===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1223
                        imagemagick security update
                                17 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imagemagick
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3718 CVE-2016-3717 CVE-2016-3716 CVE-2016-3715
                   CVE-2016-3714
Reference:         ASB-2016.0050
                   ESB-2016.1161
                   ESB-2016.1121

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3580

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3580-1                   security@debian.org
https://www.debian.org/security/                           Luciano Bello
May 16, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
                 CVE-2016-3718
Debian Bug     : 823542

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of a lack of sanitization of untrusted input. An
attacker with control over the image input could, with the privileges of
the user running the application, execute code (CVE-2016-3714), make HTTP
GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move
(CVE-2016-3716), or read (CVE-2016-3717) local files.
These vulnerabilities are particularly critical if ImageMagick processes
images coming from remote parties, such as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via the /etc/ImageMagick-6/policy.xml file. In
addition, we introduce extra preventions, including some sanitization of
input filenames in the http/https delegates, the full removal of the
PLT/Gnuplot decoder, and the need for an explicit reference in the
filename for the insecure coders.

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u2.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
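The policy.xml mitigation the DSA describes can be verified on a host rather than assumed. The checker below is an added example, not code from Debian, AusCERT or the ImageMagick project: it parses a policy file and reports which of the five coders named above are not denied. The two sample policies are constructed inline, and the `@*` path rule used for the indirect-read check is an assumption taken from the wider ImageTragick hardening guidance, not a value quoted in this bulletin.

```python
"""Check an ImageMagick policy.xml for the coder and indirect-read mitigations
described in DSA-3580 (ImageTragick). Added example; not project code."""
import xml.etree.ElementTree as ET

# Coders the DSA says the Debian update disables through policy.xml.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "MVG", "MSL", "PLT")

# Constructed sample of a hardened policy. On a real host the file lives at
# /etc/ImageMagick-6/policy.xml; read it with open(...).read() instead.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

# Constructed sample of a policy that only partially applies the mitigation:
# URL is restricted to "read", which is not a deny, and the path rule is absent.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="read" pattern="URL" />
</policymap>"""

def _policies(policy_xml, domain):
    """Yield (pattern, rights) for every <policy> entry in the given domain."""
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") == domain:
            yield (p.get("pattern") or "").strip(), (p.get("rights") or "").strip().lower()

def disabled_coders(policy_xml):
    """Coders from IMAGETRAGICK_CODERS that the policy denies outright
    (rights="none"). Wildcard patterns are deliberately not credited."""
    return {pat.upper() for pat, rights in _policies(policy_xml, "coder")
            if rights == "none" and pat.upper() in IMAGETRAGICK_CODERS}

def indirect_reads_blocked(policy_xml):
    """True when the path domain denies "@*", the rule (assumed from ImageTragick
    guidance) that blocks ImageMagick's @file indirect-read filename syntax."""
    return any(pat == "@*" and rights == "none"
               for pat, rights in _policies(policy_xml, "path"))

def missing_mitigations(policy_xml):
    """Ordered list of what is still missing: undisabled coders, then 'path:@*'."""
    missing = [c for c in IMAGETRAGICK_CODERS if c not in disabled_coders(policy_xml)]
    if not indirect_reads_blocked(policy_xml):
        missing.append("path:@*")
    return missing
```

An empty list from `missing_mitigations` means every coder the DSA names is denied and the indirect-read rule is present; anything else is what still needs adding to the policy.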
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================