Vulnerable to ImageMagick RCE, CVE-2016-3714?

(Jakob Borg) #1

Discourse uses ImageMagick here and there, IIRC - for processing uploaded avatar images among other things? Is it vulnerable to CVE-2016-3714 (“ImageTragick”) or has that been handled?

(Joshua Rosenfeld) #2

Yep. Fixed yesterday.

(Jakob Borg) #5

Shouldn’t this be a large, globally pinned announcement here, so that people actually see it and upgrade as appropriate? Or how do you guys normally handle security advisories?

(Régis Hanol) #6

We will once ImageMagick pushes a fixed version and we update our base images with the fixed version :wink:

(Jakob Borg) #7

Did I misread it that a git pull; ./launcher rebuild fixes this (as in works around or prevents), then? As by all accounts this is something that is already exploited in the wild, it seems that is something everyone should do ASAP?

(Joshua Rosenfeld) #8

The fix @sam created is only a temporary workaround. It has been deployed to GitHub, so anyone who updates regularly can get it, as well as to all hosted customers. Anyone who frequents Meta regularly should have seen the initial bug report yesterday, and updated. I personally doubt a “large, globally pinned announcement” would cause anyone else to update. Most Discourse admins don’t frequent Meta daily, so its effect would be limited. Those who do visit frequently, or follow major security issues like this, will come looking for a fix.

(Alan Tan) #9

I’ll just pin it globally for now since there isn’t any downside to it.

