ImageMagick Security Alert
https://imagetragick.com/
As CentOS is often used for web servers, I thought this should be posted here.
Bug in ImageMagick allows remote exploit.
AFAIK no patch exists yet but defense against the exploit is detailed at the link.
CVE-2016-3714
4 thoughts on - ImageMagick Security Alert
Direct links
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
Mitigation:
As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files; simply add the following lines:
within the policy map stanza:
--
Sent from the Delta quadrant using Borg technology!
Nux!
http://www.nux.ro
----- Original Message -----
This has been extended to:
Policy support not in EL5 AFAIK.
jh
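As an added example that is not part of this thread, here is a small POSIX shell check that reports which of the coders named in the mitigation above (MVG, HTTPS, EPHEMERAL, MSL) still lack a `rights="none"` policy in a given policy.xml. The path you pass and the stock one-element-per-line layout of the file are assumptions; the sample policy file it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: check an ImageMagick policy.xml for the
# coder restrictions described in the mitigation (MVG, HTTPS, EPHEMERAL, MSL).
# Assumes the stock layout of one <policy .../> element per line, with any
# commented-out examples on the same line as their <!--.

# Does policy.xml ($1) carry an active
#   <policy domain="coder" rights="none" pattern="$2" />
# line? Attribute order is ignored; commented-out lines are ignored.
coder_is_disabled() {
    grep -v '<!--' "$1" | grep -i '<policy' | grep -i 'domain="coder"' \
        | grep -i 'rights="none"' | grep -iq "pattern=\"$2\""
}

# Print every coder from the list ($2...; default: the four above) that is
# still enabled in policy.xml ($1). Returns 0 only if all are disabled.
missing_coder_policies() {
    file=$1; shift
    missing=0
    for coder in ${*:-MVG HTTPS EPHEMERAL MSL}; do
        if ! coder_is_disabled "$file" "$coder"; then
            echo "$coder"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample for a stand-alone run: MVG and EPHEMERAL are disabled,
# the MSL line is commented out (so still active), HTTPS is absent.
make_sample_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" pattern="EPHEMERAL" rights="none" />
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
</policymap>
EOF
}

sample=$(mktemp)
make_sample_policy "$sample"
echo "coders still enabled in $sample:"
missing_coder_policies "$sample" || echo "-> policy.xml needs the mitigation"
rm -f "$sample"
```

Run it against the real file with `missing_coder_policies /etc/ImageMagick/policy.xml`; a non-zero exit means at least one listed coder is still enabled.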
Here is a workaround for el5, el6, and el7:
https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3
And more info here:
https://access.redhat.com/security/vulnerabilities/2296071
If you are using CentOS-5 .. make SURE you do the fix, they say they are NOT issuing a fix for it (see the "Resolve" tag in the link).