Tuesday, December 20, 2016

Joomla! 3.6.5 Security Release (CVE-2016-9838)

The Joomla! project has just released a new version that fixes three security vulnerabilities.

This is a security release for the 3.x series and it only contains the security fixes, no other changes have been made. It is strongly suggested that you update your Joomla! website to the latest version.

You can find more info about these issues at the Joomla! release news page.

We have released Bitnami Joomla! 3.6.5 Docker image, cloud images, installers and virtual machines that fix these issues.

Do you already have a Joomla! installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Joomla! or this security issue, please post to our community forum, and we would be happy to help you.

Friday, December 9, 2016

WordPress 4.7 “Vaughan” ‒ Now Available from Bitnami

Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is now available from Bitnami. If you are already using a Bitnami WordPress image, you can simply upgrade your version from your WordPress admin panel.

Not familiar with Bitnami WordPress? In short, it is the easiest way to install your own WordPress instance. We've packaged WordPress as a self-contained and incredibly fast distribution that is simple to deploy. To get started with Bitnami WordPress, you can download our ready-to-run installers for Linux, Windows and Mac OS X, or our virtual machine images (VMs) and container for the application. If you want a hosted WordPress application, you can deploy Bitnami Wordpress into the cloud with one of our several cloud partners.

What's new in WordPress 4.7?

There are a significant number of new features in this WordPress version, including:

  • Twenty Seventeen theme: This yearly update of WordPress's native theme focuses on business sites and features a customizable front page with multiple sections. 
  • New additions to the application appearance customizer that take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.
  • New tools to manage your document collection; uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.
  • REST API endpoints for posts, comments, terms, users, meta, and settings.

Get started with a new WordPress application easily by deploying a Bitnami WordPress stack. If you have questions about Bitnami WordPress, please post to our community forum, and we will be happy to help you.

Tuesday, December 6, 2016

Security Release: GitLab 8.14.3 (CVE-2016-9469)

The GitLab project released a new update that contains an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to the latest version immediately.

We released new versions of the Bitnami GitLab 8.14.3 installers, virtual machines and cloud images that fix this security issue. Further details regarding the security issue are explained below:

Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

This issue is the result of unsanitized user input being passed to an internal function that expects only trusted data. This code was introduced in GitLab 8.13.0.

More information about the issue can be found in the official blog post.
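To make the vulnerability class concrete, the following is an added Ruby example (not GitLab's code) that contrasts the two shapes of the by_state method. It uses a constructed in-memory IssueRelation class standing in for an ActiveRecord scope; the scope names opened and closed and the destructive delete_all method are assumptions chosen to mirror a real relation, and the by_state_vulnerable and by_state_fixed helpers are hypothetical names for the 8.13.x and 8.14.3 shapes respectively.

```ruby
# Added example (not GitLab's code): a toy in-memory "relation" standing in for
# an ActiveRecord scope, used to contrast dynamic dispatch on a user-supplied
# state value with an explicit allowlist of accepted states.
class IssueRelation
  attr_reader :rows

  def initialize(rows)
    @rows = rows
  end

  # Scopes a caller legitimately expects to be selectable via ?state=
  def opened
    IssueRelation.new(rows.select { |r| r[:state] == 'opened' })
  end

  def closed
    IssueRelation.new(rows.select { |r| r[:state] == 'closed' })
  end

  # A public method that must never be reachable from request parameters.
  # It mutates the backing store, like delete_all on a real relation
  # (constructed for this example).
  def delete_all
    rows.clear
    self
  end
end

# Vulnerable shape: whatever public method name arrives in params[:state]
# is invoked on the relation, so the request chooses the method.
def by_state_vulnerable(items, params)
  params[:state] ||= 'all'
  if items.respond_to?(params[:state])
    items.public_send(params[:state])
  else
    items
  end
end

# Fixed shape: only known state names map to scopes; anything else,
# including nil and 'all', returns the relation unchanged.
def by_state_fixed(items, params)
  case params[:state].to_s
  when 'closed' then items.closed
  when 'opened' then items.opened
  else items
  end
end

# Constructed sample data.
def sample_issues
  IssueRelation.new([
    { id: 1, state: 'opened' },
    { id: 2, state: 'closed' },
    { id: 3, state: 'opened' }
  ])
end

# Runs both shapes on the same state value and reports how many rows survive
# in each backing store, which exposes any mutation caused by the lookup.
def compare(state)
  vuln_items = sample_issues
  by_state_vulnerable(vuln_items, { state: state })
  fixed_items = sample_issues
  by_state_fixed(fixed_items, { state: state })
  { vulnerable_remaining: vuln_items.rows.size, fixed_remaining: fixed_items.rows.size }
end

if __FILE__ == $PROGRAM_NAME
  puts compare('closed').inspect     # both keep all 3 rows; closed is a normal scope
  puts compare('delete_all').inspect # vulnerable store is emptied, fixed store is intact
end
```

The allowlist is what matters: respond_to? only checks that a method exists, not that it is safe to expose, so it cannot substitute for naming the accepted values explicitly.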

Workarounds


If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade.

Securing via web server configuration

  • Add the following text at the end of GitLab's httpd-app.conf file
     RewriteEngine On
     RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]
     RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]
     RewriteRule ^(.*)$ - [F,L]

  • Restart Apache
           sudo /opt/bitnami/ctlscript.sh restart apache


Securing via patch

  • Create a patch file in /opt/bitnami/apps/gitlab/htdocs containing the diff below
  • Apply the patch
     diff --git a/app/finders/issuable_finder.rb                          b/app/finders/issuable_finder.rb
     index e42d5af..2c9412b 100644
     --- a/app/finders/issuable_finder.rb
     +++ b/app/finders/issuable_finder.rb
     @@ -7,7 +7,7 @@
      #   current_user - which user use
      #   params:
      #     scope: 'created-by-me' or 'assigned-to-me' or 'all'
     -#     state: 'open' or 'closed' or 'all'
     +#     state: 'opened' or 'closed' or 'all'
      #     group_id: integer 
      #     project_id: integer
      #     milestone_title: string
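Review bot: The comment now documents 'opened' instead of 'open', which matches the `when 'opened'` branch in by_state, but it still omits 'merged', which the new case statement also accepts for merge requests; suggest `#     state: 'opened' or 'closed' or 'merged' or 'all'` so the documented values match the allowlist exactly.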
     @@ -183,10 +183,13 @@ class IssuableFinder
          end
          def by_state(items)
     -      params[:state] ||= 'all'
     -
     -      if items.respond_to?(params[:state])
     -        items.public_send(params[:state])
     +      case params[:state].to_s
     +      when 'closed'
     +        items.closed
     +      when 'merged'
     +        items.respond_to?(:merged) ? items.merged : items.closed
     +      when 'opened'
     +        items.opened
            else
              items
            end
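Review bot: Replacing `items.respond_to?(params[:state])` / `items.public_send(params[:state])` with an explicit case on `params[:state].to_s` is the right fix, since the old code let the request's state parameter name any public method on the relation, which is what the web server rule above can only block by pattern. One thing to check: the `params[:state] ||= 'all'` default is dropped, so any code further down that reads `params[:state]` will now see nil rather than 'all'; either confirm nothing depends on it or keep the default assignment above the case. Also note that unrecognised values now silently fall through to `else items`, which is why the verification step below reports no 403 when only the patch is applied.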


Verifying the workaround

  • Open your GitLab project
  • Open the project's issue tracker
  • Choose the "closed" tab
  • Change the "state" parameter in your browser's address bar to "deleteme"
  • Verify you receive a 403 Forbidden error

Note: if you applied only the patch, you will not receive a 403 here; the patched code ignores the unrecognised state and shows the unfiltered list instead.

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum and we will be happy to help you.