Friday, July 27, 2018

edX Critical Security Fix: Chemical Equation Advanced Problems and security vulnerability in Recommender xblock

[UPDATE 2018-08-01]

Another similar security fix was released; the vulnerability it addresses also allows credentials to be stolen from staff members.

The Bitnami Team worked on publishing the new cloud images, virtual machines and native installers with this new fix. New launches of Bitnami edX ginkgo.2-7 via our launchpad are secure and do not need to be updated further.

If you have an already running installation, we updated the workaround steps to patch this security vulnerability along with the previous one that was announced.

[UPDATE 2018-07-30]

The Bitnami Team is happy to announce that the cloud images, virtual machines and native installers have been updated properly. New launches of Bitnami edX ginkgo.2-6 via our launchpad are secure and do not need to be updated further.

Users launching Bitnami edX via a cloud marketplace are advised to select version ginkgo.2-6 of Bitnami edX, once it is published. Installations based on previous versions will need to be upgraded as described below.

----

A new security vulnerability in edX has been announced. This vulnerability allows learners to include a script in their response to Chemical Equation advanced problems. If the script is malicious and staff members are lured into viewing the submission, their credentials could be at risk.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. For that reason, our team is working to update all of the affected edX packages available through Bitnami as quickly as possible.

Workaround

In the meantime, we strongly encourage edX administrators to apply the security patch published by the maintainers. To do so, run the following commands depending on your deployment choice:


  • Native installers

cd /tmp
# Download the edx-platform fix and the Recommender XBlock fix
curl "https://github.com/edx/edx-platform/commit/5b144559fbdba7ff673cc1c165aa2d343e07b6bd.patch" > edX.patch
curl -L "https://groups.google.com/group/openedx-announce/attach/82b14205f6ca3/update-recommender-ginkgo.patch?part=0.1&authuser=0" > edX-xblock.patch
# installdir is the directory where the native installer placed edX
cd installdir/apps/edx/edx-platform/
patch -p1 < /tmp/edX.patch
patch -p1 < /tmp/edX-xblock.patch


  • Cloud images and virtual machines

cd /tmp
# Download the edx-platform fix and the Recommender XBlock fix
curl "https://github.com/edx/edx-platform/commit/5b144559fbdba7ff673cc1c165aa2d343e07b6bd.patch" > edX.patch
curl -L "https://groups.google.com/group/openedx-announce/attach/82b14205f6ca3/update-recommender-ginkgo.patch?part=0.1&authuser=0" > edX-xblock.patch
cd /opt/bitnami/apps/edx/edx-platform/
sudo patch -p1 < /tmp/edX.patch
sudo patch -p1 < /tmp/edX-xblock.patch
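As an added example (not part of this post or of the edX patches), a POSIX shell wrapper that applies a downloaded patch file only after checking that the file really is a unified diff (curl without -f happily saves an HTTP error page under the patch name), that the patch is not already applied, and that every hunk applies in a dry run. The tree and patch in demo_apply are constructed so the script runs offline; on a Bitnami image the call would be apply_patch with the edx-platform directory and /tmp/edX.patch instead.

```shell
# apply_patch <tree_dir> <patch_file>
# Applies a unified diff with -p1 inside tree_dir after three checks.
# Exit status: 0 when applied or already present, 1 on any failure.
apply_patch() {
  tree="$1"
  pfile="$2"
  if [ ! -s "$pfile" ] || ! grep -q '^+++ ' "$pfile"; then
    echo "error: $pfile is missing, empty, or not a unified diff" >&2
    return 1
  fi
  # A reverse dry run succeeds only if the tree already contains the change.
  # -f keeps patch from second-guessing the direction or prompting.
  if (cd "$tree" && patch -p1 -R -f -s --dry-run < "$pfile" >/dev/null 2>&1); then
    echo "already applied: $pfile"
    return 0
  fi
  # Forward dry run: leave the tree untouched if any hunk would be rejected.
  if ! (cd "$tree" && patch -p1 -f -s --dry-run < "$pfile" >/dev/null 2>&1); then
    echo "error: $pfile does not apply cleanly in $tree" >&2
    return 1
  fi
  (cd "$tree" && patch -p1 -s < "$pfile") && echo "applied: $pfile"
}

# Demo on a constructed tree and patch (not the edX code base) so it runs offline.
demo_apply() {
  work=$(mktemp -d)
  mkdir -p "$work/tree/lms"
  printf 'line one\nline two\n' > "$work/tree/lms/example.txt"
  cat > "$work/fix.patch" <<'EOF'
--- a/lms/example.txt
+++ b/lms/example.txt
@@ -1,2 +1,2 @@
 line one
-line two
+line two, fixed
EOF
  apply_patch "$work/tree" "$work/fix.patch" || return 1
  # Running it again must be a no-op, not a failure or a double application.
  apply_patch "$work/tree" "$work/fix.patch" || return 1
  grep -q 'line two, fixed' "$work/tree/lms/example.txt"
}

demo_apply
```

Run the wrapper with sudo on the cloud images, since /opt/bitnami is owned by root.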


If you have further questions about Bitnami edX or this security issue, please post to our community forum, and we will be happy to help you.