On 05/04/2016 08:15 AM, John Hodrien wrote:
> On Wed, 4 May 2016, Nux! wrote:
>
>> Direct links
>>
>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>>
>> Mitigation:
>>
>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable
>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply
>> add the following lines:
>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>> <policy domain="coder" rights="none" pattern="HTTPS" />
>> <policy domain="coder" rights="none" pattern="MVG" />
>> <policy domain="coder" rights="none" pattern="MSL" />
>>
>> within the policy map stanza:
>>
>> <policymap>
>> ...
>> </policymap>
>
> This has been extended to:
>
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> <policy domain="coder" rights="none" pattern="HTTPS" />
> <policy domain="coder" rights="none" pattern="HTTP" />
> <policy domain="coder" rights="none" pattern="URL" />
> <policy domain="coder" rights="none" pattern="FTP" />
> <policy domain="coder" rights="none" pattern="MVG" />
> <policy domain="coder" rights="none" pattern="MSL" />
>
> Policy support not in EL5 AFAIK.

Here is a workaround for el5, el6, and el7:

https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3
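As an added example (not part of the thread or of ImageMagick itself), a small Python check that parses a policy.xml and reports which of the coder denials from the extended list above are missing. The two policy documents embedded below are constructed samples; the file path on the command line is whatever you pass in.

```python
# Added example: report which coder denials from the thread a policy.xml lacks.
import sys
import xml.etree.ElementTree as ET

# Coder patterns the extended list in the thread denies (rights="none").
REQUIRED_DENIALS = ("EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL")


def denied_coders(policy_xml):
    """Return the set of coder patterns to which policy_xml grants no rights."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            denied.add(pol.get("pattern", "").upper())
    return denied


def missing_denials(policy_xml, required=REQUIRED_DENIALS):
    """List the required coder patterns that policy_xml does not deny, in order."""
    present = denied_coders(policy_xml)
    return [p for p in required if p not in present]


# Constructed sample: only the original four-entry workaround has been applied.
SAMPLE_PARTIAL = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# Constructed sample: the full extended list, generated from REQUIRED_DENIALS.
SAMPLE_FULL = "<policymap>\n" + "".join(
    '  <policy domain="coder" rights="none" pattern="%s" />\n' % p
    for p in REQUIRED_DENIALS) + "</policymap>"

if __name__ == "__main__":
    # Check a real file if a path is given, otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            docs = [(sys.argv[1], fh.read())]
    else:
        docs = [("partial sample", SAMPLE_PARTIAL), ("full sample", SAMPLE_FULL)]
    for name, doc in docs:
        gaps = missing_denials(doc)
        print("%s: missing denials: %s" % (name, ", ".join(gaps) or "none"))
```

Point it at the policy file the thread names (/etc/ImageMagick/policy.xml) to check a real install; an empty "missing" list means every pattern in the extended list is denied.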