Closed
Bug 1269793
Opened 9 years ago
Closed 9 years ago
Add a note on bugzilla.org that admins should either update ImageMagick (due to CVE-2016-3714) or disable the BmpConvert extension
Categories: Bugzilla :: bugzilla.org, defect, P1
Status: RESOLVED FIXED
People: Reporter: dylan, Assigned: dkl
https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247#.kqh5svaq0
> If you use ImageMagick or an affected library, we recommend you mitigate the
> known vulnerabilities by doing at least one of these two things (but preferably
> both!):
>
> 1. Verify that all image files begin with the expected “magic bytes”
>    corresponding to the image file types you support before sending them to
>    ImageMagick for processing. (see FAQ for more info)
> 2. Use a policy file to disable the vulnerable ImageMagick coders. The global
>    policy for ImageMagick is usually found in “/etc/ImageMagick”. This policy.xml
>    example will disable the coders EPHEMERAL, URL, MVG, and MSL.
>    https://gist.githubusercontent.com/rawdigits/d73312d21c8584590783a5e07e124723/raw/d3232a3958d8a26adcce53dfa2413b42623ca4b8/policy.xml
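The magic-bytes check the quoted advisory recommends, as an added illustration that is not part of this bug or of Bugzilla's BmpConvert extension; it is written in Python rather than Bugzilla's Perl, and the sample inputs are constructed here:

```python
import struct
from typing import Optional

# Allowlist of leading "magic bytes" per supported image type. A deployment that
# only feeds BMP files to ImageMagick (as BmpConvert does) would keep just "bmp".
MAGIC = {
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def detect_type(data: bytes) -> Optional[str]:
    """Return the allowlisted type whose magic bytes start `data`, or None.
    Anything not on the allowlist (text, scripts, unexpected formats) yields None
    and must not be handed to ImageMagick, whose coders would otherwise sniff it."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None

def is_plausible_bmp(data: bytes) -> bool:
    """Stricter check for BMP: the 'BM' signature plus a 14-byte file header
    whose declared file size matches the actual length. Some writers leave the
    size field 0, so relax the last test if legitimate uploads trip it."""
    if len(data) < 14 or detect_type(data) != "bmp":
        return False
    declared_size = struct.unpack_from("<I", data, 2)[0]
    return declared_size == len(data)

def bmp_header(declared_size: int) -> bytes:
    """Build a 14-byte BMP file header: 'BM', size, two reserved words, pixel offset."""
    return b"BM" + struct.pack("<IHHI", declared_size, 0, 0, 14)

# Constructed samples (not from the bug report): a header-only BMP whose size
# field is correct, one whose size field lies, and a text blob renamed to .bmp.
GOOD_BMP = bmp_header(14)
LYING_BMP = bmp_header(4096)
NOT_AN_IMAGE = b"this is plain text, not a bitmap\n"

if __name__ == "__main__":
    for name, blob in [("GOOD_BMP", GOOD_BMP), ("LYING_BMP", LYING_BMP),
                       ("NOT_AN_IMAGE", NOT_AN_IMAGE)]:
        print(f"{name}: type={detect_type(blob)} plausible_bmp={is_plausible_bmp(blob)}")
```

The magic-bytes check complements, rather than replaces, the policy.xml coder restrictions quoted above, since it only gates what reaches ImageMagick.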
Comment 1•9 years ago (Reporter)
What is the procedure for this? BMO is responding by disabling the BmpConvert extension. We should inform other sites that they need to do the same or take steps to apply the config noted in comment #0.
Comment 2•9 years ago
All we should do is to add a note to the release notes, or even not do anything. It's not our job to inform other admins about security vulnerabilities discovered in modules Bugzilla uses. And we also cannot blacklist older versions, because many Linux distros already backport security patches.
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Comment 4•9 years ago
(In reply to Frédéric Buclin from comment #2)
> All we should do is to add a note to the release notes, or even not do
> anything. It's not our job to inform other admins about security
> vulnerabilities discovered in modules Bugzilla uses. And we also cannot
> blacklist older versions, because many Linux distros already backport
> security patches.
Frederic, if you run into a bug in a module that Bugzilla uses, please notify me, preferably with a needinfo on the bug. I'm working on putting that kind of coordination in place.
Comment 5•9 years ago
This bug is for upstream, not bmo.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 6•9 years ago
(In reply to Frédéric Buclin from comment #5)
> This bug is for upstream, not bmo.
Yeah, we have bug 1269795 for BMO. But in comment 2 it sounded like you said "Bugzilla" shouldn't do anything, so that's probably why Adam closed the bug.
Comment 7•9 years ago
Well, as I cannot see bug 1269836, and Adam is not involved in upstream Bugzilla, marking this bug as a dupe sounded wrong anyway. :)
Comment 8•9 years ago (Assignee)
Opening this up as it is not tied to any specific release of Bugzilla.
Group: bugzilla-security
Updated•9 years ago
Component: Bugzilla-General → bugzilla.org
Comment 9•9 years ago
A note has been added on the bugzilla.org website recommending that admins make sure their version of ImageMagick is up to date or disable the BmpConvert extension.
Assignee: dylan → dkl
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
Summary: ImageMagick Is On Fire — CVE-2016-3714 → Add a note on bugzilla.org that admins should either update ImageMagick (due to CVE-2016-3714) or disable the BmpConvert extension