The OpenSSL Padding Oracle vulnerability (CVE-2016-2107) is present in the latest Google Cloud Bitnami Django Stack release. We've updated OpenSSL on the system itself; however, it appears Bitnami bundles OpenSSL.
When will a new stack be released? Can we update somehow in the meantime?
The security page on the wiki's last update was about the ImageTragick vulnerability, CVE-2016-3714. Any guidance is much appreciated. Thanks.
I've confirmed the vulnerability by checking my domain using the Bitnami Django Stack with https://filippo.io/CVE-2016-2107/ as well as the SSL Labs standard test.
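The point raised above is that patching the system OpenSSL does not help when the stack ships its own copy. The following is an added example, not part of the thread or Bitnami's own tooling: a POSIX sh check that parses an `openssl version` banner, decides whether it is at or above the releases that fixed CVE-2016-2107 (1.0.1t and 1.0.2h), and reports both the system binary and the bundled one. The path /opt/bitnami/common/bin/openssl is an assumption about the stack layout.

```shell
#!/bin/sh
# Added example (not from the thread). Checks OpenSSL banners against the
# CVE-2016-2107 fix releases: 1.0.1t and 1.0.2h. Branches 1.1.x and later
# were released after the fix and never contained the bug.

# Return 0 if the banner in "$1" (e.g. "OpenSSL 1.0.2g  1 Mar 2016") is
# patched, 1 if it is vulnerable, 2 if "$1" is not an OpenSSL banner.
openssl_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9]*\.[0-9]*\.[0-9]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')   # e.g. 1.0.2
    patch=$(printf '%s' "$ver" | sed 's/^[0-9.]*//') # e.g. g (may be empty)
    case "$base" in
        # Letter releases sort lexically, so a string compare is enough.
        1.0.1) expr "$patch" \> "s" >/dev/null ;;   # 1.0.1t or later
        1.0.2) expr "$patch" \> "g" >/dev/null ;;   # 1.0.2h or later
        1.1.*|[2-9].*) return 0 ;;                  # post-fix branches
        *) return 1 ;;                              # 1.0.0 and older: unsupported, treat as vulnerable
    esac
}

# Report the system OpenSSL and the copy bundled with the stack. The bundled
# one is what the stack's Apache and Python actually link against, so it is
# the one that decides whether the server is exposed.
report() {
    for bin in /usr/bin/openssl /opt/bitnami/common/bin/openssl; do
        [ -x "$bin" ] || continue
        banner=$("$bin" version)
        if openssl_is_patched "$banner"; then state=patched; else state=VULNERABLE; fi
        printf '%-35s %-32s %s\n' "$bin" "$banner" "$state"
    done
}

report
```

To see which libssl a running stack process really loads, `lsof -p <pid> | grep libssl` on the Apache or Python worker confirms whether the /opt/bitnami copy is in use.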
We already published new releases where this vulnerability is fixed. In order to upgrade your stack, could you please follow the steps detailed in this guide?
Is this updated in the Google Cloud Django stack as well? https://bitnami.com/stack/django/cloud/google
Yes, that should be updated as well.
We're using the 1.8.x LTS Bitnami stack of Django. According to the Bitnami Django Stack Changelog it doesn't look like the OpenSSL version was patched in this version.
What can I do? Leaving it vulnerable certainly isn't an option.
In Google Cloud we only have the 1.9.x version available, which fixes the issue.
Hope it helps.
@jsalmeron When will the 1.8.x stack be fixed? How can I upgrade OpenSSL manually if not?
As you can see at https://www.djangoproject.com/weblog/2015/jun/25/roadmap/, this version is supported by Django for quite some time; unfortunately, our code would need a fair amount of testing and development to move to the 1.9.x branch.
@jsalmeron @dgonzalez When will the 1.8.x stack be fixed? If it isn't going to be addressed how can I manually upgrade OpenSSL inside the stack?
Based on my post at https://community.bitnami.com/t/django-stack-google-cloud-openssl-outdated-highly-vulnerable-cve-2016-2107/42834/8?u=brianjking this Django version is supported until 2018 and is obviously labeled LTS for a reason.
We are going to work on fixing it and we will let you know any news about it. Thanks for reporting it.
@jsalmeron @dgonzalez - Thank you, any ETA for when you expect this may be fixed?
We're also going to work on making our codebase function with the 1.9.x Django releases; however, this may take some time that we do not have at the moment.
We believe that by the end of this week it should be released. We will let you know when it is out.
Django 1.8.13-1 has been released, fixing the issue.
@arecio -- Thank you, we've updated to 1.8.13-1 and the vulnerability has been patched. Will the 1.8.x stack from Bitnami continue to receive updates?
Currently we are supporting 1.8.x and 1.9.x. As long as Django 1.10.x is not released as stable, we will continue supporting 1.8.x. After that, we will release Django 1.10.x and continue supporting 1.9.x, but we will stop supporting 1.8.x.