On 05/06/2016 07:02 PM, Johnny Hughes wrote: > On 05/04/2016 08:15 AM, John Hodrien wrote: >> On Wed, 4 May 2016, Nux! wrote: >> >>> Direct links >>> >>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726 >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714 >>> >>> Mitigation: >>> >>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to >>> disable >>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image >>> files, simply >>> add the following lines: >>> <policy domain="coder" rights="none" pattern="EPHEMERAL" /> >>> <policy domain="coder" rights="none" pattern="HTTPS" /> >>> <policy domain="coder" rights="none" pattern="MVG" /> >>> <policy domain="coder" rights="none" pattern="MSL" /> >>> >>> within the policy map stanza: >>> >>> <policymap> >>> ... >>> </policymap> >> >> This has been extended to: >> >> <policy domain="coder" rights="none" pattern="EPHEMERAL" /> >> <policy domain="coder" rights="none" pattern="HTTPS" /> >> <policy domain="coder" rights="none" pattern="HTTP" /> >> <policy domain="coder" rights="none" pattern="URL" /> >> <policy domain="coder" rights="none" pattern="FTP" /> >> <policy domain="coder" rights="none" pattern="MVG" /> >> <policy domain="coder" rights="none" pattern="MSL" /> >> >> Policy support not in EL5 AFAIK. > > Here is a workaround for el5, el6, and el7: > > https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3 And more info here: https://access.redhat.com/security/vulnerabilities/2296071 If you are using CentOS-5 .. make SURE you do the fix, they say the are NOT issuing a fix for it (see the "Resolve" tag in the link). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160506/fefec3a0/attachment-0005.sig>