Friday, November 18, 2016

Security Release: Drupal 7 and 8

The Drupal project released a new update that fixes several security vulnerabilities. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

Information regarding the additional changes is available in the official security advisory. In response to the new Drupal version, we have released updated Bitnami Drupal 7 and 8 installers, virtual machines, and cloud images.

Two notable issues include:

1. Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a third-party website after interacting with the form, thereby exposing the users to potential social engineering attacks.

2. Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
A specially crafted URL can cause a denial of service via the transliterate mechanism.

Our new releases fix the known security issues. There are no new features or non-security related bug fixes in these releases.

If you have questions about Bitnami Drupal or these security issues, please post to our community forum and we will be happy to help you.

Security Release: Jenkins 2.19.3 (CVE-2016-9299)

The Jenkins project has just released a new update that fixes a zero-day vulnerability that allows unauthenticated remote code execution. It is rated critical because it lets unprivileged users execute code.

We released new versions of Bitnami Jenkins 2.19.3 installers, virtual machines and cloud images that fix the security issue.

More information about the issue can be found in the official blog post.

Do you already have a Jenkins installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help.

Thursday, November 3, 2016

Critical Security Release for GitLab (CVE-2016-9086)

The GitLab project released a new update that contains an important security fix for a critical directory traversal vulnerability, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami GitLab 8.13.3 installers, virtual machines and cloud images that fix the security issue.

Directory traversal via "import/export" feature: CVE-2016-9086

Added in GitLab 8.9, the "import/export project" feature of GitLab allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users.

More information about the issue can be found in the official blog post.
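The traversal risk behind this advisory is a project archive whose entries would land outside the directory the import unpacks into. As an added illustration (not GitLab's or Bitnami's code), the following Python check inspects an export archive before anything is extracted; the import root path and the sample archive are constructed for the example.

```python
import io
import posixpath
import tarfile

IMPORT_ROOT = "/srv/import"  # hypothetical directory the archive would be unpacked into


def _escapes(root: str, path: str) -> bool:
    """True if `path`, joined onto `root` and normalised, lands outside `root`."""
    target = posixpath.normpath(posixpath.join(root, path))
    return posixpath.commonpath([root, target]) != root


def find_unsafe_entries(archive: bytes, root: str = IMPORT_ROOT) -> list[tuple[str, str]]:
    """Return (entry name, reason) for every member that must not be extracted."""
    root = posixpath.normpath(root)
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if _escapes(root, m.name):  # covers both "../" components and absolute names
                problems.append((m.name, "entry path escapes the import root"))
            elif m.issym():
                # a symlink target is resolved relative to the link's own directory
                resolved = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes(root, resolved):
                    problems.append((m.name, f"symlink to {m.linkname!r} escapes the import root"))
            elif m.islnk():
                # a hard link target is a path relative to the archive root
                if _escapes(root, m.linkname):
                    problems.append((m.name, f"hard link to {m.linkname!r} escapes the import root"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "device or FIFO entry; not part of a project export"))
    return problems


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate file and three entries that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes = b"", **fields) -> None:
            info = tarfile.TarInfo(name)
            for field, value in fields.items():
                setattr(info, field, value)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("project/README.md", b"# demo project\n")                       # fine
        add("../outside.txt", b"escaped\n")                                  # climbs out of the root
        add("project/link", type=tarfile.SYMTYPE, linkname="../../secret")  # link points outside
        add("/abs/path.txt", b"x\n")                                         # absolute path
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_unsafe_entries(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

Python 3.12's `tarfile` also offers a `filter="data"` option for `extractall()` that enforces comparable rules at extraction time, which is the simpler choice when the Python version allows it.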

Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Disable Project Import/Export via Tape Archive

Log in to your GitLab installation using an administrator account and perform the following:

- Choose "Admin Area"
- Click "Settings"
- Under "Import Sources" disable the "GitLab export" option
- Click Save

Verifying the workaround

- In a browser window, log in as any user
- Click "Projects"
- Click "New Project"
- Enter a project name
- Verify that "GitLab export" does not appear as an import option

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum, and we will be happy to help you.