Bitnami wp stack uses modsecurity 3.x which is not safe yet

Type: Suggestion

Description:
Hi there,

A few weeks ago we reported a bug on bitnami-docker-wordpress regarding mod security version, after which a fix was issued.
https://github.com/bitnami/bitnami-docker-wordpress/issues/331

When we check the Bitnami WordPress changelog, we can’t find the fix – is it incorporated?

Take care and thanks for the help!
Mickey.

Hi @mickey3,

The changelog you are talking about in the GitHub issue is for the Bitnami WordPress installers only and that’s why the team redirected you to this forum. As @davidg mentioned here, the docker images were updated and you should find modsecurity 2.x in the latest image we released. If you have any other questions regarding the docker image, please continue using GitHub issues to ask the team.

Happy to help!



Hi Jota and thanks for the help!

It was not clear to us if the fix was incorporated already on the image, as we couldn’t find it on the release notes. Anyway, you just answered us, so problem solved.

Take care and thanks again :blush:
Mickey.

Hi Jota,

We have another quick follow-up question – can you please share which version includes the fix? I’m asking since AWS Lightsail runs Bitnami 5.8.2-4 and the fix is not there.

$ ls -l /opt/bitnami/apache/modules/mod_security*
-rwxr-xr-x 1 root root 23200 Oct  7 18:42 /opt/bitnami/apache/modules/mod_security3.so

Note that 5.8.2-4 is not visible on the change log, but I’m assuming it was released after 5.8.2-2.
https://bitnami.com/stack/wordpress/installer/changelog.txt

Thanks for your help on this one!
Mickey.

The changelog file is only for the installers, not for the cloud images.

We have submitted the updated packages to AWS, but they are still in the process of publishing them to the Lightsail platform. To get the latest version of all of our applications for AWS, we suggest that you use our Bitnami Launchpad for AWS. We publish the most up-to-date packages in our launchpad as soon as they are ready.

The launchpad is free to use, so you won’t need to pay for anything except the hosting of the applications.