Wednesday, March 22, 2017

Moodle Security Issue CVE-2017-2641

[UPDATE 2017-03-23]

For new application deployments, Bitnami has released Moodle 3.2.2 installers, containers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Moodle via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Moodle via one of our cloud partner marketplaces and it is not yet updated to version 3.2.2, you should apply the workaround explained below.

----

The Moodle project has just released new versions that contain an important security fix for a SQL injection vulnerability via user preferences that can lead to remote code execution (CVE-2017-2641).

Moodle has released versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19 that fix the issue. We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Moodle packages available through Bitnami as quickly as possible.

Workaround


In the meantime, we strongly encourage all Moodle administrators to apply the security patch published by the Moodle maintainers. In order to do so, log in to your Moodle installation and run the following commands:

$ curl -L -o /tmp/security.patch 'https://git.moodle.org/gw?p=moodle.git;a=patch;h=6e65554ea19f4e90c09864081e47424f8efca02e'
$ cd /opt/bitnami/apps/moodle/htdocs
$ sudo patch -p1 < /tmp/security.patch
$ rm /tmp/security.patch
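
To decide which instances still need the fix, the following added example (not part of the original post or of Bitnami's tooling) reads the release string from Moodle's version.php and compares it with the fixed release listed above for its branch. The function names are hypothetical, and the script assumes the usual `$release = '3.2.1+ (Build: ...)';` line format.

```shell
#!/bin/sh
# Added example: compare a Moodle release string with the fixed releases
# named in the announcement (3.2.2, 3.1.5, 3.0.9, 2.7.19).

# Print the fixed point release for a branch; fail if the post lists none.
fixed_for_branch() {
  case "$1" in
    3.2) echo 2 ;;
    3.1) echo 5 ;;
    3.0) echo 9 ;;
    2.7) echo 19 ;;
    *)   return 1 ;;
  esac
}

# moodle_patch_status "<release string>"
# Prints: patched | needs-update | unlisted-branch | unparsable
moodle_patch_status() {
  # Keep only the leading dotted number: "3.2.1+ (Build: ...)" -> "3.2.1"
  ver=$(printf '%s\n' "$1" |
    sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p')
  [ -n "$ver" ] || { echo unparsable; return 0; }
  branch=$(printf '%s' "$ver" | cut -d. -f1-2)
  point=$(printf '%s' "$ver" | cut -d. -f3)
  point=${point:-0}   # "3.1" is treated as 3.1.0
  fixed=$(fixed_for_branch "$branch") || { echo unlisted-branch; return 0; }
  if [ "$point" -ge "$fixed" ]; then echo patched; else echo needs-update; fi
}

# read_moodle_release <path to version.php>
# Extracts the value assigned to $release (assumed single-quoted).
read_moodle_release() {
  sed -n "s/^[[:space:]]*\\\$release[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" |
    head -n 1
}

# Usage: sh check.sh /opt/bitnami/apps/moodle/htdocs/version.php
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  moodle_patch_status "$(read_moodle_release "$1")"
fi
```

This check looks only at the release string; it does not detect whether the patch above has been applied by hand.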

If you have further questions about Bitnami Moodle or this security issue, please post to our community forum, and we will be happy to help you.

Thursday, March 16, 2017

Security Release: Drupal 8.2.7



Drupal has released a new version that fixes three security vulnerabilities.

It is recommended that you update your Drupal application to the latest version, Drupal 8.2.7. You can follow our documentation to learn how to upgrade your application and ensure its security.

The vulnerabilities fixed in the latest version of Drupal are the following:

  • Editor module incorrectly checks access to inline private files - Access Bypass - Critical - CVE-2017-6377
  • Some admin paths were not protected with a CSRF token - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
  • Remote code execution - Moderately Critical - CVE-2017-6381


For new application deployments, Bitnami has released Drupal 8.2.7 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Drupal via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Drupal via one of our cloud partner marketplaces and it is not yet updated to version 8.2.7, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, and we will be happy to help you.

Tuesday, March 7, 2017

Security release: WordPress 4.7.3

WordPress has released a new version that fixes six security vulnerabilities.

It is recommended that you update your WordPress application to the latest version, WordPress 4.7.3. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.3 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.3, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Bitnami Announces Skippbox Acquisition

Those of you who follow Bitnami closely may have noticed that Bitnami has been ramping up our development of container-based applications, and, more recently, our efforts to make Kubernetes-based application deployment easier via Helm Charts and the Monocular project.

Thus, it’s probably not a big surprise that we are enthusiastic about the future of containers, and when it comes to orchestration, very excited about the momentum that has built around Kubernetes as the leading solution for running containers in production.

Therefore, we’re happy to announce the acquisition of Skippbox, Ltd.

With the Skippbox acquisition, we’re vastly upgrading our container and Kubernetes expertise.  While much is still in the “stay tuned” category, some immediate announcements include:

  • We’re now offering Kubernetes training, the first session of which will be at KubeCon EU, in Berlin.  For additional information on future training offerings, please check out our new training page.
  • Our new Senior Director of Cloud Technologies, Sebastien Goasguen, will be speaking on “Scheduling Containers with Kubernetes” at the upcoming O’Reilly Velocity Conference, June 21, 2017.
  • Bitnami has joined the Cloud Native Computing Foundation (CNCF), which is a perfect fit for our increased investments in containers and Kubernetes.

If you have any questions, we'd love to hear from you. In the meantime, stay tuned for more container and Kubernetes developments in the very near future.