Wednesday, March 28, 2018

Drupal 8.5.1 and 7.58 highly critical releases

[Update] Open Atrium (a Drupal distribution) and CiviCRM (a CRM with Drupal integration) are also affected by this vulnerability. Make sure that your deployment is updated to the latest version.

--

Drupal has released new versions that fix a highly critical security vulnerability. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

The vulnerability fixed in the latest version of Drupal is the following:

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. More information can be found on the Drupal website here: https://www.drupal.org/sa-core-2018-002

It is recommended that you upgrade your Drupal application to Drupal 7.58 or later and Drupal 8.5.1 or later. You can follow our documentation to learn how to upgrade your application and ensure its security.

If you are unable to update immediately and have advanced Drupal administration skills, you may opt to patch your installation until you are able to perform the full update. The Drupal community has provided patches that can be applied with the following procedure (the paths below are those of a Bitnami Drupal stack):

1. Download the correct patch for the version of Drupal in use, into the Drupal document root. The patch is a raw git diff, so it must be applied from that directory.

For Drupal 7.x:

    cd /opt/bitnami/apps/drupal/htdocs
    sudo wget -O drupal.patch 'https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5'

For Drupal 8.5.x:

    cd /opt/bitnami/apps/drupal/htdocs
    sudo wget -O drupal.patch 'https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f'

2. Check that the patch applies cleanly (this is a dry run that changes nothing), then apply it:

    cd /opt/bitnami/apps/drupal/htdocs
    sudo git apply --check drupal.patch && sudo git apply drupal.patch

If the dry run reports rejected hunks, your core files differ from the release the patch was made for (for example because the site is on an older 8.x minor); do not force it, perform the full upgrade instead.

3. Restart the Apache web server:

    sudo /opt/bitnami/ctlscript.sh restart apache

Patching is a temporary measure until you can perform a complete upgrade of your Drupal installation.
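To tell quickly whether a deployment is already at a fixed release, the following check reads the core version from disk. It is an added example, not part of this post or of Drupal's own tooling. It assumes the upstream file layout (Drupal 7 defines VERSION in includes/bootstrap.inc, Drupal 8 keeps const VERSION in core/lib/Drupal.php) and treats anything below 7.58 or 8.5.1 as needing the update, matching the recommendation above; pre-release strings such as 8.5.0-rc1 are reported as unknown rather than guessed at. The fixture helper exists only so the script can be exercised on constructed files.

```shell
#!/bin/sh
# Added example, not from the Bitnami post or Drupal itself: report whether a
# Drupal document root is at or above the releases that fix SA-CORE-2018-002
# (7.58 / 8.5.1). Assumes the upstream layout: Drupal 7 defines VERSION in
# includes/bootstrap.inc, Drupal 8 keeps const VERSION in core/lib/Drupal.php.

# Print the core version found under document root $1 (empty if not found).
drupal_version() {
    if [ -f "$1/core/lib/Drupal.php" ]; then
        # Drupal 8:   const VERSION = '8.5.1';
        sed -n "s/^ *const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php"
    elif [ -f "$1/includes/bootstrap.inc" ]; then
        # Drupal 7: define('VERSION', '7.58');
        sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" "$1/includes/bootstrap.inc"
    fi
}

# True when $1 is a plain non-negative integer, so -ge below cannot misfire.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Print "fixed", "update" or "unknown" for the Drupal tree at $1.
sa_core_2018_002_status() {
    v=$(drupal_version "$1")
    case "$v" in
        7.*)
            minor=${v#7.}
            if ! is_number "$minor"; then echo unknown      # 7.x-dev and friends
            elif [ "$minor" -ge 58 ]; then echo fixed
            else echo update; fi ;;
        8.*)
            rest=${v#8.}; minor=${rest%%.*}; patch=${rest#*.}
            if [ "$rest" = "$patch" ] || ! is_number "$minor" || ! is_number "$patch"; then
                echo unknown                                # 8.5.0-rc1, 8.x-dev, ...
            elif [ "$minor" -gt 5 ]; then echo fixed        # 8.6+ post-dates the fix
            elif [ "$minor" -eq 5 ] && [ "$patch" -ge 1 ]; then echo fixed
            else echo update; fi ;;                         # 8.0-8.4 and 8.5.0
        *)
            echo unknown ;;
    esac
}

# Build a constructed Drupal $1 (7 or 8) tree reporting version $2 under $3.
make_fixture() {
    if [ "$1" = 8 ]; then
        mkdir -p "$3/core/lib"
        printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$2" > "$3/core/lib/Drupal.php"
    else
        mkdir -p "$3/includes"
        printf "<?php\ndefine('VERSION', '%s');\n" "$2" > "$3/includes/bootstrap.inc"
    fi
}

# Usage on a Bitnami stack:
#   sh drupal-check.sh /opt/bitnami/apps/drupal/htdocs
if [ $# -gt 0 ]; then
    sa_core_2018_002_status "$1"
fi
```

Run it against the document root after patching as well: the patch does not bump the version constant, so a patched 7.57 still reports "update", which is the reminder you want until the full upgrade is done.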

For new application deployments, including the Bitnami Launchpad, we are releasing Drupal 7.58 and 8.5.1 containers, installers, virtual machines and cloud images that include the fix to address this vulnerability. If you deploy Bitnami Drupal and it is not yet updated to its latest version, you will need to upgrade by following our documentation.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, where we will be happy to help.

Wednesday, March 21, 2018

Security Release: GitLab 10.5.6

The GitLab project has released a new update that contains several important security fixes. We recommend that all GitLab installations be upgraded immediately to the new version, GitLab 10.5.6.

Although the new version is publicly available now, the vulnerability details will not be made public on GitLab's issue tracker for approximately 30 days. We recommend following any details the GitLab team publishes during that time. The information disclosed so far is the following:

  • SSRF in services and web hooks (CVE-2018-8801): There were multiple server-side request forgery issues in the Services feature. An attacker could make the GitLab instance issue requests to servers on its own network. This could lead to information disclosure, authentication bypass, or potentially code execution.
  • GitLab Auth0 integration issue: There was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users.
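The SSRF item above is the general web-hook problem: the application fetches a URL chosen by a user, so whatever the server can reach, the user can reach through it. The following added example (not GitLab's code, and not a workaround for CVE-2018-8801) shows the destination check a web-hook sender needs: resolve the target first, judge every resolved address against a deny list of internal ranges, reject non-canonical address spellings that naive string filters miss, and fail closed on anything unparsable. The list of blocked ranges is a hypothetical policy chosen for the example; host names are resolved with getent when one is available.

```shell
#!/bin/sh
# Added example, not GitLab's code: the destination check a web-hook or
# service integration needs before fetching a user-supplied target, so the
# server cannot be used as a proxy into its own network. Blocked ranges are a
# hypothetical policy; the method (resolve first, judge the resolved address,
# fail closed) is the point.

# Dotted-quad IPv4 -> 32-bit integer. Returns 1 on anything that is not four
# canonical decimal octets, so "0177.0.0.1", "2130706433" or "10.1" are
# rejected instead of being interpreted by a more liberal parser downstream.
ipv4_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac          # no leading zeros (octal lookalikes)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when integer address $1 lies inside CIDR $2 (written a.b.c.d/len).
in_cidr() {
    net=$(ipv4_to_int "${2%/*}") || return 1
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $plen)) & 0xFFFFFFFF ))
    [ $(( $1 & $mask )) -eq $(( $net & $mask )) ]
}

# Hypothetical deny list: "this" network, RFC 1918, CGNAT, loopback,
# link-local (including cloud metadata endpoints) and multicast/reserved space.
BLOCKED_RANGES="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

# Print allow or deny for one IPv4 address string.
ipv4_policy() {
    n=$(ipv4_to_int "$1") || { echo deny; return; }   # unparsable: fail closed
    for r in $BLOCKED_RANGES; do
        if in_cidr "$n" "$r"; then echo deny; return; fi
    done
    echo allow
}

# Take a host name or IPv4 literal; allow only if every address it resolves
# to is allowed. Names that do not resolve, or resolve to nothing usable
# (for example IPv6-only), are denied.
webhook_target_policy() {
    if ipv4_to_int "$1" >/dev/null; then
        addrs=$1
    else
        addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
    fi
    [ -n "$addrs" ] || { echo deny; return; }
    for a in $addrs; do
        [ "$(ipv4_policy "$a")" = allow ] || { echo deny; return; }
    done
    echo allow
}

# Usage: sh hook-target.sh <host-or-ipv4>
if [ $# -gt 0 ]; then
    webhook_target_policy "$1"
fi
```

Note that resolving and then connecting are two steps: a host that resolves to a public address at check time can be re-pointed at an internal one before the request is made (DNS rebinding), so a production sender should connect to the address it validated rather than resolve the name a second time.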

Bitnami has released Bitnami GitLab 10.5.6 for both virtual machines and cloud images, which fixes those vulnerabilities.

More information about these issues can be found in the official blog post. As the vulnerability details had not been disclosed at the time of this post's publishing, there is no workaround available. Therefore, if you are running a GitLab version prior to 10.5.6, you will need to upgrade GitLab to the latest version by following this documentation.

Do you have questions about Bitnami GitLab or these security issues? Please post them to our community forum. We will be happy to help you.

Thursday, March 8, 2018

Security update: Buffer overflow in the DHCP client

[2018-03-14] Updated this post with information about the CentOS package.

--------

[2018-03-13] Updated this post with information about the Red Hat and Oracle Linux packages.

--------

A new security vulnerability in the ISC DHCP client, dhclient, has been disclosed (CVE-2018-5732). It allows a malicious DHCP server (or any entity masquerading as one on the local network) to cause a buffer overflow in dhclient by sending a response containing a specially constructed options section. You can find more information in the official ISC DHCP announcement.

The overflow causes an out-of-bounds memory access, and therefore a crash, when the client receives and processes a triggering response. The actual outcome depends on the operating system, and remote code execution may be possible in some circumstances. Because the trigger is a DHCP reply, any host that obtains its address by DHCP on a network where an attacker can answer DHCP requests is exposed.

Affected dhclient versions are:
  • 4.1.0 -> 4.1-ESV-R15
  • 4.2.0 -> 4.2.8
  • 4.3.0 -> 4.3.6
  • 4.4.0
Bitnami-packaged images might be affected by this issue if the dhclient package has not been updated. A separate vulnerability in the DHCP server component (dhcpd, CVE-2018-5733) was published at the same time; we want to clarify that none of our solutions include that package by default.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami and our team is working to update all of the affected Virtual Machines and Cloud Images available through Bitnami for all Cloud Providers. We will keep you updated in this blog post.

How to mitigate the issue

In the meantime, you can mitigate this problem by updating the package using the package manager included with your operating system:

Amazon Linux

    No updated package is available yet.

RedHat / CentOS / Oracle Linux

    sudo yum update dhclient dhcp-common

Ubuntu / Debian

    sudo apt-get update && sudo apt-get install --only-upgrade isc-dhcp-client

Once updated, you should have one of the following versions:

Amazon Linux

    There is not any new version of the package yet

RedHat

    4.2.5-58.el7_4.3

CentOS

    4.2.5-58.el7.centos.3

Oracle Server

    4.2.5-58.0.1.el7_4.3

Ubuntu

    4.3.3-5ubuntu12.9

Debian

    jessie: 4.3.1-6+deb8u3
    stretch: 4.3.5-3+deb9u1


How to obtain the installed version of the package

To check the currently installed version on your system:

RedHat / CentOS / Oracle Linux / Amazon Linux

    yum -q info installed dhcp-common

Ubuntu / Debian

    dpkg -s isc-dhcp-client | grep '^Version'
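Comparing the string those commands print against the table above by eye is error-prone, so here is an added example (not part of this post) that does it in a script: it reads the installed version with rpm or dpkg-query and compares it, per distribution, against the fixed builds listed above. The distribution keys (rhel, centos, oracle, ubuntu, jessie, stretch) are the example's own. The comparison routine is written here in rpmvercmp style (runs of digits compare as numbers, runs of letters lexically, a numeric run outranks a letter run); it is adequate for the package strings on this page but is not a replacement for rpm's or dpkg's own version ordering.

```shell
#!/bin/sh
# Added example, not from the Bitnami post: is the installed ISC DHCP client
# package at or above the fixed build for this distribution? Fixed versions
# are the ones listed in the post; the comparison is a small rpmvercmp-style
# routine, good enough for these strings, not rpm's or dpkg's own ordering.

# Split "4.2.5-58.el7_4.3" into "4 2 5 58 el 7 4 3": runs of digits and runs
# of letters, with the separators dropped.
split_version() {
    printf '%s\n' "$1" | sed \
        -e 's/[^[:alnum:]]\{1,\}/ /g' \
        -e 's/\([[:alpha:]]\)\([[:digit:]]\)/\1 \2/g' \
        -e 's/\([[:digit:]]\)\([[:alpha:]]\)/\1 \2/g' \
        -e 's/^ //'
}

# Print lt, eq or gt for version $1 relative to version $2.
vercmp() {
    a=$(split_version "$1"); b=$(split_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; a=${a#"$x"}; a=${a# }       # pop the first segment of each
        y=${b%% *}; b=${b#"$y"}; b=${b# }
        [ "$x" = "$y" ] && continue
        if [ -z "$x" ]; then echo lt; return; fi    # shorter version is older
        if [ -z "$y" ]; then echo gt; return; fi
        case "$x" in *[!0-9]*) xnum=0 ;; *) xnum=1 ;; esac
        case "$y" in *[!0-9]*) ynum=0 ;; *) ynum=1 ;; esac
        if [ $xnum -eq 1 ] && [ $ynum -eq 1 ]; then
            if [ "$x" -eq "$y" ]; then continue; fi     # "01" equals "1"
            if [ "$x" -lt "$y" ]; then echo lt; else echo gt; fi
        elif [ $xnum -eq 1 ]; then echo gt               # digits outrank letters
        elif [ $ynum -eq 1 ]; then echo lt
        elif [ "$(printf '%s\n%s\n' "$x" "$y" | LC_ALL=C sort | head -n 1)" = "$x" ]; then echo lt
        else echo gt
        fi
        return
    done
    echo eq
}

# Fixed builds listed in the post, keyed by distribution (keys are ours).
fixed_version() {
    case "$1" in
        rhel)    echo 4.2.5-58.el7_4.3 ;;
        centos)  echo 4.2.5-58.el7.centos.3 ;;
        oracle)  echo 4.2.5-58.0.1.el7_4.3 ;;
        ubuntu)  echo 4.3.3-5ubuntu12.9 ;;
        jessie)  echo 4.3.1-6+deb8u3 ;;
        stretch) echo 4.3.5-3+deb9u1 ;;
        *)       return 1 ;;                 # e.g. amazon: no fixed build yet
    esac
}

# Print fixed, vulnerable or unknown for installed version $2 on distribution $1.
dhcp_client_status() {
    want=$(fixed_version "$1") || { echo unknown; return; }
    [ -n "$2" ] || { echo unknown; return; }     # package not installed
    if [ "$(vercmp "$2" "$want")" = lt ]; then echo vulnerable; else echo fixed; fi
}

# Ask the package manager for the installed version (empty if not installed).
installed_dhcp_client_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q dhcp-common >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}\n' dhcp-common
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' isc-dhcp-client 2>/dev/null
    fi
    return 0
}

# Usage: sh dhcp-check.sh <rhel|centos|oracle|ubuntu|jessie|stretch>
if [ $# -gt 0 ]; then
    v=$(installed_dhcp_client_version)
    echo "distribution=$1 installed=${v:-none} status=$(dhcp_client_status "$1" "$v")"
fi
```

A newer build than the one in the table (for example a later errata release) compares as gt and is reported as fixed, which is the intended reading of "or later".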

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.

Monday, March 5, 2018

Bitnami Jenkins - Oracle Jump Start Demo Lab

While Bitnami has always made it easy to launch cloud applications, Oracle has taken it one step further with their Jump Start Demo Lab program. Now not only do you get free access to ready-to-run Bitnami applications, but you also get free access to the Oracle cloud to test the application as well.

Bitnami has been collaborating with the Oracle Jump Start team on several popular applications and we’re announcing today the availability of our Jenkins Demo Lab.

Bitnami Jenkins

If your job involves developing or deploying software, you've probably already heard of Jenkins, a Continuous Integration (CI) server designed specifically for automating software builds and deployments. As a leading open source project, Jenkins is extremely versatile and comes with 1000+ plugins that allow easy integration with many different platforms, source code management systems and build systems. Jump Start allows you to try Jenkins on Oracle Cloud Infrastructure (OCI) in a self-paced, guided demo environment for free.

Ready to get started?

If you are ready to automate your software testing and delivery process and would like to explore the functionality of Jenkins for free in one of the world’s leading clouds, then this is your chance.

Visit Oracle Jump Start page for detailed instructions to get you up and running right away.

Want more? Curious about other Oracle Jump Start applications?

See the entire Bitnami application catalog available in the Oracle Cloud
https://oracle.bitnami.com/

Friday, March 2, 2018

Bitnami named Top 3 Vendor in Application Deployment and Management for DevOps by EMA

Authored by Tom McCafferty, VP of Marketing

The new Enterprise Management Associates report "Ten Priorities for Container Management and DevOps in 2018" was just released, and Bitnami is proud to be chosen as a Top 3 vendor for Application Deployment and Management. The report analyzes survey data from 300 enterprise DevOps teams to break down industry trends and highlights key products to "recognize a vendor's excellent alignment with customer challenges."

Let's be honest...who doesn't like a little recognition? At Bitnami we've been innovating very rapidly over the past year and it's nice to be recognized for the work that we are doing. This report highlights three of our key product initiatives that are expanding our product portfolio beyond our core application catalog business. As Bitnami continues to grow, we're squarely focused on adding value to customers in two ways...

1. Simplifying the journey to the cloud by automating application migration (see Stacksmith)

2. Driving the next generation of application packaging standards and usage around containers and Kubernetes (see Kubeapps) and FaaS (see Kubeless).

While these represent an obvious extension to our company focus on application packaging and management, it's great to see that they align so nicely with the 10 priorities that the EMA report identified for container management and DevOps in the enterprise.

Check out the complete report - Enterprise Management Associates "10 Priorities for Container Management and DevOps in Production and at Scale in 2018 (EMA Top 3)".

I’ve been a fan of Enterprise Management Associates and Torsten’s no-nonsense approach to the analyst game for a long time. Briefing him on the work we’re doing related to application packaging, cloud migration and Kubernetes was exactly as expected…conversational, technically deep and ultimately very enjoyable. Seeing that much of our product focus aligned with exactly the feedback he had been getting from the 300 enterprises surveyed for the recent Top 3 report was great validation from a resource I know I can trust and I expect that many enterprises can look to for guidance on 2018 strategies.