[CentOS] ImageMagick security alert
Nux!
nux at li.nux.ro
Wed May 4 07:24:01 UTC 2016
Direct links
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
Mitigation:
As a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files. Simply add the following lines:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
within the policy map stanza:
<policymap>
...
</policymap>
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Alice Wonder" <alice at domblogger.net>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Tuesday, 3 May, 2016 22:29:19
> Subject: [CentOS] ImageMagick security alert
> https://imagetragick.com/
>
> As CentOS is often used for web servers, I thought this should be posted
> here.
>
> Bug in ImageMagick allows remote exploit.
>
> AFAIK no patch exists yet but defense against the exploit is detailed at
> the link.
>
> CVE-2016-3714
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
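
A check that the workaround quoted in the message above is actually in effect, added here as an example (it is not part of the original message and not ImageMagick's own code): it parses a policy.xml and lists which of the four coders still lack an active rights="none" entry. The function name and the sample policy are constructed for illustration, and patterns are compared as exact names, not as globs.

```python
import sys
import xml.etree.ElementTree as ET

# Coders named in the mitigation quoted in the message above.
REQUIRED_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL")


def missing_coder_blocks(policy_xml, required=REQUIRED_CODERS):
    """Return the required coders that have no active rights="none" policy.

    Hypothetical helper: accepts the policy file content as str or bytes.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("root element is <%s>, expected <policymap>" % root.tag)
    blocked = set()
    # Only <policy> elements directly inside <policymap> are counted.
    # The XML parser drops comments, so a commented-out entry is not counted
    # (a plain text search for the pattern name would be fooled by it).
    for policy in root.findall("policy"):
        if (policy.get("domain", "").lower() == "coder"
                and policy.get("rights", "").lower() == "none"):
            blocked.add(policy.get("pattern", "").upper())
    return [coder for coder in required if coder not in blocked]


# Constructed sample: two entries active, one commented out, one absent.
SAMPLE = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
</policymap>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Read as bytes so the parser honours the file's own encoding.
        with open(sys.argv[1], "rb") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    missing = missing_coder_blocks(content)
    for coder in missing:
        print("no active deny policy for coder %s" % coder)
    sys.exit(1 if missing else 0)
```

Run it with the path to the policy file as the only argument; a non-zero exit status means at least one of the four entries is missing or commented out.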