[ale] Imagemagick exploit

Boris Borisov bugyatl at gmail.com
Thu May 5 10:13:49 EDT 2016


I'm not a pro in web, but I think a lot of web sites rely on ImageMagick tools
to resize/convert files.
On May 5, 2016 10:10 AM, "Jim Kinney" <jim.kinney at gmail.com> wrote:

> Yea. Using it as a thumbnail creator for a public web application is a
> threat vector that needs the patching.
>
> Using it on the desktop to modify/mangle images from the command line is
> not a cause for panic.
> On May 5, 2016 10:04 AM, "DJ-Pfulio" <DJPfulio at jdpfu.com> wrote:
>
>> Not worried at all.
>> I don't run any services that allow unknown uploaded files to be run
>> through ImageMagick.
>>
>> I use ImageMagick a few times a week.
>>
>> Before going crazy about this stuff ... look at the required attack
>> vector.
>>
>> On 05/05/16 09:46, Lightner, Jeff wrote:
>> > Not on RHEL5.  You’d have to do “yum” rather than “dnf”.
>> >
>> > Completely wiping your hard drive would also probably work but seems a bit extreme.  :p
>> >
>> > One assumes the reason you’re doing mitigation is because you have a reason to use ImageMagick (and an OS).
>> >
>> >
>> > From: ale-bounces at ale.org On Behalf Of Pete Hardie
>> > Sent: Thursday, May 05, 2016 9:36 AM
>> > To: Atlanta Linux Enthusiasts
>> > Subject: Re: [ale] Imagemagick exploit
>> >
>> >
>> > sudo dnf remove ImageMagick probably works.....
>> >
>> > On Thu, May 5, 2016 at 9:21 AM, Lightner, Jeff <JLightner at dsservices.com> wrote:
>> > Looking this morning I see both the ImageMagick and the RedHat links have been updated with suggested mitigations for RHEL5.   I haven’t tried them yet.
>> >
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>