> If you use ImageMagick or an affected library, we recommend you mitigate the
> known vulnerabilities by doing at least one of these two things (but preferably
>
> 1. Verify that all image files begin with the expected “magic bytes”
> corresponding to the image file types you support before sending them to
> ImageMagick for processing. (see FAQ for more info)
> 2. Use a policy file to disable the vulnerable ImageMagick coders. The global
> policy for ImageMagick is usually found in “/etc/ImageMagick”. This policy.xml
> example will disable the coders EPHEMERAL, URL, MVG, and MSL.
What is the procedure for this? BMO is responding by disabling the BmpConvert extension. We should inform other sites that they need to do the same or take steps to apply the config noted in comment #0.
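The two mitigations quoted from comment #0 (a magic-bytes gate in front of ImageMagick, and a policy.xml that disables the risky coders), as an added example that is not part of this bug thread or of Bugzilla's BmpConvert code. The file signatures are the standard ones for PNG, JPEG, GIF and BMP; the policy.xml fragment is reconstructed from the four coder names the quote lists (EPHEMERAL, URL, MVG, MSL), since the quoted comment does not include the file itself; the sample inputs are constructed, and a text MVG script is used to show that a renamed file does not pass the signature check.

```python
import xml.etree.ElementTree as ET

# Standard file signatures ("magic bytes") for image formats a site might accept.
# Assumed set of accepted formats; adjust to what your site actually supports.
MAGIC_BYTES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


def detect_image_type(data, allowed=("png", "jpeg", "gif", "bmp")):
    """Return the format whose signature `data` starts with, or None.

    The filename extension is deliberately ignored: ImageMagick sniffs content
    as well, so a text file named foo.png is still handed to the MVG coder.
    """
    for kind in allowed:
        for sig in MAGIC_BYTES[kind]:
            if data.startswith(sig):
                return kind
    return None


def safe_to_convert(data, allowed=("png", "jpeg", "gif", "bmp")):
    """Gate to run before passing an upload to ImageMagick (or BmpConvert)."""
    return detect_image_type(data, allowed) is not None


# policy.xml fragment disabling the four coders named in comment #0
# (reconstructed here; the quoted comment does not include its example file).
POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""


def disabled_coders(policy_xml):
    """Set of coder patterns that a policy.xml denies all rights to."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern")
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }


def missing_coder_blocks(policy_xml, required=("EPHEMERAL", "URL", "MVG", "MSL")):
    """Coders from `required` that the given policy does not disable (sorted)."""
    return sorted(set(required) - disabled_coders(policy_xml))


# Constructed samples: a PNG signature plus padding, and a plain-text MVG script
# (the file type ImageMagick's MVG coder consumes) that has been renamed to .png.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_MVG_AS_PNG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in (("real.png", SAMPLE_PNG), ("renamed.png", SAMPLE_MVG_AS_PNG)):
        verdict = "accept" if safe_to_convert(blob) else "reject"
        print(name, "->", detect_image_type(blob), verdict)
    print("policy disables:", sorted(disabled_coders(POLICY_XML)))
    print("still missing:", missing_coder_blocks(POLICY_XML))
    partial = '<policymap><policy domain="coder" rights="none" pattern="URL"/></policymap>'
    print("missing in partial policy:", missing_coder_blocks(partial))
```

Running the file against a real /etc/ImageMagick/policy.xml (read it in and pass it to `missing_coder_blocks`) is a quick way for an admin to confirm the policy actually covers all four coders, which is the check a release note alone cannot give them.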
All we should do is to add a note to the release notes, or even not do anything. It's not our job to inform other admins about security vulnerabilities discovered in modules Bugzilla uses. And we also cannot blacklist older versions, because many Linux distros already backport security patches.
*** This bug has been marked as a duplicate of bug 1269836 ***
(In reply to Frédéric Buclin from comment #2)
> All we should do is to add a note to the release notes, or even not do
> anything. It's not our job to inform other admins about security
> vulnerabilities discovered in modules Bugzilla uses. And we also cannot
> blacklist older versions, because many Linux distros already backport
> security patches.
Frederic, if you run into a bug in a module that Bugzilla uses, please notify me, preferably with a needinfo on the bug. I'm working on putting that kind of coordination in place.
This bug is for upstream, not bmo.
(In reply to Frédéric Buclin from comment #5)
> This bug is for upstream, not bmo.
Yeah, we have bug 1269795 for BMO. But in comment 2 it sounded like you said "Bugzilla" shouldn't do anything, so that's probably why Adam closed the bug.
Well, as I cannot see bug 1269836, and Adam is not involved in upstream Bugzilla, marking this bug as a dupe sounded wrong anyway. :)
Opening this up as it is not tied to any specific release of Bugzilla.
A note has been added on the bugzilla.org website recommending that admins make sure their version of ImageMagick is up-to-date or disable the BmpConvert extension.