
Security ImageMagick vulnerabilities CVE-2016-3714 (imagetragick) active exploitation confirmed

Discussion in 'CentOS, Redhat & Oracle Linux News' started by Revenge, May 4, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    probably because Xenforo ain't exploitable: ImageMagick remote code execution (RCE) vulnerability | XenForo Community


     
  2. Revenge

    Revenge Active Member

    New version of ImageMagick.
    Code:
    6.9.4.1-1.el7
     
  3. eva2000

    eva2000 Administrator Staff Member

    thanks. ImageMagick/ChangeLog at ImageMagick-6 · ImageMagick/ImageMagick · GitHub
    Code (Text):
    2016-05-10  6.9.4-1 Cristy  <quetzlzacatenango@image...>
      * Quote passwords when passed to a delegate program.
    
    2016-05-09  6.9.4-1 Cristy  <quetzlzacatenango@image...>
      * Release ImageMagick version 6.9.4-1, GIT revision 10755:d540dda:20160509.
    
    2016-05-07  6.9.4-1 Cristy  <quetzlzacatenango@image...>
      * Remove https delegate.
    
    2016-05-05  6.9.4-0 Cristy  <quetzlzacatenango@image...>
      * Release ImageMagick version 6.9.4-0, GIT revision 10741:5746147:20160507.
    
    2016-05-04  6.9.4-0 Cristy  <quetzlzacatenango@image...>
      * Check for buffer overflow in magick/draw.c/DrawStrokePolygon().
      * Replace show delegate title with image filename rather than label.
      * Fix GetNextToken() off by one error.
      * Remove support for internal ephemeral coder.
    
    2016-05-03  6.9.3-10 Cristy  <quetzlzacatenango@image...>
      * New version 6.9.3-10, GIT revision 10723:9fc8a0c:20160503.
    
    2016-05-03  6.9.3-10 Cristy  <quetzlzacatenango@image...>
      * Sanitize input filename for http / https delegates (improved patch).
      * Fix for possible security vulnerabilities (reference
        https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588).
    
    2016-04-30  6.9.3-9 Cristy  <quetzlzacatenango@image...>
      * New version 6.9.3-9, GIT revision 10716:b527bce:20160430.
     
  4. pamamolf

    pamamolf Premium Member

    Simple yum update for it?
     
  5. eva2000

    eva2000 Administrator Staff Member

    yes

    for 123.08stable users, yum update + centmin.sh menu option 15 to recompile imagick php extension
    Code (Text):
    yum -y update --enablerepo=remi --disableplugin=priorities
    

    for 123.09beta01 users, running centmin.sh menu option 15 does both yum update + imagick php extension recompile
     
  6. eva2000

    eva2000 Administrator Staff Member

    Interesting reading: ImageMagick calls into question responsible disclosure reporting