Re: ImageMagick security alert




Direct links

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714

Mitigation:

As a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files; simply add the following lines:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

within the policy map stanza:

<policymap>
...
</policymap>

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
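As an added example that is not part of the list post, the following POSIX shell script applies the four coder policies from the mitigation above to a policy.xml and checks that they are present. The sample policy file is constructed here and the file path is an assumption (the post names /etc/ImageMagick/policy.xml on CentOS).

```shell
#!/bin/sh
# Added example, not from the list post: apply and verify the policy.xml mitigation.
# POLICY_FILE defaults to a local path (assumption); the post names /etc/ImageMagick/policy.xml.
POLICY_FILE="${POLICY_FILE:-./policy.xml}"
CODERS="EPHEMERAL HTTPS MVG MSL"

# Constructed minimal policy.xml used as sample input (stands in for the stock file).
write_sample_policy() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
EOF
}

# Print the coders from $CODERS that are not yet denied (rights="none"); return 1 if any.
# Attribute order is not assumed: each attribute is matched separately on the same line.
missing_coder_policies() {
  missing=""
  for c in $CODERS; do
    if ! grep 'domain="coder"' "$1" | grep 'rights="none"' | grep -q "pattern=\"$c\""; then
      missing="$missing $c"
    fi
  done
  [ -z "$missing" ] && return 0
  echo "$missing" | sed 's/^ //'
  return 1
}

# Insert deny rules for every missing coder directly after the <policymap> opening tag.
# Re-running is safe: coders that are already denied are skipped.
apply_coder_policies() {
  todo=$(missing_coder_policies "$1") || true
  [ -z "$todo" ] && return 0
  tmp="$1.tmp"
  awk -v coders="$todo" '
    { print }
    /<policymap>/ && !done {
      n = split(coders, c, " ")
      for (i = 1; i <= n; i++)
        printf "  <policy domain=\"coder\" rights=\"none\" pattern=\"%s\" />\n", c[i]
      done = 1
    }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# On a real host, `convert -list policy` shows the policies ImageMagick actually loaded,
# which is the check to run after editing the file.
```

Run `write_sample_policy "$POLICY_FILE"; apply_coder_policies "$POLICY_FILE"; missing_coder_policies "$POLICY_FILE"` to see the edit applied and the check pass on the constructed file.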

----- Original Message -----
> From: "Alice Wonder" <alice@xxxxxxxxxxxxxx>
> To: "CentOS mailing list" <centos@xxxxxxxxxx>
> Sent: Tuesday, 3 May, 2016 22:29:19
> Subject:  ImageMagick security alert

> https://imagetragick.com/
> 
> As CentOS is often used for web servers, I thought this should be posted
> here.
> 
> Bug in ImageMagick allows remote exploit.
> 
> AFAIK no patch exists yet but defense against the exploit is detailed at
> the link.
> 
> CVE-2016-3714
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos