Date: Thu, 19 May 2016 12:25:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

Without making a commercial pitch for the company I work ... I suspect one aspect of other vendors not fixing this is that there is a very simple/effective/verifiable workaround to prevent exploitation of this, and even with vendor updates I would still suggest using the workaround; after reading the MVG docs it seems too much like Flash to ever be "safe" (also, in a web app world I can't imagine a normal use case for people uploading MVG files).

On Thu, May 19, 2016 at 11:07 AM, Bob Friesenhahn <bfriesen@...ple.dallas.tx.us> wrote:

> I find it very disturbing that there seems to be very little response from
> popular OS distributions to this issue. Most do not appear to have issued
> any package updates to close the shell exploit. Perhaps
> the opinion is that major new versions will be introduced as part of major
> distribution releases and it is ok for users to be exposed to problems for two
> or three years.
>
> As an example Ubuntu 14.04.4 LTS (which is supposed to be getting security
> updates) has not provided ImageMagick or GraphicsMagick package updates in
> 3 years.
>
> Even NetBSD pkgsrc does not appear to have created a new version to
> address the "ImageTragick" issues.
>
> What is the point of security notices and advisories if there is no
> response from the community to provide updates to protect the majority of
> their users (who are using 'stable' releases) from the problems?
>
>
> Bob
> --
> Bob Friesenhahn
> bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
>

--
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
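The "simple/effective/verifiable workaround" Kurt refers to is not spelled out in the thread; the mitigation that was published for ImageTragick is an ImageMagick policy.xml that denies the coders reachable through crafted image files (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT), paired with checking the magic bytes of uploaded files before they reach ImageMagick. The following is an added example written for this page, not code from the thread, from Red Hat or from the ImageMagick project: it parses a policy.xml and reports which of those coders are still enabled, and classifies upload bytes by magic number so that a file that is not one of the raster formats the application expects is rejected before any conversion. The coder list, the two sample policy files and the set of expected upload formats (PNG, JPEG, GIF) are assumptions for illustration.

```python
"""Check the ImageTragick (CVE-2016-3714) policy.xml workaround and validate upload magic bytes.

Added example, not code from the oss-security thread or from ImageMagick itself.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Coders the published ImageTragick mitigation denies (assumed list for this example).
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample: a policy.xml with resource limits but no coder rules (the weak state).
UNHARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# Constructed sample: the same file with the workaround entries added.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>
"""


def denied_coders(policy_xml: str) -> set:
    """Return the subset of RISKY_CODERS that the policy denies.

    A coder counts as denied when a <policy domain="coder"> element carries
    rights="none" and its pattern matches the coder name (plain name or *-glob,
    compared case-insensitively). Brace alternatives such as {URL,HTTPS} are
    not expanded here; that is a simplification of this example.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        pattern = pol.get("pattern", "").upper()
        for coder in RISKY_CODERS:
            if fnmatch.fnmatchcase(coder, pattern):
                denied.add(coder)
    return denied


def missing_coder_denials(policy_xml: str) -> set:
    """Coders from RISKY_CODERS that the policy still leaves enabled (empty set = hardened)."""
    return set(RISKY_CODERS) - denied_coders(policy_xml)


# Magic numbers of the formats an upload endpoint is assumed to accept.
EXPECTED_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def detect_image_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' when data starts with that format's magic bytes, else None.

    The decision ignores the filename extension and client-supplied Content-Type,
    so a text-based format such as MVG is rejected before ImageMagick sees it.
    """
    for name, magics in EXPECTED_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


if __name__ == "__main__":
    for label, policy in (("unhardened", UNHARDENED_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "still enabled:", sorted(missing_coder_denials(policy)) or "none")
    # Constructed upload samples: a PNG header and the opening line of an MVG file.
    print(detect_image_type(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))  # png
    print(detect_image_type(b"push graphic-context\n"))            # None
```

To verify a deployed system rather than a file, the same check can be run over the output of `convert -list policy`, which prints the policy ImageMagick actually loaded; the point of the policy route is that it stays in force even if a later package update reintroduces a coder.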