Discourse uses ImageMagic here and there, IIRC - for processing uploaded avatar images among other things? Is it vulnerable to CVE-2016–3714 (“ImageTragick”) or has that been handled?
Yep. Fixed yesterday.
Shouldn’t this be a large, globally pinned announcement here, so that people actually see it and upgrade as appropriate? Or how do you guys normally handle security advisories?
We will once ImageMagick pushes a fixed version and we update our base images with the fixed version
Did I misread it that a
git pull; ./launcher rebuild fixes this (as in works around or prevents), then? As by all accounts this is something that is already exploited in the wild, it seems that is something everyone should do ASAP?
The fix @sam created is only a temporary workaround. It has been deployed to Github, so anyone who updates regularly can get it, as well as to all hosted customers. Anyone who frequents Meta regularly should have seen the initial bug report yesterday, and updated. I personally doubt a “large, globally pinned announcement” would cause anyone else to update. Most Discourse admins don’t frequent Meta daily, so its effect would be limited. Those who do visit frequently, or follow major security issues like this, will come looking for a fix.
I’ll just pin it globally for now since there isn’t any downside to it.