Date: Thu, 19 May 2016 12:25:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

Without making a commercial pitch for the company I work ... I suspect one
aspect of other vendors not fixing this is that there is a very
simple/effective/verifiable workaround to prevent exploitation of this, and
even with vendor updates I would still suggest using the workaround; after
reading the MVG docs it seems too much like Flash to ever be "safe" (also, in
a web app world I can't imagine a normal use case for people uploading MVG
files).

On Thu, May 19, 2016 at 11:07 AM, Bob Friesenhahn <
bfriesen@...ple.dallas.tx.us> wrote:

> I find it very disturbing that there seems to be very little response from
> popular OS distributions to this issue.  Most do not appear to have issued
> any package updates to close the shell exploit.  Perhaps
> the opinion is that major new versions will be introduced as part of major
> distribution releases and it is ok for users to be exposed to problems for two
> or three years.
>
> As an example Ubuntu 14.04.4 LTS (which is supposed to be getting security
> updates) has not provided ImageMagick or GraphicsMagick package updates in
> 3 years.
>
> Even NetBSD pkgsrc does not appear to have created a new version to
> address the "ImageTragick" issues.
>
> What is the point of security notices and advisories if there is no
> response from the community to provide updates to protect the majority of
> their users (who are using 'stable' releases) from the problems?
>
>
> Bob
> --
> Bob Friesenhahn
> bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
>

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
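The "simple/effective/verifiable workaround" referred to above is, in the context of ImageTragick, the ImageMagick policy.xml change that denies the risky coders (EPHEMERAL, URL, HTTPS, MVG, MSL) rather than waiting on a package update. The following is an added example, not part of this thread or of the ImageMagick project: it embeds a constructed policy.xml fragment and a deliberately weaker one, parses them, and reports which of the required coder restrictions are missing, so the state of a deployed policy can be checked mechanically. The list of required coders and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a policy.xml fragment carrying the coder restrictions
# circulated as the mitigation for CVE-2016-3714.  On a real host the file
# lives under ImageMagick's config directory (e.g. /etc/ImageMagick*/policy.xml).
POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

# Constructed sample of an incomplete policy: only two coders are denied,
# so MVG files uploaded to a web app would still be parsed.
WEAK_POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>
"""

# Coders the mitigation is expected to deny (assumption of this example).
REQUIRED_DENIED = frozenset({"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"})


def denied_coders(policy_xml: str) -> set:
    """Return the set of coder patterns whose rights are set to "none".

    Only <policy> elements in the "coder" domain count; patterns are
    upper-cased because ImageMagick matches them case-insensitively.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        pattern = pol.get("pattern", "").strip().upper()
        if pattern:
            denied.add(pattern)
    return denied


def missing_restrictions(policy_xml: str, required=REQUIRED_DENIED) -> set:
    """Return the required coders that the given policy does NOT deny.

    An empty result means the policy carries every expected restriction.
    """
    return set(required) - denied_coders(policy_xml)


def policy_file_ok(path: str, required=REQUIRED_DENIED) -> bool:
    """Read a policy.xml from disk and report whether it is fully restricted."""
    with open(path, encoding="utf-8") as fh:
        return not missing_restrictions(fh.read(), required)


if __name__ == "__main__":
    for name, xml_text in (("sample", POLICY_XML), ("weak", WEAK_POLICY_XML)):
        gaps = missing_restrictions(xml_text)
        state = "ok" if not gaps else "missing " + ", ".join(sorted(gaps))
        print(f"{name}: {state}")
```

Pointing `policy_file_ok()` at the installed policy.xml is one half of the verification; the other half, on the host itself, is to confirm that ImageMagick actually loaded the file, which `convert -list policy` reports, since a policy placed in the wrong directory is silently ignored.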
