The Magento project recently released new versions that fix several security vulnerabilities. The most important one is a critical SQL injection vulnerability, but these new versions also include over 30 security enhancements that help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues. A few of the notable fixes include:
PRODSECBUG-2198: SQL Injection vulnerability through an unauthenticated user
PRODSECBUG-2236: SQL injection and cross-site scripting (XSS) vulnerability in the Catalog section
PRODSECBUG-2192: Remote code execution through crafted newsletter and email templates
PRODSECBUG-2287: Remote code execution through email template
We highly recommend upgrading your existing Magento Community Edition 2.x sites. For more information about these security issues and many others fixed in Magento 2.3.1, please refer to this blog post in the Magento Security Center.
Bitnami has released Bitnami Magento 2.3.1 Helm charts, containers, installers, virtual machines, and cloud images in order to address these security vulnerabilities. If you already have Bitnami Magento running on any of these platforms, you can upgrade the application by following our documentation.
Users launching Bitnami Magento via a cloud provider's marketplace are advised to select version 2.3.1, once it is published. Installations based on previous versions will need to be upgraded as described above.
If you have additional questions about Bitnami Magento, post them in our community forum, and we will be happy to help you.
A new Drupal version was released recently to address a security issue. Under certain circumstances, the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. You can find more information at SA-CORE-2019-004.
For new application deployments, including those performed through the Bitnami Launchpad, we have released Drupal 8.6.13 and 7.65 for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. We also updated the Drupal-based solutions (CiviCRM and OpenAtrium). If you deploy any of these solutions and they have not yet been updated to the latest version, you will need to follow the upgrade process described in our documentation.
If you have further questions about this security issue, please post to our community forum, where we will be happy to help.
The GitLab project has released a new update that contains several important security fixes. We recommend that all GitLab installations be upgraded immediately to the new version of GitLab (GitLab 11.8.3).
Although the new version is publicly available now, the vulnerability details will not be made public on the GitLab issue tracker for approximately 30 days. The information disclosed to date is as follows:
Project Runner Token Exposed Through Issues Quick Actions. GitLab issues quick actions were vulnerable to an information disclosure issue that disclosed project runner tokens to unauthorized users. The issue is now mitigated in the latest release and is assigned CVE-2019-9866.
More information about this issue can be found in the official blog post.
Bitnami has released a new version of Bitnami GitLab 11.8.3 for both virtual machines and cloud images that fixes this vulnerability.
Do you have questions about Bitnami GitLab or this security issue? Please post them to our community forum. We will be happy to help you.
It is highly recommended that you upgrade Rails to the new patched versions: 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3.
Bitnami is publishing updates which will be available in all formats soon.
For more details about these security issues, please check the information provided in the official Ruby on Rails blog. If you have further questions about Ruby or this security issue, please post to our community forums and we will be happy to help you.
TIBCO JasperReports has recently been updated to fix five security vulnerabilities in the application.
Community Edition versions 7.1.0 and below are affected by four vulnerabilities that allow unauthenticated read access to the contents of the host system and a race-condition vulnerability that may allow any user with domain save privileges to gain superuser privileges. More information about these security issues can be found in the official advisories:
TIBCO has released an updated version of the application which addresses these issues. For new application deployments, including the Bitnami Launchpad, we have released JasperReports 7.1.1 containers, installers, virtual machines, and cloud images that include the security fixes for these vulnerabilities. Users launching Bitnami JasperReports via a cloud marketplace are advised to select version 7.1.1, once it is published.
In case you already have a JasperReports server, use the official documentation to upgrade the application and address these issues.
If you have further questions about this security issue or about Bitnami JasperReports, please post in our community forum. Our support team will be happy to help you there!
Over a five-day period that wrapped up last Friday, Bitnami delivered a fast-paced course about managing cloud-native applications using Docker and Kubernetes. This event has served as a recruiting tool since 2014. Now it is time to evaluate the attendees' projects and identify potential members of the Bitnami team! Read on to find out the highlights of the latest Bitnami Bootcamp.
Why was Kubernetes the main topic of this Bootcamp?
Since 2015, Bitnami has published and maintained a catalog of more than 130 containerized applications and has promoted Kubernetes as the preferred way to manage container workloads in production.
In addition, Bitnami has created or contributed to key projects in the Kubernetes landscape:
Helm: The most popular package manager for Kubernetes. Bitnami is one of its contributors and maintains its own application repository.
Kubeapps: A web-based user interface used to deploy, monitor, upgrade or delete charts on Kubernetes.
Kubeless: A Kubernetes native serverless framework.
Kubecfg: A tool for managing complex enterprise Kubernetes environments as code.
Sealed Secrets: A tool for safely storing and managing Kubernetes secrets in a public repository.
Consistent with this view, last year we decided to move all our projects from dedicated servers to a centralized one that runs several Kubernetes clusters. We embraced the technology we promote to deliver our services and improve our internal operations.
Bitnami Bootcamp is always oriented to the technology that Bitnami is using internally at the time, so it was no surprise that Kubernetes was the centerpiece of this edition.
Bitnami Bootcamps: sharing knowledge and recruiting talent
At Bitnami, we continuously share our knowledge by contributing to numerous Kubernetes projects and by attending and speaking at prominent events such as KubeCon and Docker Summit. You can visit our Newsroom to see all the events that Bitnami has participated in.
We are very happy with the success of this edition: we received more than 50 applications, interviewed almost all candidates, and 16 were selected to participate. Their profile was a mixture of recent graduates and engineers with more than five years of experience working in software companies.
For their part, the bootcampers had to deliver four assessments and one final project. Once evaluated, we will be able to select the most skilled engineers to hire. We are currently in the evaluation process, so stay tuned: the Bitnami team is about to grow!
5th Edition Bitnami Bootcamp attendees
Bootcamps are a good way to find new candidates, but not the only way that Bitnami recruits talent. If you are interested in joining a diverse and globally distributed team, check out our open positions and apply!