Kia ora,

At Lincoln University (NZ), we are planning to install ImageMagick 
Thumbnails for our DSpace instance. We are currently on DSpace v5.6. If we 
install the latest version of ImageMagick, i.e., 
ImageMagick-7.0.7-22-Q16-x64 (https://www.imagemagick.org/script/download.php), 
does anyone know if we still need to be concerned about this vulnerability? 
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 

Ngā mihi nui (Many thanks in advance), 
Yanan 

*Yanan Zhao*
*Digital Services Analyst*
*Library, Teaching and Learning, Te Wharepūrākau*
*P O Box 85064*
*Lincoln University*
*Lincoln 7647*
*Canterbury*
*New Zealand*
*p* +64 3 423 0340
*e* yanan.z...@lincoln.ac.nz | *w* ltl.lincoln.ac.nz


On Saturday, May 14, 2016 at 2:23:02 AM UTC+12, Tim Donohue wrote:
>
> Hi,
>
> This vulnerability appears in ImageMagick and doesn't actually appear 
> anywhere in the DSpace code itself. However, if you are using the 
> ImageMagick Thumbnails, then you would be affected by these 
> vulnerabilities. This is because you will have had to install ImageMagick 
> on your server in order to use the Thumbnail creation tools:
>
> https://wiki.duraspace.org/display/DSDOC5x/ImageMagick+Media+Filters
>
> So, to answer your questions:
>
> * You only need to be concerned about this vulnerability if you actually 
> have *installed* ImageMagick (http://www.imagemagick.org/), as it's a 
> separate installation from DSpace and does NOT come bundled with DSpace.
>
> * There's no need to remove the ImageMagick configuration lines from your 
> configuration file. They won't be used unless they are uncommented and 
> ImageMagick is installed.
> - Tim
>
> On 5/10/2016 9:27 AM, Feed My Lambs Esq. wrote:
>
> Thanks for the announcement of this vulnerability, Tim. 
>
> I found the plugin addition in dspace.cfg 
> under plugin.named.org.dspace.app.mediafilter.FormatFilter = ... 
>   org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \
>   org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail
>
> but this line is still commented out:
> # org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin
> (which is how I found it in our Windows server)
>
> I'm assuming that means we aren't using this plugin (and therefore not 
> vulnerable).
>
> I also tried to find the software installed in our Windows "Program Files" 
> directories but didn't see it.
>
> I realize I may be overthinking things but just wanted to make sure. Thank 
> you for confirming!
>
> Lastly, should I delete / comment out the ImageMagick lines under the 
> FormatFilter I mentioned above? Thanks
>
> -- 
> Tim Donohue
> Technical Lead for DSpace & DSpaceDirect
> DuraSpace.org | DSpace.org | DSpaceDirect.org
>
>
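
The check Tim's reply describes (are the ImageMagick filter lines uncommented, and is ImageMagick actually present where DSpace is told to look), as an added example that is not part of the original thread or of DSpace's own code. It assumes dspace.cfg can be read as simple `key = value` properties and that an install provides one of the executable names in `IM_BINARIES`; the sample config is constructed.

```python
import os

# Key and class names as quoted in the thread above.
FILTER_KEY = "plugin.named.org.dspace.app.mediafilter.FormatFilter"
STARTER_KEY = "org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter"
IM_FILTERS = (
    "org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter",
    "org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter",
)
# Assumption: executable names an ImageMagick install may provide.
IM_BINARIES = ("convert", "convert.exe", "magick", "magick.exe")

def load_properties(text):
    """Minimal properties reader: drops '#' lines, joins '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a dangling continuation
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def imagemagick_exposure(cfg_text):
    """Report uncommented ImageMagick filters and whether the binary is present."""
    props = load_properties(cfg_text)
    named = props.get(FILTER_KEY, "")
    enabled = [f for f in IM_FILTERS if f in named]
    starter = props.get(STARTER_KEY, "")
    installed = bool(starter) and any(
        os.path.isfile(os.path.join(starter, b)) for b in IM_BINARIES)
    return {"filters_enabled": enabled, "process_starter": starter,
            "binary_found": installed, "in_use": bool(enabled) and installed}

# Constructed sample: ImageMagick lines left commented out, as in the thread.
SAMPLE_CFG = """\
plugin.named.org.dspace.app.mediafilter.FormatFilter = \\
  org.dspace.app.mediafilter.JPEGFilter = JPEG Thumbnail
# org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \\
# org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail
# org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin
"""

if __name__ == "__main__":
    print(imagemagick_exposure(SAMPLE_CFG))
```

The result only says whether DSpace is configured to call ImageMagick and can find it; it says nothing about whether the installed ImageMagick version is patched.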
