Joomla! 3.6.5 Security Release (CVE-2016-9838)

The Joomla! project has just released a new version that fixes three security vulnerabilities.

This is a security release for the 3.x series and it only contains the security fixes, no other changes have been made. It is strongly suggested that you update your Joomla! website to the latest version.

You can find more info about these issue at the Joomla! release news page.

We have released Bitnami Joomla! 3.6.5 Docker image, cloud images, installers and virtual machines that fix these issues.

Do you already have a Joomla! installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Joomla! or this security issue, please post to our community forum, and we would be happy to help you.

WordPress 4.7 “Vaughan” ‒ Now Available from Bitnami

Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is now available from Bitnami. If you are already using a Bitnami WordPress image, you can simply upgrade your version from your WordPress admin panel.

Not familiar with Bitnami WordPress? In short, it is the easiest way to install your own WordPress instance. We've packaged WordPress as a self-contained and incredibly fast distribution that is simple to deploy. To get started with Bitnami WordPress, you can download our ready-to-run installers for Linux, Windows and Mac OS X, or our virtual machine images (VMs) and container for the application. If you want a hosted WordPress application, you can deploy Bitnami Wordpress into the cloud with one of our several cloud partners.

What's new in WordPress 4.7?

There are a significant number of new features in this WordPress version, including:

• Twenty Seventeen theme: This yearly update of WordPress's native theme focuses on business sites and features a customizable front page with multiple sections. 

• New additions to the application appearance customizer that take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.
• New tools to manage your document collection; uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.
• REST API endpoints for posts, comments, terms, users, meta, and settings.

Get started with new a WordPress application easily by deploying a Bitnami WordPress stack. If you have questions about Bitnami WordPress, please post to our community forum, and we will be happy to help you.

Security Release: GitLab 8.14.3 (CVE-2016-9469)

The GitLab project released a new update that contains an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to the latest version immediately.

We released new versions of Bitnami Gitlab 8.14.3 installers, virtual machines and cloud images that fix this security issue. Further details regarding the security issue are explained below:

Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

This issue is the result of un-sanitized user input being passed to an internal function that expects only trusted data. This code was introduced in GitLab 8.13.0.

More information about the issue can be found in the official blog post.

Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade.

Securing via web server configuration

• Add the following text at the end of the httpd-app.conf file of Gitlab

     RewriteEngine On

     RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]

     RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]

     RewriteRule ^(.*)$ - [F,L]

• Restart Apache

           sudo /opt/bitnami/ctlscript.sh restart apache

Securing via patch

• Create a patch file at /opt/bitnami/apps/gitlab/htdocs
• Apply the patch below

     diff --git a/app/finders/issuable_finder.rb                          b/app/finders/issuable_finder.rb

     index e42d5af..2c9412b 100644

     --- a/app/finders/issuable_finder.rb

     +++ b/app/finders/issuable_finder.rb

     @@ -7,7 +7,7 @@

      #   current_user - which user use

      #   params:

      #     scope: 'created-by-me' or 'assigned-to-me' or 'all'

     -#     state: 'open' or 'closed' or 'all'

     +#     state: 'opened' or 'closed' or 'all'

      #     group_id: integer 

      #     project_id: integer

      #     milestone_title: string

     @@ -183,10 +183,13 @@ class IssuableFinder

          end

          def by_state(items)

     -      params[:state] ||= 'all'

     -

     -      if items.respond_to?(params[:state])

     -        items.public_send(params[:state])

     +      case params[:state].to_s

     +      when 'closed'

     +        items.closed

     +      when 'merged'

     +        items.respond_to?(:merged) ? items.merged : items.closed

     +      when 'opened'

     +        items.opened

            else

              items

            end

Verifying the workaround

• Open your GitLab project
• Open the project's issue tracker
• Choose the "closed" tab
• Adjust the "state" field in your browser's address bar to "deleteme"
• Verify you receive a 403 Forbidden error

Note: If you only applied the patch you will receive no errors here.

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum and we will be happy to help you.

Code Dx Now Available in Microsoft’s Azure Government Cloud Marketplace

Bitnami has included Code Dx in the first wave of applications published to Microsoft’s Azure Government Cloud Marketplace. Code Dx provides comprehensive tools for software development professionals and quality assurance experts to test applications for vulnerabilities, pinpointing issues in the actual code.

With the recent attention and focus on application security—along with the tools Code Dx provides to ensure software development compliance with standards found in regulations like the DISA-STIG—government and eligible private entities alike will benefit from the greater availability and utility offered by the Azure Government Cloud platform.

With lightweight, secure access to cloud-based, physically isolated instances of Code Dx, users can quickly aggregate the results of multiple analysis tools, compare them to a wide range of industry security standards (such as OWASP Top 10), and triage identified vulnerabilities based on severity. With deployment on the Azure Government Cloud Marketplace, both new and existing users can access Code Dx on this new platform in addition to the various other deployment options already available.

For government and government-affiliated agencies, this represents a secure solution to a complex problem, but private entities also have to contend with vulnerability identification, management, and remediation, as well as ensuring compliance with regulations like HIPAA. Deployment on the Azure Government Cloud Marketplace platform gives these users the same benefits of security and cloud-based access.

To spread awareness about application security—what developers, government organizations, and security professionals need to know about it, how it’s different from network security, and what needs to be the focus in the future—and to explain some of the highlights of Code Dx’s utility, Bitnami and Code Dx are hosting a webinar on December 6, 2016, at 10 AM PST. To register, visit https://bitnami.com/webinar/codedx.

Guest blog post by: Ken Prole, CTO of Code Dx