Showing posts with label git. Show all posts

Tuesday, October 9, 2018

Arbitrary Code Execution Vulnerability in Git CVE-2018-17456

A new security vulnerability has been disclosed. All Git versions prior to 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1 and 2.19.1 are affected.

The CVE-2018-17456 vulnerability allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with the flag --recurse-submodules:

When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess.  If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option.  This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".


Our team is working on updating all the affected solutions available in the Bitnami catalog. That way, all new installations and cloud launches will use a fixed Git version. If you have a running application that uses Git, you will need to migrate the content of your deployment to a secured one.

If you have installed Git using the system packages, please update the component when the new package is available for your operating system.

If you have any questions about the security issue or you need support to migrate your data, please post to our community support forum and we will be happy to help!

Wednesday, August 1, 2018

Announcing New Stacksmith Features - Git Repository Support, Customized Deployment Templates, and CLI beta

Since launching Stacksmith this spring, we have been busy collecting feedback from our early enterprise customers in order to prioritize new feature developments appropriately. One of the consistent pieces of feedback we heard, whether they’re using Stacksmith to move-and-improve existing applications to the cloud, or upgrading their software delivery pipeline for containerization, has been the need for Stacksmith to work seamlessly with existing systems, tools, and workflows. We’re happy to announce several new features now available to address these requests. Here is a brief overview of the most important improvements.

Oh, and if you are interested in getting a personalized walkthrough of these new features and / or Stacksmith in general, please email our Customer Success team at customersuccess@bitnami.com and we will be happy to set up some time with you.

Integration with Git repositories

Developers typically use a version control system as a 'source of truth' for their application code, and GitOps encourages operations, security, and support teams to follow similar practices. Now, Stacksmith aligns with this best practice via its support for Git repositories. This new feature enables application runtime configurations and app customization scripts to be stored and tracked from a Git repository.

This means you no longer need to upload your build and configuration scripts manually to Stacksmith. You can now simply place them in your repository, provide the repository URL to Stacksmith, and Stacksmith will fetch them from there.

To make things even easier, Stacksmith continuously monitors your repository, and will show when and what changes have been made.


For example, if you need to make an OS configuration change, add new application dependencies, or modify your boot logic for your application, all you need to do now is update the script and check it in to Github.

This new feature is another great example of how Stacksmith makes it easy to keep your applications up to date and secure while further automating your code-to-cloud pipeline!

Stacksmith currently supports public Git repositories with this feature. If you would like to connect to a private repository that requires authentication, please contact us at customersuccess@bitnami.com.

Customizable deployment templates

The Stacksmith packaging process produces not only a VM or container image, but also the deployment template you will need to deploy your image on your target platform. Stack templates are the place in Stacksmith where the policies that will end up in the deployment template are defined.

Stacksmith provides a set of default stack templates that cover most common scenarios, but some companies want the ability to customize these templates to their specific requirements. Now you can.

The Stacksmith administrator can now create customized stack templates, and make them available for others to use in the packaging process.


This gives the operations team a tremendous amount of flexibility in defining what the final deployment template will include. For example, it lets them add extra options at deploy time, define additional services like load balancing for the application, establish that the application should be exposed on a public IP, specify that a specific database type should be used, or pass additional configuration definition across to the application.

This new feature enables your operations team to further ensure your specific policies and best practices are included in the application packaging process.

Stacksmith CLI - In Beta

We’ve released an important improvement to the Stacksmith API in the form of a documented CLI. These tools are designed to make it easy to link Stacksmith to an existing CI system such as Jenkins, TeamCity or CircleCI, and enable teams to get deployable artifacts whenever a change in their application code is landed.

In combination with the release of the CLI, we are also implementing support for long-lasting authentication tokens. Combined, these improvements enable you to embed and automate Stacksmith's processes into your existing pipeline. Using this CLI, you can enable automatic application rebuilds when dependencies or application code are changed.

You can find this CLI, along with documentation and a sample integration, at https://github.com/bitnami/stacksmith-cli. We’re releasing the CLI in beta form at this point so we can better understand your use-cases and integration challenges. Issues and PRs are welcome on Github!

Try out these new features on Stacksmith today, or reach out to our customer success team at customersuccess@bitnami.com for a customized walkthrough.

Wednesday, May 30, 2018

Arbitrary Code Execution Vulnerability in Git

A new security vulnerability has been disclosed. All Git versions prior to 2.13.7, 2.14.4, 2.15.2, 2.16.4 and 2.17.1 are affected.

This security vulnerability can lead to arbitrary code execution when a user operates in a malicious repository.

With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules": submodule "names" are read from this file and appended to $GIT_DIR/modules, so a name containing "../" leads to directory traversal. Post-checkout hooks from the submodule are then executed, bypassing the intended design in which hooks are never obtained from a remote server.
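As an added example (not part of the original posts and not Bitnami's or Git's own code), the following Python script checks a .gitmodules file for both conditions described in the two Git advisories on this page: a URL beginning with a dash, and a submodule name with ".." as a path component. The name rule approximates the check Git added in its fix, and the sample .gitmodules is constructed for the example.

```python
"""Scan a .gitmodules file for the two submodule defects described above.

Added example, not Bitnami's or Git's own code. Flags a url beginning with
'-' (parsed as an option by the 'git clone' subprocess, CVE-2018-17456) and
a submodule name with a '..' component (traversal under $GIT_DIR/modules, the
May 2018 issue). The name rule approximates Git's fix; sample is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one benign submodule and one entry per defect.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.org/libfoo.git
[submodule "../../../.git/hooks"]
\tpath = evil
\turl = https://example.org/hooks.git
[submodule "opt"]
\tpath = opt
\turl = --not-a-url
"""

SECTION_RE = re.compile(r'^\[submodule "(.+)"\]$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the git-config style of .gitmodules (hand-written
    because configparser treats git's tab-indented keys as continuations)."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = entries.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return entries


def suspicious_name(name: str) -> bool:
    """True when the name is empty or has '..' as a path component; both '/'
    and backslash count as separators so the rule is platform independent."""
    if not name:
        return True
    return any(part == ".." for part in re.split(r"[/\\]", name))


def scan_gitmodules(text: str) -> List[Tuple[str, str]]:
    """Return (submodule name, reason) pairs for every flagged entry."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        if suspicious_name(name):
            findings.append((name, "name allows directory traversal"))
        if keys.get("url", "").startswith("-"):
            findings.append((name, "url would be parsed as an option"))
    return findings


if __name__ == "__main__":
    for name, reason in scan_gitmodules(SAMPLE_GITMODULES):
        print(f'submodule "{name}": {reason}')
```

Run it against a checked-out superproject's .gitmodules before cloning with --recurse-submodules on an unpatched client; a clean result is not a substitute for upgrading Git.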

Our team is working on updating the affected solutions available through Bitnami. This will ensure that all new installations and launches will be secured against these issues. If you have a running application with Git, you will need to migrate the content of your deployment to a secured one.

In case you have installed Git using the system packages, please update the component when the new package is available for your operating system.

If you have any questions about the security issue or how to migrate your data, please post to our community support forum and we will be happy to help!

Wednesday, December 3, 2014

Welcome Phabricator to the Bitnami Library!

Phabricator is now available in the Bitnami Application Library!

Phabricator is an application platform that helps software companies build better software. It is a great application that can be used by your whole team, regardless of their level of technical knowledge. We use this application internally to coordinate all of our development efforts and are very happy with the way it has helped us to streamline our internal communications and task tracking. And we're in good company - Facebook, Dropbox, Groupon, Cisco, Khan Academy and many others use Phabricator as well.

We love Phabricator because it provides cohesive, tightly integrated applications for code review, repository hosting, bug tracking, design review, project management, and organizational communication.

Bitnami offers a simple and fast setup process for Phabricator, which allows you to focus on your testing and evaluation of the application itself. In just a few clicks, you can try Bitnami Phabricator Installers (available for Linux and Mac OS X), Virtual Machine images (VMs), and cloud images for Amazon EC2, Azure and Google Cloud Platform.

Tuesday, May 13, 2014

How to run GitLab, an open source git management server, in Azure

Git is behind much of the software that's eating the world. Thanks to GitHub, open source projects have proliferated with tremendous new participation levels. Now that same transformation that has rejuvenated open source collaboration is making its way into the enterprise, and many organizations have standardized on GitLab.

The GitLab open source edition, available from Bitnami, allows users to collaborate on code, create new projects, manage repositories, and perform code reviews. Using GitLab, users can keep their code on their own servers, either in the cloud or on-premise. For additional peace of mind, the free community edition even features enterprise-grade features such as a mature user permissions scheme and support for high availability.

Bitnami GitLab is an easy-to-deploy version of GitLab that can be set up in minutes on a local machine, as a VM, or in the cloud. Check out our 2-minute video to see just how easy it is to get GitLab running in the Microsoft Azure cloud.


You can launch a server in your own Azure account, or just try a free 1-hour demo of GitLab. Microsoft offers $200 free credit for one month to try Azure, which is more than enough dough to try GitLab and many other apps.

Tuesday, November 26, 2013

Gitorious 3.0 released!

http://bitnami.com/stack/gitorious

We are happy to announce a new major release for Gitorious, version 3.0.

Gitorious provides an open source infrastructure for hosting projects that use Git. It also supports projects with wikis, a web interface for merge requests and code reviews and activity timelines for projects and developers.

BitNami Gitorious Stack provides a one-click install solution for Gitorious. You can download installers and virtual machines or run your own Gitorious server in the Amazon EC2 or Azure clouds. You can also now launch a free cloud demo server with the Bitnami Cloud Launchpad by clicking the launch button below.



The recently released 3.0 version ships a refreshed UI, a lot of improvements, and new features. The new repository browser comes with an improved syntax highlighter, the ability to select lines of code and friendlier navigation. It also has a nicer Dashboard, an improved merge request page and a new settings section.


Project Activities
Diff page

The service hooks feature was extended with the support for built-in integrations for external services.

Web hooks



In addition to that, Gitorious 3.0 now uses Ruby 1.9.3 and Rails 3.2.15, and all 3rd-party gem dependencies have been updated to the latest versions.

Gitorious is developed by Gitorious AS, which also provides commercial prepackaged versions of Gitorious as well as managed servers and professional consulting services. Make sure to check them out if you need commercial support for Gitorious.

Wednesday, October 23, 2013

Start testing and contributing to Drupal 8

We are happy to announce a new package for Drupal 8 that includes Git. Now it is even easier to sync Drupal code with the official repository and start testing your Drupal-based applications.

In case you are not familiar with BitNami Drupal, it is a self-contained, easy to use distribution that makes it simple to get started developing and deploying Drupal applications. To get started with BitNami Drupal, you can download free, ready-to-run installers for Linux, Windows and Mac OS X, virtual machine images (VMs) and cloud images for the Amazon and Azure clouds.

BitNami Drupal installer

Before you start using Drupal, we suggest updating the code to get the latest changes. Go to the installation directory and start the "use_drupal" console. This console is a script that loads the environment variables and paths required to make your Drupal installation work. It is useful to run it before using any of the commands included in the stack: mysql, php, drush and git among others.

Git allows you to upgrade your Drupal installation to work with the latest 8.x version. It is already configured with git autocompletion so using the Tab key you can see suggested options. The repository was also configured following the official recommendations from the Drupal project.

Drupal console
Drupal 8 dashboard

We encourage you to try this new version of Drupal and start testing the latest improvements. Try Drupal 8 now with BitNami Drupal!


Thursday, August 22, 2013

GitLab 6.0 released!

We are glad to announce a new major release for GitLab, GitLab 6.0. GitLab is a popular open source application for git repository management through a nice, easy-to-use web interface. Think of it as a version of GitHub that you can host on your own servers. If you are not familiar with GitLab, you can take a quick look by launching a free cloud demo server with the BitNami Cloud Launchpad (it only takes a minute and it is completely free).



In this version the GitLab team has introduced group membership as a replacement for teams, improving how project permissions are handled when modifying group members. For a full list of improvements and fixes, take a look at the changelog in their GitHub repository.




BitNami GitLab provides one-click installation solutions for GitLab with GitLab CI, an open-source continuous integration server closely integrated with Git and GitLab. We have just released a new version upgrading GitLab to 6.0 and GitLab CI to its latest version, 3.1.0. Since GitLab no longer supports using a URL prefix like /gitlab, this version of BitNami GitLab configures it in / by default.

You can download free, ready to run native installers for Linux, virtual machines and Azure and Amazon EC2 cloud images for BitNami GitLab integrated with GitLab CI.


Wednesday, March 27, 2013

GitLab 5.0 released in BitNami

We are happy to announce that GitLab v5.0 has just been released in BitNami. For those not familiar with this project, GitLab allows you to keep your code secure on your own server, manage repositories, users and access permissions, communicate through issues, line-comments and wiki pages and perform code review with merge requests.

The most important changes in this version are the following:

- GitLab-shell replaces Gitolite
- Instead of needing both gitlab and git user accounts on the system, only the git user is now needed to run GitLab
- The wiki is now stored in a git repository using the gollum library

You can now download the free and ready-to-run native installers for Linux, virtual machines and Windows Azure & Amazon EC2 images.

Monday, November 19, 2012

Weblate now available in BitNami


Weblate is now part of the BitNami library. Weblate is a web-based translation tool with tight Git integration. It features a simple and clean user interface, propagation of translations across subprojects, consistency checks and automatic linking to source files. Weblate is written in Python and powered by the Django application framework.


Weblate lets you handle several projects and languages simultaneously with an easy-to-use and clear interface.

Weblate dashboard

The list of features includes:
  • Easy web-based translation
  • Propagation of translations across sub-projects (for different branches)
  • Tight git integration - every change is represented by a Git commit
  • Usage of Django's admin interface
  • Upload and automatic merging of translation files
  • Links to source files for context
  • Support for machine translation services
  • Message consistency checks
  • Tunable access control
  • Wide range of supported translation formats (Gettext, Qt, Java, Windows, Symbian and more)
You can now download free, ready-to-run native installers for OS X and Linux, with virtual machines and Amazon EC2 images coming soon.

You can find more information about this project on its official website http://weblate.org and in the related documentation at http://weblate.readthedocs.org/en/latest/.

If you want your project to be featured as part of BitNami, you can propose it in our bi-weekly contest.



Friday, September 14, 2012

BitNami Trac v1.0 released, Managing Users now easier

We have just released an updated BitNami Stack for Trac 1.0, the latest stable version of the popular bug tracking system. In the previous release candidate, we added Git support and now we also ship the popular Account Manager plugin.

If you are not familiar with Trac, it is an enhanced wiki and issue tracking system for software development projects. The project’s mission is to help developers write great software while staying out of the way.

The recently added Account Manager plugin offers features for managing user accounts easily:
  • Enable authentication through a number of built-in authentication resources, with more available via 3rd-party extensions
  • Allow users to register new accounts
  • Allow existing users to change their passwords

Account Manager plugin in action

As usual, Trac is now available in the form of ready-to-run installers, virtual machine images (VMs) and Amazon Machine Images (AMIs) for the Amazon Cloud.

Wednesday, September 5, 2012

BitNami Trac now with Git bundled

We have just released the new BitNami Trac Stack 1.0 'Cell' Release (rc1). This version adds Git support among other improvements:

- Refreshed user interface
- Branching structure displayed in the revision log
- Ticket batch modification support

BitNami Trac Stack 1.0rc1 already includes Subversion and now also ships Git and all of the required dependencies, making it easy to get started with either repository type.

Trac project with Git support

It can be deployed using a native installer for Windows, OS X or Linux, as a virtual machine or in the Amazon cloud. Thanks to the Amazon Free Tier, you can try BitNami Trac in the cloud for free for one year with BitNami Cloud Hosting.

Monday, June 18, 2012

New Gitorious Stack

We are happy to announce a new addition to our family, Gitorious. It is a great way of collaborating on distributed open source projects. Gitorious provides an open source infrastructure for hosting projects that use Git. It also supports projects with wikis, a web interface for merge requests and code reviews and activity timelines for projects and developers.


BitNami Gitorious Stack makes setting up Gitorious a simple process, so you can integrate your Git projects easily.

Gitorious sample project
As usual, BitNami Gitorious Stack is now available in the form of ready-to-run installers, virtual machine images (VMs) and Amazon Machine Images (AMIs) for the Amazon Cloud.

If you use the installer, note that Gitorious requires you to specify a hostname to access it from other computers. It is advisable to use a hostname or domain instead of an IP address to avoid issues with different browsers. Note that the Virtual Machine is configured using an IP address by default but you can change it easily:

$ sudo /opt/bitnami/apps/gitorious/updateip --machine_hostname your_hostname

You can find more info in our Wiki.

Gitorious is developed by Gitorious AS, which also provides commercial prepackaged versions of Gitorious as well as managed servers and professional consulting services. Make sure to check them out if you need commercial support for Gitorious.


Tuesday, May 22, 2012

Using Git with the BitNami Jenkins Stack

We are happy to announce that we have released a new version of the BitNami Jenkins Stack. Along with the upgrade to the latest version, we are also including the Git plugin with Jenkins by default. It is now possible to use Jenkins to build git-based projects without installing additional binaries or plugins.

Jenkins can clone git repositories as the source code for building one or more tasks, similar to how it works for CVS and Subversion. With git, it is possible both to have Jenkins check the git repository for changes periodically and to set up a hook that notifies Jenkins about a commit. Setting up Jenkins to poll periodically is easier, so we will use this method in this example. Setting up push notifications is intended for more experienced git and Jenkins users and is described in the "push notification from repository" section of the Jenkins Git Plugin homepage.

To get started, we can create a new task that will use git as its source code repository. The 'Source Code Management' section of new and existing tasks will now allow selecting 'Git' for source code. We can set up local repositories by specifying the directory of the repository as well as remote repositories using the URL in the form of 'ssh://user@remoteserver/repository.git'. Some servers provide read-only access using git protocol - such as GitHub, where it is 'git://github.com/username/repository.git'.



For a simple repository with just the 'master' branch, that will be enough for Jenkins to retrieve the source code and automatically build it.

We can also set up Jenkins to poll the SCM for changes. To do this, simply go to 'Build Triggers' and enable 'Poll SCM'. This causes a text area for providing a schedule to be shown. The format is the same as in 'crontab', so '*/5 * * * *' causes Jenkins to check for changes every 5 minutes.



We should also set up how our application is built. For this example, we can simply create 'script.sh' in our git repository, set its permissions to '0755' and run it from Jenkins to build our application. To do this, go to the 'Build' section of the task, choose 'Execute shell' from the 'Add build step' dropdown and specify the shell script to run:



One very interesting feature of the Jenkins git plugin is that it can be used to build any branch. By default the 'Branch Specifier' is empty, which indicates Jenkins should check all branches for changes. This may be convenient for some branches - such as 'master' being the current version and 'legacy' being the previous version, which is still being maintained. If more than one branch is modified, Jenkins runs multiple builds for the task - one for each branch.

However, in many cases not all branches should be built whenever a change occurs. To build only the two branches above, we can set two branch specifiers as follows:



With this setup, whenever a change is pushed to the 'master' or 'legacy' branch, that branch is automatically built once Jenkins fetches the changes and detects the update.