will continue to evolve and integrate with the rest of the Kubernetes ecosystem. Though it has just been released, it is already being worked on by an active group of contributors that includes Red Hat, CoreOS, Box and Microsoft. We are particularly excited about the integration with the Helm project, allowing the generation of Helm charts that support ksonnet as an alternative to existing templates.

We and Heptio are excited to share ksonnet with the community, helping push Kubernetes further into the mainstream. Give it a try today and let us know what you think!

Thursday, May 18, 2017

Security Release: Joomla! 3.7.1


A critical SQL injection vulnerability affecting Joomla! 3.7.0 was recently identified. Joomla! 3.7.1 has now been published to address this vulnerability along with other bug fixes. You can find more information about version 3.7.1 and the vulnerability in version 3.7.0 in this Joomla! blog post.

The Joomla! team strongly encourages users to update their Joomla! site(s) to version 3.7.1. Bitnami has released Bitnami Joomla! 3.7.1 installers, virtual machines and cloud images for all platforms. You can find instructions on how to upgrade your Bitnami Joomla! application here.

Have questions about Bitnami Joomla! or the Joomla! security vulnerability? Post to our Community Forum, and we will be happy to help you.

Wednesday, May 10, 2017

Newly Released Open edX Ficus Now Available in Bitnami

We are happy to announce the release of Ficus, the latest version of the popular Open edX online learning platform. Conceived by edX, a nonprofit online learning destination founded by Massachusetts Institute of Technology and Harvard University, Open edX is the chosen online learning solution for a wide variety of educational institutions, non-profits, and corporate training departments.

Bitnami’s Open edX package contains everything you need to run online learning courses out of the box. Some of the application’s main features include:
  • Open edX Studio to create the course structure and add content, including problems, videos, and other resources. Studio is also used to manage the course schedule and team, set grading policies, publish each part of a course, and more.
  • A Learning Management System (LMS) that learners use to access course content, including videos, textbooks, and problems, and to check their progress in the course. The LMS includes forum and wiki functionality for both learners and instructors.
  • Full customization, with themes that incorporate an organization’s logos, images, and color schemes. Themes for Open edX Studio and LMS can incorporate custom page templates and CSS for a truly unique look.


What’s New in Ficus

The latest version of Open edX includes many new features centered around the LMS, the studio, and course author tools. The edX team has also added enhanced course data for instructors and students, new third party authentication capability, and accessibility improvements.

For a complete list of new features in Ficus, take a look at the Open edX release blog post.

Interested in trying Open edX? You can launch a one-hour demo in the cloud, absolutely free! See how easy it is to get started with an Open edX cloud image by taking a free test drive.



You can also launch Open edX Ficus in your own cloud account, download a Virtual Machine, or download a native installer for Linux.

Visit our documentation to learn how to manage your installation. Still have questions? Head to our community pages for expert advice from our team.

Thursday, May 4, 2017

WordPress security issue: Unauthenticated Remote Code Execution (RCE)

A critical WordPress security vulnerability was recently published. The remote code execution proof-of-concept exploit described in the advisory targets version 4.6, but other WordPress versions prior to 4.7.1 may also be affected.

The WordPress team strongly encourages users to update their WordPress site(s) to the most recent version, 4.7.4. If you already have a running version of Bitnami WordPress, the application can be updated from the admin panel. Note that WordPress's automatic background updates are enabled by default, but by default they only apply minor releases (for example 4.7.x to 4.7.y); a move across a major release such as 4.6.x to 4.7.y is not performed automatically and must be started from the admin panel. You can confirm that the update has been applied by checking the version in your admin panel.

We have released Bitnami WordPress 4.7.4 (and Multisite version) installers, virtual machines and cloud images for all platforms.

Have questions about Bitnami WordPress or the security issue? Post to our Community Forum, and we would be happy to help you.

Friday, April 28, 2017

Security Release: Jenkins 2.57/2.46.2

The Jenkins project has released new versions that fix multiple cross-site request forgery vulnerabilities, along with an unauthenticated remote code execution vulnerability and an impersonation issue.

It is strongly suggested that you update your Jenkins installations to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins Docker container image, please follow the documentation in our GitHub repository.

You can find more information about the Jenkins security issues in the Jenkins Security Advisory.



Bitnami has released Jenkins 2.57 containers, and Jenkins 2.46.2 installers, virtual machines and cloud images that address these vulnerabilities.

https://bitnami.com/stack/jenkins

The Bitnami Jenkins offered on Bitnami.com and on our cloud-specific launchpads has been updated to version 2.46.2. New launches of Bitnami Jenkins via our launchpad already include the fixes and do not need to be updated further.

Users launching Bitnami Jenkins via a cloud marketplace are advised to select version 2.46.2 of Bitnami Jenkins, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum and, we will be happy to help you.

Thursday, April 20, 2017

Drupal Security Issue SA-CORE-2017-002


Drupal’s core security team has discovered a new critical security vulnerability in the RESTful Web Services (rest) module, SA-CORE-2017-002.

This module is not enabled by default in the Bitnami Drupal application. If you do not use the RESTful Web Services module, you do not need to take any action.

If you have the RESTful Web Services module enabled, your Drupal application is affected if all of the following conditions are met:
  • The version of the application is prior to 8.3.1 (Drupal 7.x is not affected).
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

If your Drupal installation meets those requirements it is recommended to update your Drupal application to the latest version, Drupal 8.3.1. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released Drupal 8.3.1 containers, installers, virtual machines and cloud images that address this vulnerability. If you deploy Bitnami Drupal via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Drupal via one of our cloud partner marketplaces and it is not yet updated to version 8.3.1, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forums, and we will be happy to help you.

Tuesday, April 18, 2017

Drupal Security Issue SA-CONTRIB-2017-38

A new critical security vulnerability in the References module has been discovered by Drupal's core security team as SA-CONTRIB-2017-38. Although this module is no longer maintained, it is currently used within over 120,000 installations.

If you use the References module, it is advised to uninstall it. In order to maintain equivalent functionality, it is recommended to try the Entity Reference module. If you do not use the References module, you do not need to take any action.

The References module is only supported by Drupal 7.x versions. The Bitnami Drupal stack does not include the References module by default. Therefore, it is not affected by this issue.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, and we will be happy to help you.

Wednesday, March 22, 2017

Moodle Security Issue CVE-2017-2641

[UPDATE 2017-03-23]

For new application deployments, Bitnami has released Moodle 3.2.2 installers, containers, virtual machines and cloud images that address this vulnerability. If you deploy Bitnami Moodle via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Moodle via one of our cloud partner marketplaces and it is not yet updated to version 3.2.2, you should apply the workaround explained below.

----

The Moodle project has just released new versions that contain an important security fix for a SQL injection vulnerability via user preferences that can lead to remote code execution (CVE-2017-2641).

Moodle has released versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19 that fix the issue. We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Moodle packages available through Bitnami as quickly as possible.

Workaround


In the meantime, we strongly encourage all Moodle administrators to apply the security patch published by the Moodle maintainers. In order to do so, log in to the server running your Moodle installation and run the following commands (the patch is downloaded to /tmp/security.patch, applied from the Moodle document root, and then removed):

$ curl -L -o /tmp/security.patch 'https://git.moodle.org/gw?p=moodle.git;a=patch;h=6e65554ea19f4e90c09864081e47424f8efca02e'
$ cd /opt/bitnami/apps/moodle/htdocs
$ sudo patch -p1 < /tmp/security.patch
$ rm /tmp/security.patch
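As an added example (not part of the Bitnami post or of Moodle itself), the same download-and-patch sequence wrapped in shell functions that refuse to touch the tree unless the downloaded file really is a unified diff and it dry-runs cleanly. That catches the two things that go wrong most often with this kind of workaround: a failed download saved under the patch name (for instance an HTML error page), and a tree that does not match the patch. The function names are mine; the URL and directory are passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the Bitnami post or Moodle: the workaround above,
# with checks so that nothing is modified unless the download really is a
# unified diff and it applies cleanly to the tree.

# looks_like_patch FILE -> exit 0 if FILE contains at least one unified-diff hunk
looks_like_patch() {
    grep -q '^+++ ' "$1" && grep -q '^@@ ' "$1"
}

# apply_patch_checked PATCHFILE TREE -> apply PATCHFILE with -p1 inside TREE.
# Exit 1: not a patch (e.g. an HTML error page); 2: dry run failed; 0: applied.
apply_patch_checked() {
    patchfile="$1"; tree="$2"
    if ! looks_like_patch "$patchfile"; then
        echo "refusing: $patchfile is not a unified diff" >&2
        return 1
    fi
    # Dry run first: patch(1) reports whether every hunk applies without writing anything.
    if ! ( cd "$tree" && patch -p1 --dry-run --silent < "$patchfile" ) >/dev/null 2>&1; then
        echo "refusing: patch does not apply cleanly to $tree" >&2
        return 2
    fi
    ( cd "$tree" && patch -p1 --silent < "$patchfile" )
}

# fetch_and_apply URL TREE -> download URL to a temporary file, apply it, clean up
fetch_and_apply() {
    tmp=$(mktemp) || return 3
    if ! curl -fsSL -o "$tmp" "$1"; then      # -f: treat HTTP errors as a failed download
        rm -f "$tmp"; echo "download failed: $1" >&2; return 3
    fi
    apply_patch_checked "$tmp" "$2"; status=$?
    rm -f "$tmp"                                # never leave the patch lying around in /tmp
    return $status
}

# Usage with the patch URL and Moodle path from the post (run with enough rights
# to write to htdocs, e.g. under sudo):
#   fetch_and_apply 'https://git.moodle.org/gw?p=moodle.git;a=patch;h=6e65554ea19f4e90c09864081e47424f8efca02e' /opt/bitnami/apps/moodle/htdocs
if [ $# -eq 2 ]; then fetch_and_apply "$1" "$2"; fi
```

Running the script twice is safe in the sense that the second dry run fails (the hunks are already applied) and nothing is changed; take a backup of htdocs before the first run, as with any manual patching.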

If you have further questions about Bitnami Moodle or this security issue, please post to our community forum, and we will be happy to help you.

Thursday, March 16, 2017

Security Release: Drupal 8.2.7

Drupal has released a new version that fixes three security vulnerabilities.

It is recommended that you update your Drupal application to the latest version, Drupal 8.2.7. You can follow our documentation to learn how to upgrade your application and ensure its security.

The vulnerabilities fixed in the latest version of Drupal are the following:

  • Editor module incorrectly checks access to inline private files - Access Bypass - Critical - CVE-2017-6377
  • Some admin paths were not protected with a CSRF token - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
  • Remote code execution - Moderately Critical - CVE-2017-6381


For new application deployments, Bitnami has released Drupal 8.2.7 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Drupal via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Drupal via one of our cloud partner marketplaces and it is not yet updated to version 8.2.7, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, and we will be happy to help you.

Tuesday, March 7, 2017

Security release: WordPress 4.7.3

WordPress has released a new version that fixes six security vulnerabilities.

It is recommended that you update your WordPress application to the latest version, WordPress 4.7.3. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.3 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.3, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Bitnami Announces Skippbox Acquisition

Those of you who follow Bitnami closely may have noticed that Bitnami has been ramping up our development of container-based applications, and, more recently, our efforts to make Kubernetes-based application deployment easier via Helm Charts and the Monocular project.

Thus, it’s probably not a big surprise that we are enthusiastic about the future of containers, and when it comes to orchestration, very excited about the momentum that has built around Kubernetes as the leading solution for running containers in production.

Therefore, we’re happy to announce the acquisition of Skippbox, Ltd.

With the Skippbox acquisition, we’re vastly upgrading our container and Kubernetes expertise. While much is still in the “stay tuned” category, some immediate announcements include:

  • We’re now offering Kubernetes training, the first session of which will be at KubeCon EU, in Berlin. For additional information on future training offerings, please check out our new training page.
  • Our new Senior Director of Cloud Technologies, Sebastien Goasguen, will be speaking on “Scheduling Containers with Kubernetes” at the upcoming O’Reilly Velocity Conference, June 21, 2017.
  • Bitnami has joined the Cloud Native Computing Foundation (CNCF), which is a perfect fit for our increased investments in containers and Kubernetes.

If you have any questions, we’d love to hear from you. In the meantime, stay tuned for more container and Kubernetes developments in the very near future.

Monday, February 27, 2017

Security notification: XSS and sandbox escape vulnerability in Plone

The Plone project has released a new patch that fixes an XSS and a sandbox escape vulnerability in the application.

You can find more info about these issues on the Plone Security Announcements page.

All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version) are affected. Previous versions could be affected but have not been fully tested. We highly recommend patching your existing Plone sites by following the steps below:

1. Create a backup of your current installation of the application

https://docs.bitnami.com/?page=apps&name=plone&section=how-to-create-a-full-backup-of-plone

2. Download the available patch at the security page

https://plone.org/security/hotfix/20170117

3. Unpack the zip file at /opt/bitnami/apps/plone/zeocluster/products

4. Modify the permissions of the files

    sudo chown -R plone:plone /opt/bitnami/apps/plone/zeocluster/products

5. Restart the Plone service

    sudo /opt/bitnami/ctlscript.sh restart plone

6. Check that the application has been restarted properly. You should see lines like these in the /opt/bitnami/apps/plone/zeocluster/var/client1/event.log file:

------
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied zmi patch
------
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied strformat patch
------
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Hotfix installed
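As an added example, not part of the Bitnami post, the checks from steps 4 and 6 above as shell functions: one lists anything under the products directory that is not owned by the expected user, the other classifies the hotfix state from the ZEO client's event.log (all patches applied and the final "Hotfix installed" line present, only some "Applied" lines present, or nothing at all). The directory, log path and hotfix name are the ones given in the steps; the function names and the `verify_plone_hotfix` wrapper are mine.

```shell
#!/bin/sh
# Added example, not part of the Bitnami post: post-hotfix checks for steps 4
# and 6 above. Paths and the hotfix name are the ones the post gives.

# files_not_owned_by DIR USER -> prints every path under DIR not owned by USER
files_not_owned_by() {
    find "$1" ! -user "$2" 2>/dev/null
}

# hotfix_status LOGFILE HOTFIX -> prints installed | partial | missing
# A complete load logs one "Applied ... patch" line per patch and then
# "Hotfix installed"; "Applied" lines without the final line mean the
# hotfix did not finish loading.
hotfix_status() {
    logfile="$1"; hotfix="$2"
    applied=$(grep -c "Products.$hotfix Applied " "$logfile" || true)  # grep -c prints 0 when absent
    if grep -q "Products.$hotfix Hotfix installed" "$logfile"; then
        echo installed
    elif [ "$applied" -gt 0 ]; then
        echo partial
    else
        echo missing
    fi
}

# verify_plone_hotfix -> exit 0 only if ownership is right and the hotfix is logged
verify_plone_hotfix() {
    products=/opt/bitnami/apps/plone/zeocluster/products
    log=/opt/bitnami/apps/plone/zeocluster/var/client1/event.log
    bad=$(files_not_owned_by "$products" plone)
    if [ -n "$bad" ]; then
        echo "not owned by plone:" >&2; echo "$bad" >&2
        return 1
    fi
    state=$(hotfix_status "$log" PloneHotfix20170117)
    if [ "$state" != installed ]; then
        echo "hotfix state in $log: $state" >&2
        return 1
    fi
    echo "PloneHotfix20170117 verified: files owned by plone, hotfix logged as installed"
}

if [ "${1:-}" = "--verify" ]; then verify_plone_hotfix; fi
```

Run it as `sh checkplone.sh --verify` after step 5; a `partial` result usually means the products directory contents are unreadable by the plone user (step 4 again) or the client was not restarted.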

Do you have additional questions about Bitnami Plone or the security vulnerability? Please post to our community forum and we will be happy to help you.

Chat Securely with Mattermost Team Edition, Now in Bitnami!


We are excited to announce our newest ISV partnership with Mattermost, the open source Slack-alternative you can run in your own cloud account!

Modern chat tools have taken the world by storm with a variety of features like search, archiving, and extensibility that make them extremely useful to almost any type of organization. However, when chat is only available as a service it can run afoul of IT security policies that require full control over sensitive files and data. With a seemingly endless procession of data breaches, it is no surprise that many companies and organizations are unable to use chat tools that only run on servers they cannot control or audit.


That's why Mattermost Team Edition presents such a great opportunity: it comes loaded with all the features that make contemporary chat tools great while giving the organization complete ownership of all its conversations, shared files, images, and other data generated in the course of routine chat operations. Mattermost integrates with the other tools that teams depend on such as a version control system, CRM, help desk, continuous integration/delivery, bug tracker, and countless other technologies that can generate a tremendous amount of sensitive, business-critical data. It also has the features that endear modern chat tools to users, such as slash commands for GIFs (and other useful functions) and customized emojis.


Bitnami Mattermost Team Edition can be launched in your organization's cloud account on all the most popular platforms like Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Platform through the Bitnami Launchpads or third party marketplaces. Government entities will be delighted to know that they can launch Mattermost Team Edition in Azure's Government Cloud in just a few clicks through the Gov Cloud Marketplace. There is also a Mattermost Virtual Machine that can be used in the enterprise datacenter, with or without a connection to the internet.

Powerful Features Include:

  • One-to-one and group messaging, file sharing, and unlimited search history
  • Advanced communication features including markdown support, threaded messaging, custom emoji, and emoji reactions
  • Ability to connect to mobile apps in iTunes and Google Play, or to compile your own mobile apps from provided source code
  • Ability to connect to desktop apps for Windows, Mac, and Linux 
  • Highly customizable third party bots, integrations and command line tools 
  • Languages include English, Chinese (Simplified & Traditional), Dutch, French, German, Japanese, Korean, Portuguese, Russian, Spanish
  • Easily scales from dozens to hundreds of users
  • Supports upgrade to Mattermost Enterprise Edition with advanced security, configuration and scalability benefits. Learn more at https://mattermost.com

Mattermost Team Edition is now available in Bitnami to launch in just a few clicks in all your favorite cloud platforms, as a virtual machine, and as a native installer for Linux. Interested in a quick test drive? Try our one-hour cloud demo and get familiar with the intuitive interface, absolutely free!

Visit our docs to learn how to manage and configure your installation. Still have questions? Head to the Mattermost Team Edition product page or Mattermost Help page for more information.

Wednesday, February 22, 2017

Security notification: DCCP double-free kernel vulnerability (CVE-2017-6074)


[UPDATE 2017-02-28]


Updated blog post with the steps to update CentOS and Oracle Linux kernels

----

[UPDATE 2017-02-23]

Updated blog post with the steps to update Debian and RedHat kernels

----

A new security vulnerability in the Linux kernel has been discovered. You can find more information about this vulnerability in the following research report: "DCCP double-free vulnerability".

Although the affected kernel code dates from before 2006, this is not a remotely exploitable vulnerability, so you can continue using any of the Bitnami Cloud Images or Virtual Machines without being affected. We also want to let you know that our containers offering is not affected by this security vulnerability.

At the time of this post, a new patched kernel has only been released for Ubuntu. We will update this blog post as kernel patches for other distributions become available. You can update your appropriate kernel by running the following commands (you must run the command specific to your distribution):

Ubuntu 


sudo apt-get update && sudo apt-get dist-upgrade 

You will have the fixed version of the kernel after rebooting your server. Running `uname -a` will then print output similar to this:

Linux ip-172-31-32-244 3.13.0-110-generic #157-Ubuntu SMP Mon Feb 20 11:54:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Debian


sudo apt-get update && sudo apt-get dist-upgrade 

You will have the fixed version of the kernel after rebooting your server. Running `uname -a` will then print output similar to this:

Linux bitnami-wordpress-dm-1d22 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux

RedHat


sudo yum update 

You will have the fixed version of the kernel after rebooting your server. Running `uname -a` will then print output similar to this:

Linux ip-10-99-173-165.ec2.internal 3.10.0-514.6.2.el7.x86_64 #1 SMP Fri Feb 17 19:21:31 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

CentOS


sudo yum update 

You will have the fixed version of the kernel after rebooting your server. Running `uname -a` will then print output similar to this:

Linux localhost.localdomain 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Oracle Linux


sudo yum update 

You will have the fixed version of the kernel after rebooting your server. Running `uname -a` will then print output similar to this:

Linux bitnami-wordpress-0 4.1.12-61.1.28.el6uek.x86_64 #2 SMP Thu Feb 23 20:03:53 PST 2017 x86_64 x86_64 x86_64 GNU/Linux
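As an added example (not from the Bitnami post), a few POSIX shell helpers that turn the "reboot and check `uname -a`" step above into something scriptable: a version comparison built on `sort -V`, and a check that tells apart "kernel not updated" from "kernel updated but not yet booted" by comparing the running kernel with the kernels installed under /boot. The required version is whatever your distribution's advisory names; the `3.13.0-110` value in the usage comment is just the Ubuntu kernel from the sample output above, used as an illustration. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the Bitnami post: scriptable checks for the
# "reboot and confirm uname -a" step above. Requires GNU sort (sort -V).

# kernel_at_least RUNNING REQUIRED -> exit 0 when RUNNING is REQUIRED or newer
# in version order, e.g. kernel_at_least 3.13.0-110-generic 3.13.0-110
kernel_at_least() {
    first=$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)
    [ "$first" = "$2" ]
}

# newest_kernel VERSION... -> prints the highest version among the arguments
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# reboot_needed RUNNING INSTALLED... -> exit 0 when a newer kernel than the
# running one is installed, i.e. the update landed but no reboot happened yet
reboot_needed() {
    running="$1"; shift
    newest=$(newest_kernel "$@")
    [ "$newest" != "$running" ] && ! kernel_at_least "$running" "$newest"
}

# installed_kernels -> lists the kernel versions found in /boot (vmlinuz-<version>)
installed_kernels() {
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] && echo "${f#/boot/vmlinuz-}"
    done
}

# check_kernel REQUIRED -> report whether this host runs a kernel >= REQUIRED
check_kernel() {
    running=$(uname -r)
    if kernel_at_least "$running" "$1"; then
        echo "OK: running kernel $running is at least $1"
    elif reboot_needed "$running" $(installed_kernels); then
        echo "REBOOT NEEDED: running $running, installed $(newest_kernel $(installed_kernels))"
        return 2
    else
        echo "UPDATE NEEDED: $running is older than $1 and no newer kernel is installed"
        return 1
    fi
}

# Usage: sh kernelcheck.sh 3.13.0-110   (the Ubuntu version from the sample output above)
if [ $# -eq 1 ]; then check_kernel "$1"; fi
```

One caveat for Debian: `uname -r` there reports the ABI name (`3.16.0-4-amd64` in the sample above), which does not change across security updates; the package version that actually identifies the fix (`3.16.39-1+deb8u1`) appears in `uname -v`, so on Debian compare that field, or the installed package version, rather than `uname -r`.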

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Wednesday, February 8, 2017

Security Release: Parse Server 2.3.1-1

Bitnami has released Parse Server version 2.3.1-1 for containers, installers and virtual machines to implement authentication when connecting to the Parse dashboard. If you deploy a new Bitnami Parse Server via a Bitnami Launchpad, your application will be up-to-date and secure. When deploying via a partner cloud marketplace, please ensure version 2.3.1-1 is selected.

If you are still using a Bitnami Parse Server version 2.3.1-0 or earlier you must take steps to secure your installation. This is important because unauthenticated users could connect to and extract data from your server. Possible ways to secure your installation include:

    1. Preventing connections from the public Internet to port 80 on the Parse Server.
    2. Configuring authentication as described in our documentation.

Do you have questions about Bitnami or this security release? Please post to our community forum and we will be happy to help you.

Thursday, February 2, 2017

Security Release: Jenkins 2.44/2.32.2

[UPDATE 2017-02-03]

For new application deployments, Bitnami has released Jenkins 2.44 containers, and Jenkins 2.32.2 installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Jenkins via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Jenkins via one of our cloud partner marketplaces and it is not yet updated to version 2.32.2, you will need to upgrade your application using the documentation linked below.

----

The Jenkins project has just released a new version that fixes multiple security issues, including a fix for an XStream remote code execution vulnerability.

It is strongly suggested that you update your Jenkins application to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins container, please follow the documentation in our GitHub repository.


You can find more information about the Jenkins security issues in the Jenkins Security Advisory.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Jenkins packages available through Bitnami as quickly as possible.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help you.

Friday, January 27, 2017

Security Release: WordPress 4.7.2

WordPress has released a new version that fixes three security vulnerabilities.

It is strongly recommended that you update your WordPress application to the latest version, WordPress 4.7.2. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.2 containers, installers and virtual machines that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.2, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Friday, January 13, 2017

Elasticsearch Installation Security Incident

As of today, attackers have been reportedly scanning for and vandalizing unsecured Elasticsearch installations over the Internet. (See: http://www.pcworld.com/article/3157417/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html)

Bitnami's security team has reviewed our image library. As a result, we have confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they do not expose Elasticsearch publicly by default; Elasticsearch is proxied through Apache with authentication.

One Bitnami listing, "Elasticsearch Cluster" on Microsoft Azure, was found to be vulnerable. This listing was removed earlier this week and we are notifying the small number of users who may have installations based on the affected template.

Since the scale of the attack appears to be growing, we recommend that all users of Bitnami Elasticsearch on all cloud platforms check that their installations are secure. Deployments that were secure at launch may have been accidentally opened to the Internet by changing the default configuration. 

We recommend that you immediately ensure that your Elasticsearch is not exposed to the public Internet, either by:

a) confirming that inbound firewall rules block traffic to ports 9200-9300 from the Internet, or

b) moving any Elasticsearch deployments to private networks.

How to restrict access to port 9200 on Microsoft Azure:

1. Log in to the Microsoft Azure Portal.
2. Using the left hand navigation bar, go to “Resource groups”.
3. Select the resource group your Elasticsearch Cluster application is located in.
4. Select the "Network Security Group" to edit its properties.
5. Select the "Inbound security rules" and close port 9200 by changing the Action from “Allow” to “Deny”.
6. Click the blue “Save” button at the top of the window.
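The firewall or network security group is one layer; the other is what the host itself listens on. As an added example (not part of the Bitnami post), a shell check that parses `ss -ltn` (or `netstat -ltn`) output and reports any TCP listener in the 9200-9300 range bound to a wildcard address, which is what a deployment "accidentally opened to the Internet by changing the default configuration" looks like from the host's point of view. In the Bitnami single-VM images described above Elasticsearch is reached through Apache, so it should only be bound to localhost. The sample listener table in the test is constructed; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the Bitnami post: find Elasticsearch listeners
# (TCP 9200-9300) bound to a wildcard address on this host.

# exposed_es_listeners FILE -> prints the local address:port of every listener
# in FILE whose port is in 9200-9300 and whose address is a wildcard.
# FILE holds the output of `ss -ltn` or `netstat -ltn`; in both formats the
# local address is column 4, and the header lines do not match the pattern.
exposed_es_listeners() {
    awk '
        $4 ~ /:[0-9]+$/ {
            n = split($4, parts, ":")
            port = parts[n] + 0
            # everything before the last colon: "0.0.0.0", "*", "[::]", "127.0.0.1", ...
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (port >= 9200 && port <= 9300 &&
                (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
                print $4
        }' "$1"
}

# check_this_host -> exit 1 and list the sockets if Elasticsearch listens on all interfaces
check_this_host() {
    command -v ss >/dev/null 2>&1 || command -v netstat >/dev/null 2>&1 \
        || { echo "need ss or netstat" >&2; return 2; }
    tmp=$(mktemp)
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } > "$tmp"
    exposed=$(exposed_es_listeners "$tmp")
    rm -f "$tmp"
    if [ -n "$exposed" ]; then
        echo "Elasticsearch is bound to all interfaces on:"
        echo "$exposed"
        return 1
    fi
    echo "no wildcard-bound Elasticsearch listener found (bind address is not the only control: check the firewall rules too)"
}

if [ "${1:-}" = "--check" ]; then check_this_host; fi
```

A clean result here does not replace the firewall review above: a listener on 127.0.0.1 is safe from the network, but a listener on 0.0.0.0 is only as safe as the rules in front of it.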


Additional practices for securing Elasticsearch can be found here: http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

If you have been affected by this attack or need additional help updating your Bitnami Elasticsearch, please contact us directly through our Helpdesk and we will do our best to assist you. https://bitnami.zendesk.com/hc/en-us.

CodeIgniter Security Issue CVE-2016-10131

[ UPDATE 2017-01-17 ]

The Bitnami Team is happy to announce that the Bitnami Cloud Hosting images have been properly updated and they use the latest version of CodeIgniter.

----

The CodeIgniter project released a new update that contains an important security fix for a cross-site scripting vulnerability. We strongly recommend that all CodeIgniter developers using Bitnami LAMP installations or the CodeIgniter development container upgrade to the latest version immediately.

We released new versions of Bitnami LAMP, MAMP, WAMP, LAPP, MAPP and WAPP (PHP5 and PHP7) installers, virtual machines and cloud images that fix this security issue. We also released a new version of our Bitnami CodeIgniter development container. Further details regarding the security issue are explained below:

"System/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments."

More info: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10131

Workaround


If you're unable to upgrade right away, you can secure your installation against this vulnerability by manually updating CodeIgniter. In order to do so, please follow the instructions below:

https://codeigniter.com/userguide3/installation/upgrading.html

Do you have questions about Bitnami or the security issue? Please post to our community forum and we will be happy to help you.

Tuesday, January 10, 2017

PWNScriptum Security Issue

[ UPDATE 2017-01-16 ]

The Magento team has published a new blog post about this security issue. They recommend turning off the "Set Return-Path" setting (switching it to "No") at "Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path".

We also want to inform you that the standard Bitnami Magento deployments are not affected as that field is set to "No" by default.

https://magento.com/security/news/new-zend-framework-1-security-vulnerability

----

During the past couple of weeks, vulnerabilities were discovered in the most widely used PHP Mailing Libraries: PHPMailer (CVE-2016-10033 and CVE-2016-10045), Swiftmailer (CVE-2016-10074) and ZendMail (CVE-2016-10034). There are several stacks in the Bitnami library that could be potentially affected. Because this issue is related to the implementation of the applications themselves, it must be addressed by their original developers.

From the moment this issue was reported, our security team started a very thorough review of all our PHP applications (including contacting developers directly in several cases.) We will release fixed versions of all affected apps as soon as they are available.

Note that in several cases, the application was developed in a way that made it impossible for the vulnerability to be exploited. Examples include:

  • WordPress: “Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.” [more info]
  • Drupal: “The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.” [more info]
  • Joomla: “After analysis [..] there are additional validations in place which make executing this vulnerability impractical within the Joomla environment.” [more info]
  • Moodle: “So my current conclusion is that Moodle sites are not affected by the Sender vulnerability discovered in phpmailer < 5.2.18.” [more info]
  • Phabricator: “No immediate action is necessary because we don't expose any way to get at these vulnerabilities.” [more info] 

Affected Bitnami PHP applications with recently released fixes: Akeneo, Dreamfactory, Mahara, Mantis, Mautic, ModX, Owncloud, OroCRM, TinyTinyRSS, PHPList. Please make sure you update your stacks by following the documentation in docs.bitnami.com.

Unaffected Bitnami PHP applications: SEO Panel, CMS Made Simple, Piwik, Magento, Prestashop, EspoCRM, Pimcore, Shopware and Oxid.

Please stay tuned if you are using a Bitnami PHP application, as we will continue releasing apps as soon as a fix is available.

Bitnami Applications for Oracle Bare Metal Cloud Services


At Oracle World in 2015, Bitnami and Oracle jointly announced the availability of the Bitnami catalog of more than 150 applications for Oracle Cloud Platform.

Fast forward a little more than a year later, and Bitnami is proud to be collaborating with the Oracle Bare Metal Cloud Services (BMCS) team to extend selected Bitnami offerings to BMCS, as well.

We've worked with the Oracle BMCS team to select the first 21 applications, including Java-related infrastructure such as JBoss, Liferay, Node.JS, and Tomcat; databases such as MongoDB and MySQL, as well as popular line of business applications like WordPress, Magento, and Moodle.

Bitnami-packaged applications are tested and approved to run on Oracle Cloud, secure, and kept up to date.

To see the complete list:

1. Go to the Oracle Cloud Marketplace

2. Type "bitnami bare metal" into the search box

You're now ready to download the installer for the application of your choice and use it on your Oracle BMCS account.