Tuesday, December 20, 2016

Joomla! 3.6.5 Security Release (CVE-2016-9838)

The Joomla! project has just released a new version that fixes three security vulnerabilities.

This is a security release for the 3.x series and it only contains the security fixes, no other changes have been made. It is strongly suggested that you update your Joomla! website to the latest version.

You can find more info about these issue at the Joomla! release news page.

We have released Bitnami Joomla! 3.6.5 Docker image, cloud images, installers and virtual machines that fix these issues.

Do you already have a Joomla! installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Joomla! or this security issue, please post to our community forum, and we would be happy to help you.

Friday, December 9, 2016

WordPress 4.7 “Vaughan” ‒ Now Available from Bitnami

Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is now available from Bitnami. If you are already using a Bitnami WordPress image, you can simply upgrade your version from your WordPress admin panel.

Not familiar with Bitnami WordPress? In short, it is the easiest way to install your own WordPress instance. We've packaged WordPress as a self-contained and incredibly fast distribution that is simple to deploy. To get started with Bitnami WordPress, you can download our ready-to-run installers for Linux, Windows and Mac OS X, or our virtual machine images (VMs) and container for the application. If you want a hosted WordPress application, you can deploy Bitnami Wordpress into the cloud with one of our several cloud partners.

What's new in WordPress 4.7?

There are a significant number of new features in this WordPress version, including:

  • Twenty Seventeen theme: This yearly update of WordPress's native theme focuses on business sites and features a customizable front page with multiple sections. 
  • New additions to the application appearance customizer that take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.
  • New tools to manage your document collection; uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.
  • REST API endpoints for posts, comments, terms, users, meta, and settings.
Get started with new a WordPress application easily by deploying a Bitnami WordPress stack. If you have questions about Bitnami WordPress, please post to our community forum, and we will be happy to help you.

Tuesday, December 6, 2016

Security Release: GitLab 8.14.3 (CVE-2016-9469)

The GitLab project released a new update that contains an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to the latest version immediately.

We released new versions of Bitnami Gitlab 8.14.3 installers, virtual machines and cloud images that fix this security issue. Further details regarding the security issue are explained below:

Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

This issue is the result of un-sanitized user input being passed to an internal function that expects only trusted data. This code was introduced in GitLab 8.13.0.

More information about the issue can be found in the official blog post.

Workarounds


If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade.

Securing via web server configuration

  • Add the following text at the end of the httpd-app.conf file of Gitlab
     RewriteEngine On
     RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]
     RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]
     RewriteRule ^(.*)$ - [F,L]

  • Restart Apache
           sudo /opt/bitnami/ctlscript.sh restart apache


Securing via patch

  • Create a patch file at /opt/bitnami/apps/gitlab/htdocs
  • Apply the patch below
     diff --git a/app/finders/issuable_finder.rb                          b/app/finders/issuable_finder.rb
     index e42d5af..2c9412b 100644
     --- a/app/finders/issuable_finder.rb
     +++ b/app/finders/issuable_finder.rb
     @@ -7,7 +7,7 @@
      #   current_user - which user use
      #   params:
      #     scope: 'created-by-me' or 'assigned-to-me' or 'all'
     -#     state: 'open' or 'closed' or 'all'
     +#     state: 'opened' or 'closed' or 'all'
      #     group_id: integer 
      #     project_id: integer
      #     milestone_title: string
     @@ -183,10 +183,13 @@ class IssuableFinder
          end
          def by_state(items)
     -      params[:state] ||= 'all'
     -
     -      if items.respond_to?(params[:state])
     -        items.public_send(params[:state])
     +      case params[:state].to_s
     +      when 'closed'
     +        items.closed
     +      when 'merged'
     +        items.respond_to?(:merged) ? items.merged : items.closed
     +      when 'opened'
     +        items.opened
            else
              items
            end


Verifying the workaround

  • Open your GitLab project
  • Open the project's issue tracker
  • Choose the "closed" tab
  • Adjust the "state" field in your browser's address bar to "deleteme"
  • Verify you receive a 403 Forbidden error
Note: If you only applied the patch you will receive no errors here.

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum and we will be happy to help you.


Thursday, December 1, 2016

Code Dx Now Available in Microsoft’s Azure Government Cloud Marketplace

Bitnami has included Code Dx in the first wave of applications published to Microsoft’s Azure Government Cloud Marketplace. Code Dx provides comprehensive tools for software development professionals and quality assurance experts to test applications for vulnerabilities, pinpointing issues in the actual code.

With the recent attention and focus on application security—along with the tools Code Dx provides to ensure software development compliance with standards found in regulations like the DISA-STIG—government and eligible private entities alike will benefit from the greater availability and utility offered by the Azure Government Cloud platform.

With lightweight, secure access to cloud-based, physically isolated instances of Code Dx, users can quickly aggregate the results of multiple analysis tools, compare them to a wide range of industry security standards (such as OWASP Top 10), and triage identified vulnerabilities based on severity. With deployment on the Azure Government Cloud Marketplace, both new and existing users can access Code Dx on this new platform in addition to the various other deployment options already available.

For government and government-affiliated agencies, this represents a secure solution to a complex problem, but private entities also have to contend with vulnerability identification, management, and remediation, as well as ensuring compliance with regulations like HIPAA. Deployment on the Azure Government Cloud Marketplace platform gives these users the same benefits of security and cloud-based access.

To spread awareness about application security—what developers, government organizations, and security professionals need to know about it, how it’s different from network security, and what needs to be the focus in the future—and to explain some of the highlights of Code Dx’s utility, Bitnami and Code Dx are hosting a webinar on December 6, 2016, at 10 AM PST. To register, visit https://bitnami.com/webinar/codedx.

Guest blog post by: Ken Prole, CTO of Code Dx

Tuesday, November 29, 2016

Bitnami Releases Two Amazon RDS Offerings!

Bitnami, one of the leading providers of open source software in the AWS Marketplace, is excited to announce two new offerings using Amazon Relational Database Service (RDS), Wordpress Multi-Tier with Amazon RDS for MariaDB and Redmine Multi-Tier with Amazon RDS for MariaDB. Wordpress, a popular Content Management System (CMS) and Redmine, a flexible and richly configurable project management platform, are excellent additions to any business’ needs in the cloud. 

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.  With Amazon RDS, you can deploy a scalable MariaDB database, a popular open source relational database created by the original developers of MySQL.



Tighter integration with Amazon’s managed database offering in the cloud allows customers to take advantage of that same value with the expertise of Amazon Web Services managing the infrastructure for critical data in the cloud. These two new offerings use Amazon CloudFormation Templates created by Bitnami to orchestrate the application’s resources for the deployment. Users will be able to configure architecture suited to their needs and launch an environment into their AWS Account. All of the data required to get up and running will be pre-populated and ready for use upon deployment. 

Bitnami’s applications are trusted for their ability to provide the most up-to-date and patched versions of popular open source applications, consistently and expediently after release.  Using Bitnami’s Cloud Formation Templates allows customers to receive all of these Bitnami benefits while also being able to have an environment that incorporates the scalability and ease of use of Cloud Formation Templates.

Bitnami is excited to deepen our partnership with Amazon Web Services and our customers through the AWS Marketplace. We look forward to continuing to provide more value for our users and receiving your feedback on these applications. Please reach out to us directly if you have any requests or would like to see your applications available with Amazon RDS. You can reach out to us at enterprise@bitnami.com.

Monday, November 21, 2016

MySQL / MariaDB: Privilege Escalation / Race Condition / Root Privilege Escalation (CVE-2016-6663 and CVE-2016-6664)

Several new security vulnerabilities that affect some versions of MySQL and MariaDB were announced recently:

We want to let you know that all the published Bitnami Stacks that include MySQL or MariaDB as the database server are not affected, since they are using non-affected versions of the component.

CVE-2016-6663

The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user.

Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.

Affected versions:

MariaDB 
< 5.5.52
< 10.1.18
        < 10.0.28

MySQL  
<= 5.5.51
<= 5.6.32
<= 5.7.14

More information about this issue can be found at the following link: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

CVE-2016-6664

MySQL-based databases including MySQL, MariaDB and Percona are affected by a privilege escalation vulnerability which can let attackers who have gained access to mysql system user to further escalate their privileges to root user allowing them to fully compromise the system.
The vulnerability stems from unsafe file handling of error logs and other files.

Affected versions:

MySQL  
<= 5.5.51
<= 5.6.32
<= 5.7.14

MariaDB
All current

More information about this issue can be found at the following link: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

Are you using an affected version of the server or do you have questions about the security issue? Please post to our community forum and we will be happy to help you.

Friday, November 18, 2016

Security Release: Drupal 7 and 8

The Drupal project released a new update that fixes several security vulnerabilities. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

Information regarding the additional changes is available in the official security advisory. In response to the new Drupal version, we have released the following: Bitnami Drupal 7 and 8 installers, virtual machines, and cloud images.

Two notable issues include:

1. Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.


2. Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
A specially crafted URL can cause a denial of service via the transliterate mechanism.

Our new releases fix the known security issues. There are no new features or non-security related bug fixes in these releases.

If you have questions about Bitnami Drupal or these security issues, please post to our community forum and we will be happy to help you.

Security Release: Jenkins 2.19.3 (CVE-2016-9299)



T
he Jenkins project hast just released a new update that fixes a zero-day vulnerability that allow unauthenticated remote code execution. It is considered critical as it allows to execute code to unprivileged users.


We released new versions of Bitnami Jenkins 2.19.3 installersvirtual machines and cloud images that fix the security issue.

More information about the issue can be found in the official blog post.

Do you already have a Jenkins installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help.

Thursday, November 3, 2016

Critical Security Release for GitLab (CVE-2016-9086)

The Gitlab project released a new update that contains an important security fix for a critical directory traversal vulnerability, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.13.3 installers, virtual machines and cloud images that fix the security issue.

Directory traversal via "import/export" feature: CVE-2016-9086


Added in GitLab 8.9, the "import/export project" feature of GitLab allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users.

More information about the issue can be found in the official blog post.

Workarounds


If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Disable Project Import/Export via Tape Archive

Login using an administrator account to your GitLab installation and perform the following:

- Choose "Admin Area"
- Click "Settings"
- Under "Import Sources" disable the "GitLab export" option
- Click Save

Verifying the workaround

- In a Browser Window, login as any user
- Click "Projects"
- Click "New Project"
- Enter a project name
- Verify that "GitLab export" does not appear as an import option

Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.

Wednesday, October 26, 2016

Joomla! 3.6.4 Security Release

The Joomla! project has just released a new version that fixes two critical security vulnerabilities, in addition to a bug fix for two-factor authentication.

This is a security release for the 3.x series and it only contains the security fixes, no other changes have been made. It is strongly suggested that you update your Joomla! website to the latest version.

You can find more info about these issue at the Joomla! release news.

We have released Bitnami Joomla! 3.6.4 Docker image, cloud imagesinstallers and virtual machines that fix these issues.

Do you already have a Joomla! installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Joomla! or this security issue, please post to our community forum, and we would be happy to help you.

Thursday, October 20, 2016

Dirty COW (CVE-2016-5195): Privilege escalation vulnerability in the Linux Kernel

[2016-10-26]

All the affected cloud images and virtual machines have been successfully patched.

If you are using a Bitnami Cloud Hosting instance, you can easily patch it by following the guide below while we upgrade the base images.

[2016-10-24]

The Bitnami Team is happy to announce that our images on Google, Azure, AWS Marketplace and regular images have been properly updated. Additionally, we will continue to work on releasing the images for our all of our cloud platform partners and virtual machines.

----

A new security vulnerability in the linux kernel has been discovered. You can find out more information about it in the following research report.

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami and our team is working to update all of the affected Virtual Machines and Cloud Images available through Bitnami for all Cloud Providers.

Once the new kernel is available, you can update it by running the following commands (you must run the command specific to your distribution):

  • Ubuntu / Debian
sudo apt-get update && sudo apt-get dist-upgrade 

You will have the fixed version of the kernel after rebooting your server.

  • Oracle Linux, Red Hat, CentOS and Amazon Linux
sudo yum update 

You will have the fixed version of the kernel after rebooting your server.

If you have any questions about this process, please post to our community support forum and we will be happy to help! 

Wednesday, October 12, 2016

Bitnami Fall 2016 All-Hands: Bringing Together a Global Team

Why We Do It: Building a Better Global Team

Bitnami prides itself on having a highly capable, distributed team with employees working across five continents and six countries (Australia, India, Poland, Spain, United Kingdom, Uruguay, and USA).

While we're pretty adept at collaborating remotely with each other, we also believe it's important to create opportunities for face-to-face interactions where co-workers, regardless of home location, can put a face to the username (we primarily use Slack and Google Hangouts to communicate).  As a consequence, we give a high priority to having a regular All-Hands meeting where all the Bitnami employees from across the globe meet in person for a week of work, followed by a weekend of play.

Additionally, when we get the team together in person we're able to effectively share our company-wide goals and work together on plans to achieve them. Face time also provides an opportunity for brainstorming and other free-form activities that can be challenging to conduct remotely.

Getting a distributed team together in-person is certainly not unique to Bitnami, but it is an important part of our culture that we want potential new-hires to understand.

How We Structure It: Cross-Team Presentations


Our most recent All-Hands was our largest yet, and the entire Bitnami team gathered in our Seville office for a week-long series of presentations and collaboration.

To kick off each day, all of our teams, from Engineering to Operations, SRE, Finance, Business Development, Marketing, and Product provided an update on their latest progress and the roadmap ahead. These team-specific sessions provide an opportunity for people across different teams to develop a more concrete understanding of how each team's work fits into the overall company goals, which helps us all be more effective in working together.





We then had experts within the teams present on a wide variety of deeper-dive or special topics, most of which were requested by teammates via a pre-event survey. Some of the more notable topics included:

  1. How to Build Immutable Infrastructure
  2. Bitnami Platform Overview & Architecture
  3. The Importance of "Default to Open"
  4. Engineering Manager Expectations
  5. Financial Dynamics of SaaS Business
  6. Cloud and Container Landscapes

Some of the most interesting discussions were the result of informal Q&A throughout the presentations, which yielded deeper insights from those team members who are the closest to the work and products we produce.

Week of Work, Weekend of Play


After a productive week in Seville, the entire group traveled to the picturesque town of Sigüenza, Spain, for a weekend of rest and relaxation.

To the rest of the team's surprise, our incredible Operations team secretly arranged for us to rent the entire Parador de Sigüenza (Castle of Sigüenza), a former medieval castle turned into a luxury hotel. Take a look:






The weekend activities were designed to help Bitnami employees get to know one another by developing shared experience outside of our day-to-day roles. We enjoyed everything from traditional Spanish meals in the Parador dining room, a treasure hunt, cooking lessons, hiking in the nearby village of Pelegrina, and the much anticipated Bitnami karaoke party:



It's safe to say our stay at the Parador de Sigüenza was a blast for all Bitnami employees, and we hope you will consider joining us before our next All-Hands! 

Take a look at our current job openings to see if there is a role that is a good fit for you: https://bitnami.com/careers

Thursday, September 22, 2016

Security notification: OpenSSL OCSP Status Request Extension Unbounded Memory Growth (CVE-2016-6304)


[UPDATE 2016-10-13]

BCH images have been updated properly. You can now launch new servers that mitigate the vulnerability.

[UPDATE 2016-10-07]

All the affected cloud images, virtual machines and native installers have been successfully patched.

If you are using a Bitnami Cloud Hosting instance, you can easily patch it following the guide below while we upgrade the base images.

[UPDATE 2016-09-26]

The OpenSSL team announced the release of version 1.0.2j, which patches a missing CRL sanity check issue affecting only version 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. (CVE-2016-7052)

To update to the new OpenSSL version, please follow the instructions in our documentation system. 

The Bitnami Team will continue working on updating the Cloud Images, Virtual Machines and Native Installers using the latest released version.

[UPDATE 2016-09-23]

The Bitnami Team is happy to announce that our images on Google, Azure, Oracle (Ubuntu) and AWS Marketplace images have been properly updated. Additionally, we will continue to work on releasing the images for our all of our cloud platform partners, virtual machines and the native installers.

----

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160922.txt

Any Bitnami-packaged applications using affected OpenSSL versions prior to 1.0.1u, 1.0.2i and 1.1.0a are vulnerable. 

To secure your server, you need to update the OpenSSL version included in the system and the OpenSSL library included into the Bitnami installation. Please take a moment to update your existing installations of Bitnami-packaged applications by following the instructions in our documentation system

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Shopware Community Edition now in Bitnami!



We are pleased to announce that our newest software partner Shopware's Community Edition (CE) is now available in Bitnami! Shopware is one of the world’s leading e-commerce applications, with over 54,000 storefronts for a wide variety of businesses. Shopware Community Edition (CE) enables even the smallest company to have a sophisticated e-commerce presence, while still being powerful and scalable enough to be relied upon by some of the world’s most recognizable brands.


No  Coding Necessary
The Shopware CE backend was designed with usability in mind, enabling users with no coding experience to design and build beautiful online storefronts that automatically adapt to multiple devices and browsers. Its open-template design enables you to completely customize the look and feel of your ecommerce website, with a simple interface that displays only those elements which you are actually using. Also available for the Shopware CE backend are powerful marketing tools available through a large library of extensions in the Community Store, and built-in SEO tools that help deliver good rankings for your content.

Listing content is entered through an intuitive form.
Listing pages look beautiful, no matter what browser or device they’re displayed on.
Powerful Features for Advanced Users
Available for free under an AGPL license, Shopware Community Edition is supported by a large community. The codebase is lean and efficient, with a wide variety of plugins that extend both the frontend and backend while maintaining the ability to update/upgrade the software using a standard workflow. The application is based on PHP7 and comes pre-configured with Elasticsearch and an Open REST API out of the box.

Shopware Community Edition is now available in Bitnami to launch in just a few clicks in all your favorite cloud platforms, as a virtual machine, and as a native installer. Interested in a quick test drive? Try our one-hour demo in the cloud, complete with easy-to-install demo data, absolutely free!


Visit our docs to learn how to manage and scale your installation. Still have questions? Head to the Shopware Community Edition product page for more information.

Monday, September 19, 2016

Backendless Pro Now Available in Bitnami

Backendless, the API management platform and Mobile Backend as a Service we all know and love, has now released a major update called Backendless Pro! Available immediately in Bitnami, this new iteration of the popular Middleware application will also be coming soon to the AWS Marketplace.

Backendless has been a valued partner with Bitnami for over a year, and in that time has gone through an extraordinary transformation into a product that is now a more scalable, reliable, and intuitive way to streamline your application development than ever before.

Development Without Server-Side Coding
Backendless Pro is an API generation and management suite and Mobile Backend as a Service (mBaaS) that enables rapid development of mobile, desktop, and IoT applications. Deploying your code to the application enables you to automatically generate server-side functionality such as user registration and login, data persistence, geo location and geo fencing, and publish-subscribe messaging. All the functions that would normally require extensive development on the server side are automated, giving you the freedom to focus on client-side and business logic for your application.

Ready to Scale
Backendless Pro has some awesome features that are suitable for the enterprise or for rapid scaling of a web, mobile, or IoT application. It has the ability to cluster multiple servers for failover and scaling, and to take advantage of cloud services like RDS, ELB, EFS and ElasticCache. It can integrate with a wide range of databases including Oracle, SQL Server, MySQL, PostgreSQL and others. With a robust marketplace of plugins and extensions, you will be hard pressed to find a service that cannot integrate with your app using Backendless Pro.

Backendless Pro is now available in Bitnami to launch in just a few clicks, in all your favorite cloud platforms, as a virtual machine, and as a native installer. Interested in a quick test drive? Try our one-hour demo in the cloud, absolutely free!


Visit our docs to learn how to manage and scale your installation. Still have questions? Head to the Backendless Pro product page for more information.

Thursday, September 15, 2016

Kong Now Available in Google Cloud Platform

Bitnami is excited to announce that we have partnered with Mashape and Google to package Kong for Google Cloud Platform! Now you can launch and scale your Kong instance in minutes through the Google Cloud Launcher or the Bitnami Launchpad for Google Cloud Platform.

Powerful Functionality for Your Software
Mashape’s Kong platform is a popular open source, scalable API gateway and microservices management layer that helps add common functionality on top of your web, mobile, or IoT application. It acts as a gateway for HTTP requests, while providing logging, authentication, rate-limiting, and a huge variety of additional functionality through plugins. Kong is built on NGINX and Cassandra, and is easily configurable for high availability, fault-tolerance, and clustering right out of the box.


Simple Clustering
The Bitnami Kong stack is easy to configure in a clustered topology - simply launch the number of instances you need, configure each node with the IP address and authentication settings for the Seed Node, and Kong does the rest! You can read more about clustering Kong with multiple instances in our documentation.



Launch Kong in Google Cloud Platform
Google Cloud Launcher is Google’s marketplace of preconfigured cloud images that enables you to launch Mashape’s Kong in Google Cloud Platform, in a configuration that makes sense for your application, in minutes. Kong is absolutely free- you only pay for the compute time.


Already a Bitnami user? The Bitnami launchpad for GCP enables you to deploy Kong to your cloud account, where it can be accessed in your GCP Console, in just a few clicks!

Give it a try, and add powerful functionality to your application now!

Tuesday, September 13, 2016

Announcing Bitnami / Eclipse Che Integration — Making Developer Workflows Better


Making Developer Workflows Better


Both had similar goals: to make it simpler for developers to get started with popular, but sometimes complex, development frameworks.  With Eclipse Che becoming an increasingly popular IDE for cloud-based and portable development, and Bitnami the leading source for open source applications amongst cloud providers, we thought we'd integrate the two to make a better workflow for developers everywhere.

Now it's here — by using the two together, you can combine Eclipse Che's cloud-based portable workspaces with Bitnami's trusted, always up-to-date, easy to use Development Containers, to get a faster, more stable, more seamless development workflow.

Just Click & Go: New Bitnami Development Containers for Eclipse Che

Eclipse Che now ships with Bitnami Development Containers (used to make Che workspaces), with the first release (we'll be adding more in the future) including:
  • Codeigniter
  • Express
  • Laravel
  • Play for Java
  • Rails
  • Swift
  • Symfony
To use them, you can either select them from the Stacks Library from within Eclipse Che (as shown in the screenshot above), or you can can launch Codenvy from any Bitnami Development Containers repository.


Questions or feedback? Drop us a line at containers@bitnami.com.

Monday, September 12, 2016

MySQL Security Issue (CVE-2016-6662)

A critical vulnerability that affects all MySQL version branches was recently announced.  

Affected versions are:
MySQL <= 5.7.15
               5.6.33
               5.5.52
MySQL clones (MariaDB, PerconaDB...) are also affected.

This issue allows attackers to inject malicious settings into a MySQL configuration locally and remotely. Both the authenticated access (network connection or web interface) or SQL Injection could be used as exploitation vectors to achieve Remote Root Code Execution. For more information, visit here.

Official patches are not available yet. As temporary mitigations, users should ensure that MySQL config files are not owned by mysql user, and create root-owned dummy my.cnf files that are not in use. This is not a complete solution, we will re-check new MySQL/MariaDB versions when they are available.

We want to let you know that Bitnami Stacks (VMs, Cloud Images, Docker containers and Native Installers) are not affected since our MySQL configuration is not owned by mysql user and we explicitly define the configuration file using the parameter below for starting the service:
             --defaults-files=/opt/bitnami/mysql/my.cnf

So, the creation of any other my.cnf file will be ignored.

Do you have questions about the security issue? Post to our community forum, and we will be happy to help you.

Monday, August 29, 2016

Introducing the First of Bitnami's Multi-VM Applications

Bitnami's applications in the cloud are trusted by developers, small businesses, and enterprises around the world to run critical business functions. The key reason for this is our ability to deliver the most up-to-date and patched versions, consistently and quickly. These applications are also available in multiple different formats, such as virtual machine images, containers, and local installers, so you can run them anywhere. 

As our customers environments grow in size and complexity, an important concern is being able to extend applications in different ways, with the ease of use that's expected of a Bitnami app. Bitnami is now splitting out our application catalog into multi-vm architectures. Different types of architectures give customers the flexibility to extend workloads in the cloud, and tailor the application for the use case. Types of Multi-VM architectures include: 


Multi-Tier Application



Benefits: 
  • Horizontal and Vertical scaling of both parts of the application
  • Your data and your application are separated into two different VMs. This enables:
      • Simplified backups and updates (version upgrades, patches, etc)
      • Improved security and access control by separating data from code
      • Ability to  performance tune each tier independently

An example of this application is Bitnami Multi-Tier Wordpress, in Azure. 

Clustered Application


Benefits:
  • Higher availability, with a three node configuration that permits a leader election inside of the cluster. In this environment, each of the nodes are treated as part of the same set and can be promoted based on consensus inside of the configuration.
  • The ability to add capacity by increasing the number of nodes in the cluster.
  • Increased resiliency in the face of individual node failures and the ability to divide a cluster across multiple availability zones.
An example of this application is Bitnami Production MongoDB, in Azure.

Primary / Secondary Application

Benefits:
  • Elastic capacity, with the ability to add workers as needed for increased application throughput based on application needs. With this type of architecture, scaling your application can be responsive to additional demand. Both programmatically and manually an application back-end can be scaled to meet need.
  • The worker based model works well with ephemeral storage common on cloud platforms as state is not needed after the job is finished.

An example of this application is Bitnami Production Jenkins, in Azure.

If your application requirements can benefit from the above, Bitnami Multi-VM can help you reach your goal. We want customers to be able to launch these applications quickly and easily. Bitnami now has 6 multi-vm templates (WordPress, MySQL, PostgreSQL, MoodleMongoDB, and Jenkins) available in the Azure Marketplace, and one (MongoDB) in the Google marketplace.


It’s also simple and easy to launch MongoDB on the Google Cloud Platform as well. Navigate to the Google Cloud Launcher using your Google Cloud Platform account, and simply follow the steps to set up your desired environment in one click. 






Of course, if your application does not need higher throughput or a distributed architecture, you can always use Bitnami’s one-click Single VM images, suitable for smaller environments. Bitnami is looking into developing more applications in more application topologies, and investing in expanding beyond our current offerings at this time. We welcome suggestions for improvements and look forward to improving production delivery with these templates; please email enterprise@bitnami.com with your feedback.

Have a few more questions?  Hopefully these FAQ’s can clear things up:

1. Will you make a multi-vm template for every Bitnami app?

Not every application in the Bitnami Catalog will be delivered as Multi-VM. The applications scheduled for release have a set of criteria such as benefiting from cluster configuration, or requiring horizontal scale as the application size increases.

2.  How do you decide which apps to select?  If I want a multi-vm version of a particular app, how can I request that?

Please reach out to us directly if you have any requests or would like to see your applications available as multi-vm. You can reach out to us at enterprise@bitnami.com.

3. You mentioned APIs -- do I have to be a software developer to utilize your multi-vm templates?

Not at all! Our Multi-VM templates will work with a single click-to-deploy through the cloud marketplace providers, and use the same experience that any bitnami application provides.

4. What's the benefit of using the Bitnami version vs building my own template?

Building your own template using a specific cloud provider can be done using any cloud specific template. However, keeping the application up-to-date, using a production configuration specific to the application, and consistent experience across clouds are where Bitnami’s applications can make your life easier.

5. Do multi-vm templates improve disaster recovery?  Or provide failover?

Bitnami’s templates are not designed to incorporate disaster recovery or failover at this time. You can still use the same backup and Disaster Recovery tooling for your applications that you currently use, however, since these applications will launch the same compute resource as our single-vms.

6. How much do you charge for this?

Bitnami’s templates are free of charge, and there is no cost for the software.

Thursday, August 18, 2016

Intel PGO Optimizations Lead to 20% Faster WordPress on AWS

Profile-guided Optimization (PGO) is a technique that improves the performance of applications. It requires profiling data, which is later passed to the compiler and can be obtained after a test run of the application. The profiling data contains information about code areas that are most frequently used, and by knowing these areas, the compiler is able to be more selective and specific in optimizing the application.

Bitnami has been working with Intel on adding Profile-guided Optimizations to selected Bitnami stacks and we started with a Bitnami WordPress stack. In summary, we saw the following:
  • Applying Profile-guided Optimizations to the Bitnami WordPress stack resulted in a 20% improvement in the page-load speed.
  • Additionally, applying some tweaks to the MariaDB configuration, we were able to decrease the page-load time a total of 34%, including the PGO change.
The machine used to get the results of these tests consisted of an AWS m3.medium instance with HVM and SSD, using a Ubuntu 14.04 image.

In order to test the improvements in page-load time, we are making use of the "php-cgi" executable which is included in the Bitnami WordPress stack. A sample command for testing a WordPress stack located at "/opt/bitnami" would be the following:

sudo /opt/bitnami/php/bin/php-cgi -c /opt/bitnami/php/etc/php.ini -T10,1000 /opt/bitnami/apps/wordpress/htdocs/index.php >/dev/null


The test will launch a total of 1000 requests, 10 at-a-time, and measure the time it takes until the last request finishes. With this result, we will be able to measure how quick our WordPress installation reacts.

Executing the command above in an original Bitnami WordPress stack, the results will look something like this:

$ sudo /opt/wordpress-4.5.3-2/php/bin/php-cgi -c /opt/wordpress-4.5.3-2/php/etc/php.ini -T10,1000 /opt/wordpress-4.5.3-2/apps/wordpress/htdocs/index.php >/dev/null

Elapsed time: 30.819571 sec


An important difference for the stack built with PGO-optimizations is that it bundles MariaDB (not MySQL), and that we added a few tweaks to the database configuration. These changes consist of a few added lines to the "mysqld" section in the database's "my.cnf" configuration file:

[mysqld]
query_cache_limit=1M
query_cache_size=16M
query_cache_type=1
thread_stack=192K
thread_cache_size=16
skip-external-locking=1
key_buffer_size=384M
sort_buffer_size=2M
read_buffer_size=2M
read_rnd_buffer_size=8M
myisam_sort_buffer_size=64M


These changes can be applied to the original WordPress installation too, resulting in an improvement in page-load speed up to 17,5% (comparing to the result of the first test):

$ sudo /opt/wordpress-4.5.3-2/php/bin/php-cgi -c /opt/wordpress-4.5.3-2/php/etc/php.ini -T10,1000 /opt/wordpress-4.5.3-2/apps/wordpress/htdocs/index.php >/dev/null

Elapsed time: 25.431113 sec


Now, combining the PGO-optimizations with the database tweaks mentioned above, it is possible to get up to 34% improvement in page-load time compared to the original Bitnami stack, and up to 20% if we compare it with the tweaked-database installation:

$ sudo /opt/wordpress-4.5.3-2/php/bin/php-cgi -c /opt/wordpress-4.5.3-2/php/etc/php.ini -T10,1000 /opt/wordpress-4.5.3-2/apps/wordpress/htdocs/index.php >/dev/null

Elapsed time: 20.310336 sec


As you can see, we get a 20.1% improvement in the page-load speed that are PGO-only related.
If we compare it with the original and non-modified WordPress stack (which does not include any database tweaks), the page-load time is reduced up to 34.1%:




Are you interested in trying the PGO-optimized Bitnami WordPress stack? You can download it below:




Friday, August 12, 2016

Security Notification: Off-Path TCP Linux Kernel Vulnerability (CVE-2016-5696)

[UPDATE: 2016-08-22]

BCH images have been updated properly. You can now launch new servers that mitigate the vulnerability.

[UPDATE: 2016-08-18]

All the affected cloud images and virtual machines have been successfully patched.

If you are using a Bitnami Cloud Hosting instance, you can easily patch it following the guide below while we upgrade the base images. 

[UPDATE: 2016-08-17]

The Bitnami Team is happy to announce that the images of Google, Azure, 1&1 and GoDaddy have been updated properly. Additionally, we continue working on releasing the images for our all of our cloud platform partners, virtual machines and the native installers.

----

A new security vulnerability in the linux kernel has been discovered. You can find out more information about it in the following research report: "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous".

Since the Linux kernel code affected was implemented in 2012 (in Linux Kernel 3.6), all Bitnami-packaged images might be affected by this issue if the kernel hasn't been updated. At the time of writing this post, a new patched kernel has NOT been released for Debian and Ubuntu distributions that are the base OS for most of the Bitnami Virtual Machines. We will keep you updated in this blog post.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami and our team is working to update all of the affected Virtual Machines and Cloud Images available through Bitnami for all Cloud Providers. 

In the meantime, you can mitigate this problem by applying the following patch in your system:
sysctl net.ipv4.tcp_challenge_ack_limit=1073741823; grep -q tcp_challenge_ack_limit /etc/sysctl.conf || echo "net.ipv4.tcp_challenge_ack_limit=1073741823" >> /etc/sysctl.conf
Please, note that this is just a temporary solution that makes it a lot harder for attackers to succeed in exploiting this vulnerability. You can find more information about this temporary fix in a writeup on the Akamai blog.

Once the new kernel is available, you can update it by running the following commands (you must run the command specific to your distribution):


  • Ubuntu 
sudo apt-get update && sudo apt-get dist-upgrade 
You will have the fixed version of the kernel after rebooting your server.

  • Debian 
sudo apt-get update && sudo apt-get dist-upgrade 
You will have the fixed version of the kernel after rebooting your server.

  • Oracle Linux 
sudo yum update
sudo yum upgrade
You will have the fixed version of the kernel after rebooting your server.


  • Amazon Linux & RedHat Linux
sudo yum clean all
sudo yum update kernel
You will have the fixed version of the kernel after rebooting your server. 


If you have any questions about this process, please post to our community support forum and we will be happy to help!