On 05/04/2016 08:15 AM, John Hodrien wrote:
> On Wed, 4 May 2016, Nux! wrote:
>
>> Direct links
>>
>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>>
>> Mitigation:
>>
>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable
>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply
>> add the following lines:
>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>> <policy domain="coder" rights="none" pattern="HTTPS" />
>> <policy domain="coder" rights="none" pattern="MVG" />
>> <policy domain="coder" rights="none" pattern="MSL" />
>>
>> within the policy map stanza:
>>
>> <policymap>
>> ...
>> </policymap>
>
> This has been extended to:
>
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> <policy domain="coder" rights="none" pattern="HTTPS" />
> <policy domain="coder" rights="none" pattern="HTTP" />
> <policy domain="coder" rights="none" pattern="URL" />
> <policy domain="coder" rights="none" pattern="FTP" />
> <policy domain="coder" rights="none" pattern="MVG" />
> <policy domain="coder" rights="none" pattern="MSL" />
>
> Policy support not in EL5 AFAIK.

Here is a workaround for el5, el6, and el7: https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3
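Added example, not part of the thread: a small Python check that parses a policy.xml and reports which of the coders named above (the extended list from John Hodrien's reply) are not yet given rights="none". The policy text embedded below is constructed for the demonstration and is not a file from any real host; the case normalisation of pattern names is an assumption made by this script, not a statement about ImageMagick's own matching.

```python
# Added example: checks a policy.xml for the coder denials named in the thread.
import xml.etree.ElementTree as ET

# Coders the thread says to deny (the extended list from John Hodrien's reply).
COVERED_CODERS = ("EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL")


def denied_coders(policy_xml: str) -> set:
    """Return the coder patterns that policy.xml gives rights="none".

    Only domain="coder" entries count. Patterns are upper-cased so 'mvg' and
    'MVG' compare equal; that normalisation is this script's choice, not a
    statement about how ImageMagick itself matches patterns.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        pattern = policy.get("pattern", "").strip().upper()
        if pattern:
            denied.add(pattern)
    return denied


def missing_denials(policy_xml: str, required=COVERED_CODERS) -> list:
    """List required coders the policy does not deny (a '*' denial covers all)."""
    denied = denied_coders(policy_xml)
    if "*" in denied:
        return []
    return [coder for coder in required if coder not in denied]


# Constructed sample policy.xml: carries only the four entries from the first
# mitigation note, so the three added later should be reported as missing.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""
```

Running `missing_denials` over a host's /etc/ImageMagick/policy.xml (read with `open(...).read()`) gives a quick audit of whether the extended list has been applied.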
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos