On Wed, 4 May 2016, Nux! wrote:
> Direct links
>
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>
> Mitigation:
>
> As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable
> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply
> add the following lines:
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> <policy domain="coder" rights="none" pattern="HTTPS" />
> <policy domain="coder" rights="none" pattern="MVG" />
> <policy domain="coder" rights="none" pattern="MSL" />
>
> within the policy map stanza:
>
> <policymap>
> ...
> </policymap>

This has been extended to:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

Policy support not in EL5 AFAIK.

jh

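Added example, not part of the original message and not ImageMagick's own code: a Python check that parses a policy.xml and reports which coders from the extended list above are not disabled. It assumes exact pattern names compared case-insensitively (no glob patterns) and treats a coder with conflicting entries as not disabled; the function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Coders from the extended mitigation list in the message above.
REQUIRED = ("EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL")

def missing_coder_blocks(policy_xml, required=REQUIRED):
    """Return the required coders that the given policy.xml text does not disable."""
    root = ET.fromstring(policy_xml)  # XML comments are dropped by the parser
    if root.tag != "policymap":
        raise ValueError("expected <policymap> root, got <%s>" % root.tag)
    rights_seen = {}  # coder name -> set of rights values found for it
    for pol in root.iter("policy"):
        if pol.get("domain", "").strip().lower() != "coder":
            continue
        name = pol.get("pattern", "").strip().upper()
        rights_seen.setdefault(name, set()).add(pol.get("rights", "").strip().lower())
    # Conservative (assumption): evaluation order is not modelled, so a coder
    # counts as disabled only if every entry found for it says rights="none".
    return [c for c in required if rights_seen.get(c) != {"none"}]

# Constructed sample: only the original four entries are active; the HTTP
# entry sits inside a comment, which a plain text search would wrongly count.
SAMPLE_PARTIAL = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="HTTP" /> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# Constructed sample: the full extended list.
SAMPLE_FULL = "<policymap>\n" + "".join(
    '  <policy domain="coder" rights="none" pattern="%s" />\n' % c for c in REQUIRED
) + "</policymap>"

if __name__ == "__main__":
    import sys
    # Path from the thread; pass another path as the first argument if needed.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ImageMagick/policy.xml"
    with open(path, encoding="utf-8") as fh:
        missing = missing_coder_blocks(fh.read())
    print("not disabled:", ", ".join(missing) if missing else "none")
    sys.exit(1 if missing else 0)
```
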
On 05/04/2016 08:15 AM, John Hodrien wrote:
> On Wed, 4 May 2016, Nux! wrote:
>
>> Direct links
>>
>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>>
>> Mitigation:
>>
>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable
>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply
>> add the following lines:
>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>> <policy domain="coder" rights="none" pattern="HTTPS" />
>> <policy domain="coder" rights="none" pattern="MVG" />
>> <policy domain="coder" rights="none" pattern="MSL" />
>>
>> within the policy map stanza:
>>
>> <policymap>
>> ...
>> </policymap>
>
> This has been extended to:
>
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> <policy domain="coder" rights="none" pattern="HTTPS" />
> <policy domain="coder" rights="none" pattern="HTTP" />
> <policy domain="coder" rights="none" pattern="URL" />
> <policy domain="coder" rights="none" pattern="FTP" />
> <policy domain="coder" rights="none" pattern="MVG" />
> <policy domain="coder" rights="none" pattern="MSL" />
>
> Policy support not in EL5 AFAIK.

Here is a workaround for el5, el6, and el7:

https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3

On 05/06/2016 07:02 PM, Johnny Hughes wrote:
> On 05/04/2016 08:15 AM, John Hodrien wrote:
>> On Wed, 4 May 2016, Nux! wrote:
>>
>>> Direct links
>>>
>>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>>>
>>> Mitigation:
>>>
>>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable
>>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply
>>> add the following lines:
>>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>>> <policy domain="coder" rights="none" pattern="HTTPS" />
>>> <policy domain="coder" rights="none" pattern="MVG" />
>>> <policy domain="coder" rights="none" pattern="MSL" />
>>>
>>> within the policy map stanza:
>>>
>>> <policymap>
>>> ...
>>> </policymap>
>>
>> This has been extended to:
>>
>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>> <policy domain="coder" rights="none" pattern="HTTPS" />
>> <policy domain="coder" rights="none" pattern="HTTP" />
>> <policy domain="coder" rights="none" pattern="URL" />
>> <policy domain="coder" rights="none" pattern="FTP" />
>> <policy domain="coder" rights="none" pattern="MVG" />
>> <policy domain="coder" rights="none" pattern="MSL" />
>>
>> Policy support not in EL5 AFAIK.
>
> Here is a workaround for el5, el6, and el7:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3

And more info here:

https://access.redhat.com/security/vulnerabilities/2296071

If you are using CentOS-5 .. make SURE you do the fix, they say they are NOT issuing a fix for it (see the "Resolve" tag in the link).