[CentOS] ImageMagick security alert
Johnny Hughes
johnny at centos.org
Sat May 7 00:02:07 UTC 2016
On 05/04/2016 08:15 AM, John Hodrien wrote:
> On Wed, 4 May 2016, Nux! wrote:
>
>> Direct links
>>
>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>>
>> Mitigation:
>>
>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to
>> disable
>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image
>> files, simply
>> add the following lines:
>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>> <policy domain="coder" rights="none" pattern="HTTPS" />
>> <policy domain="coder" rights="none" pattern="MVG" />
>> <policy domain="coder" rights="none" pattern="MSL" />
>>
>> within the policy map stanza:
>>
>> <policymap>
>> ...
>> </policymap>
>
> This has been extended to:
>
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> <policy domain="coder" rights="none" pattern="HTTPS" />
> <policy domain="coder" rights="none" pattern="HTTP" />
> <policy domain="coder" rights="none" pattern="URL" />
> <policy domain="coder" rights="none" pattern="FTP" />
> <policy domain="coder" rights="none" pattern="MVG" />
> <policy domain="coder" rights="none" pattern="MSL" />
>
> Policy support not in EL5 AFAIK.
Here is a workaround for el5, el6, and el7:
https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20160506/db500b68/attachment.sig>
More information about the CentOS
mailing list