Direct links

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714

Mitigation:

As a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable
processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files. Simply
add the following lines:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

within the policy map stanza:

<policymap>
...
</policymap>

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Alice Wonder" <al...@domblogger.net>
> To: "CentOS mailing list" <centos@centos.org>
> Sent: Tuesday, 3 May, 2016 22:29:19
> Subject: [CentOS] ImageMagick security alert

> https://imagetragick.com/
> 
> As CentOS is often used for web servers, I thought this should be posted
> here.
> 
> Bug in ImageMagick allows remote exploit.
> 
> AFAIK no patch exists yet but defense against the exploit is detailed at
> the link.
> 
> CVE-2016-3714
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
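
Added example, not part of the original messages: a small Python check that the four coder entries from the workaround above are really in effect inside the <policymap> stanza, so commented-out lines or lines pasted outside the stanza are reported. The function name, the constructed sample policy and the use of fnmatch as a stand-in for ImageMagick's own pattern matching are assumptions of this example.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders named in the workaround above.
REQUIRED = ("EPHEMERAL", "HTTPS", "MVG", "MSL")

# Constructed sample: one entry applied, one commented out, one with the wrong rights.
SAMPLE_PARTIAL = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <!-- <policy domain="coder" rights="none" pattern="HTTPS" /> -->
  <policy domain="coder" rights="read" pattern="MVG" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


def unblocked_coders(policy_xml, required=REQUIRED):
    """Return the required coders that no rights="none" coder policy covers.

    Only <policy> elements directly under the <policymap> root count.
    A file that does not parse as XML is treated as unverified.
    """
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return list(required)
    if root.tag != "policymap":
        return list(required)
    denied = [
        p.get("pattern", "").upper()
        for p in root.findall("policy")
        if p.get("domain", "").lower() == "coder"
        and p.get("rights", "").strip().lower() == "none"
    ]
    # fnmatch stands in for ImageMagick's own glob matching (assumption).
    return [c for c in required
            if not any(fnmatch.fnmatchcase(c, pat) for pat in denied)]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ImageMagick/policy.xml"
    with open(path, "rb") as fh:
        missing = unblocked_coders(fh.read())
    print("still enabled:", ", ".join(missing) if missing else "none")
    sys.exit(1 if missing else 0)
```

Run against the live file, it exits non-zero while any of the four coders is still enabled. It does not model how ImageMagick resolves several policies that match the same coder.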