Monday, February 27, 2017

Security notification: XSS and sandbox escape vulnerability in Plone

The Plone project has released a new patch that fixes a XSS and a sandbox escape vulnerability in the application.

You can find more info about these issues on the Plone Security Announcements page.

All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version) are affected. Previous versions could be affected but have not been fully tested. We highly recommend patching your existing Plone sites by following the steps below:

1. Create a backup of your current installation of the application

https://docs.bitnami.com/?page=apps&name=plone&section=how-to-create-a-full-backup-of-plone

2. Download the available patch at the security page

https://plone.org/security/hotfix/20170117

3. Unpack the zip file at /opt/bitnami/apps/plone/zeocluster/products

4. Modify the permissions of the files

    sudo chown -R plone:plone /opt/bitnami/apps/plone/zeocluster/products

5. Restart the Plone service

    sudo /opt/bitnami/ctlscript.sh restart plone

6. Check that the application has been restarted properly. You should see these lines in the /opt/bitnami/apps/plone/zeoclustervar/client1/event.log file

------
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied zmi patch
------
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied strformat patch
------
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Hotfix installed

Do you have additional questions about Bitnami Plone or the security vulnerability? Please post to our community forum and we will be happy to help you.

Chat Securely with Mattermost Team Edition, Now in Bitnami!


We are excited to announce our newest ISV partnership with Mattermost, the open source Slack-alternative you can run in your own cloud account!

Modern chat tools have taken the world by storm with a variety of features like search, archiving, and extensibility that make them extremely useful to almost any type of organization. However, when chat is only available as a service it can run afoul of' IT security policies that require full control over sensitive files and data. With a seemingly endless procession of data breaches, it is no surprise that many companies and organizations are unable to use chat tools that only run in servers they cannot control or audit.


That's why Mattermost Team Edition presents such a great opportunity: it comes loaded with all the features that make contemporary chat tools great while giving the organization complete ownership of all its conversations, shared files, images, and other data generated in the course of routine chat operations. Mattermost integrates with the other tools that teams depend on such as a version control system, CRM, help desk, continuous integration/delivery, bug tracker, and countless other technologies that can generate a tremendous amount of sensitive, business-critical data. It also has the features that endear modern chat tools to users, such as slash commands for GIFs (and other useful functions) and customized emojis.

Bitnami Mattermost Team Edition can be launched in your organization's cloud account on all the most popular platforms like Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Platform through the Bitnami Launchpads or third party marketplaces. Government entities will be delighted to know that they can launch Mattermost Team Edition in Azure's Government Cloud in just a few clicks through the Gov Cloud Marketplace. There is also a Mattermost Virtual Machine that can be used in the enterprise datacenter, with or without a connection to the internet.

Powerful Features Include:
  • One-to-one and group messaging, file sharing, and unlimited search history
  • Advanced communication features including markdown support, threaded messaging, custom emoji, and emoji reactions
  • Ability to connect to mobile apps in iTunes and Google Play, or to compile your own mobile apps from provided source code
  • Ability to connect to desktop apps for Windows, Mac, and Linux 
  • Highly customizable third party bots, integrations and command line tools 
  • Languages include English, Chinese (Simplified & Traditional), Dutch, French, German, Japanese, Korean, Portuguese, Russian, Spanish
  • Easily scales from dozens to hundreds of users
  • Supports upgrade to Mattermost Enterprise Edition with advanced security, configuration and scalability benefits. Learn more at https://mattermost.com
Mattermost Team Edition is now available in Bitnami to launch in just a few clicks in all your favorite cloud platforms, as a virtual machine, and as a native installer for Linux. Interested in a quick test drive? Try our one-hour cloud demo and get familiar with the intuitive interface, absolutely free!



Visit our docs to learn how to manage and configure your installation. Still have questions? Head to the Mattermost Team Edition product page or Mattermost Help page for more information.

Wednesday, February 22, 2017

Security notification: DCCP double-free kernel vulnerability (CVE-2017-6074)


[UPDATE 2017-02-28]


Updated blog post with the steps to update CentOS and Oracle Linux kernels

----

[UPDATE 2017-02-23]

Updated blog post with the steps to update Debian and RedHat kernels

----

A new security vulnerability in the Linux kernel has been discovered. You can find more information about this vulnerability in the following research report: "DCCP double-free vulnerability".

Even though the Linux kernel code affected was implemented before 2006, it is not a remotely exploitable vulnerability. Therefore, you can continue using any of the Bitnami Cloud Images or Virtual Machines without being affected. We also want to let you know that our containers offering is not affected by this security vulnerability.

At the time of this post, a new patched kernel has only been released for Ubuntu. We will update this blog post as kernel patches for other distributions become available. You can update your appropriate kernel by running the following commands (you must run the command specific to your distribution):

Ubuntu 


sudo apt-get update && sudo apt-get dist-upgrade 

You will have the fixed version of the kernel after rebooting your server. You will get a similar output than this one when running `uname -a`

Linux ip-172-31-32-244 3.13.0-110-generic #157-Ubuntu SMP Mon Feb 20 11:54:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Debian


sudo apt-get update && sudo apt-get dist-upgrade 

You will have the fixed version of the kernel after rebooting your server. You will get a similar output than this one when running `uname -a`

Linux bitnami-wordpress-dm-1d22 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux

RedHat


sudo yum update 

You will have the fixed version of the kernel after rebooting your server. You will get a similar output than this one when running `uname -a`

Linux ip-10-99-173-165.ec2.internal 3.10.0-514.6.2.el7.x86_64 #1 SMP Fri Feb 17 19:21:31 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

CentOS


sudo yum update 

You will have the fixed version of the kernel after rebooting your server. You will get a similar output than this one when running `uname -a`

Linux localhost.localdomain 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Oracle Linux


sudo yum update 

You will have the fixed version of the kernel after rebooting your server. You will get a similar output than this one when running `uname -a`

Linux bitnami-wordpress-0 4.1.12-61.1.28.el6uek.x86_64 #2 SMP Thu Feb 23 20:03:53 PST 2017 x86_64 x86_64 x86_64 GNU/Linux

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Wednesday, February 8, 2017

Security Release: Parse Server 2.3.1-1

Bitnami has released Parse Server version 2.3.1-1 for containers, installers and virtual machines to implement authentication when connecting to the Parse dashboard. If you deploy a new Bitnami Parse Server via a Bitnami Launchpad, your application will be up-to-date and secure. When deploying via a partner cloud marketplace, please ensure version 2.3.1-1 is selected.

If you are still using a Bitnami Parse Server version 2.3.1-0 or earlier you must take steps to secure your installation. This is important because unauthenticated users could connect to and and extract data from your server. Possible ways to secure your installation include:

    1. Preventing connections from the public Internet to port 80 on the Parse Server.
    2. Configuring authentication as described in our documentation.

Do you have questions about Bitnami or this security release? Please post to our community forum and we will be happy to help you.

Thursday, February 2, 2017

Security Release: Jenkins 2.44/2.32.2

[UPDATE 2017-02-03]

For new application deployments, Bitnami has released Jenkins 2.44 containers, and Jenkins 2.32.2 installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Jenkins via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Jenkins via one of our cloud partner marketplaces and it is not yet updated to version 2.32.2, you will need to upgrade your application using the documentation linked below.

----

The Jenkins project has just released a new version that fixes multiple security issues, including a fix for a XStream remote code execution vulnerability.

It is strongly suggested that you update your Jenkins application to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins container, please follow the documentation in our GitHub repository.


You can find more information about the Jenkins security issues in the Jenkins Security Advisory.



We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Jenkins packages available through Bitnami as quickly as possible.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum,and we will be happy to help you.