Re: [dspace-tech] Re: SECURITY ALERT: ImageMagick vulnerability may affect DSpace 5.x sites that use ImageMagick Media Filters

2018-02-07 Thread Tim Donohue
Hello Yanan,

According to the bug report for that ImageMagick security issue, it looks
like this issue has been fixed:

 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714

On the page above, I see a notice that says it only affected "ImageMagick
before 6.9.3-10 and 7.x before 7.0.1-1".

So, it sounds like it is fixed as long as you have a more recent version of
ImageMagick running.

- Tim

On Tue, Feb 6, 2018 at 9:11 PM Yanan Z wrote:

> Kia ora,
>
> At Lincoln University (NZ), we are planning to install ImageMagick
> Thumbnails for our DSpace instance. We are currently on DSpace v5.6. If we
> install the latest version of ImageMagick, i.e.
> ImageMagick-7.0.7-22-Q16-x64
> https://www.imagemagick.org/script/download.php, does anyone know if we
> still need to be concerned about this vulnerability?
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4=29588
>
> Ngā mihi nui (Many thanks in advance),
> Yanan
>
> *Yanan Zhao*
> *Digital Services Analyst*
> *Library, Teaching and Learning, Te Wharepūrākau*
> *P O Box 85064*
> *Lincoln University*
> *Lincoln 7647*
> *Canterbury*
> *New Zealand*
>
> *p* +64 3 423 0340
> *e* *yanan.z...@lincoln.ac.nz* | *w* ltl.lincoln.ac.nz
>
> On Saturday, May 14, 2016 at 2:23:02 AM UTC+12, Tim Donohue wrote:
>
>> Hi,
>>
>> This vulnerability appears in ImageMagick and doesn't actually appear
>> anywhere in the DSpace code itself. However, if you are using the
>> ImageMagick Thumbnails, then you would be affected by these
>> vulnerabilities. This is because you will have had to install ImageMagick
>> on your server in order to use the Thumbnail creation tools:
>>
>> https://wiki.duraspace.org/display/DSDOC5x/ImageMagick+Media+Filters
>>
>> So, to answer your questions:
>>
>> * You only need to be concerned about this vulnerability if you actually
>> have *installed* ImageMagick (http://www.imagemagick.org/), as it's a
>> separate installation from DSpace and does NOT come bundled with DSpace.
>>
>> * There's no need to remove the ImageMagick configuration lines from your
>> configuration file. They won't be used unless they are uncommented and
>> ImageMagick is installed.
>> - Tim
>>
>> On 5/10/2016 9:27 AM, Feed My Lambs Esq. wrote:
>>
>> Thanks for the announcement of this vulnerability, Tim.
>>
>> I found the plugin addition in dspace.cfg
>> under plugin.named.org.dspace.app.mediafilter.FormatFilter = ...
>>   org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \
>>   org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail
>>
>> but this line is still commented out:
>> # org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin
>> (which is how I found it in our Windows server)
>>
>> I'm assuming that means we aren't using this plugin (and therefore not
>> vulnerable).
>>
>> I also tried to find the software installed in our Windows "Program
>> Files" directories but didn't see it.
>>
>> I realize I may be overthinking things but just wanted to make sure.
>> Thank you for confirming!
>>
>> Lastly, should I delete / comment out the ImageMagick lines under the
>> FormatFilter I mentioned above? Thanks
>> --
>> You received this message because you are subscribed to the Google Groups
>> "DSpace Technical Support" group.
>>
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to dspace-tech...@googlegroups.com.
>> To post to this group, send email to dspac...@googlegroups.com.
>>
>>
>> Visit this group at https://groups.google.com/group/dspace-tech.
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>> --
>> Tim Donohue
>> Technical Lead for DSpace & DSpaceDirect
>> DuraSpace.org | DSpace.org | DSpaceDirect.org
>>
-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org



Re: [dspace-tech] Re: SECURITY ALERT: ImageMagick vulnerability may affect DSpace 5.x sites that use ImageMagick Media Filters

2018-02-06 Thread Yanan Z
Kia ora,

At Lincoln University (NZ), we are planning to install ImageMagick
Thumbnails for our DSpace instance. We are currently on DSpace v5.6. If we
install the latest version of ImageMagick, i.e.
ImageMagick-7.0.7-22-Q16-x64 https://www.imagemagick.org/script/download.php,
does anyone know if we still need to be concerned about this vulnerability?
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4=29588

Ngā mihi nui (Many thanks in advance), 
Yanan 

*Yanan Zhao*
*Digital Services Analyst*
*Library, Teaching and Learning, Te Wharepūrākau*
*P O Box 85064*
*Lincoln University*
*Lincoln 7647*
*Canterbury*
*New Zealand*

*p* +64 3 423 0340
*e* *yanan.z...@lincoln.ac.nz* | *w* ltl.lincoln.ac.nz


On Saturday, May 14, 2016 at 2:23:02 AM UTC+12, Tim Donohue wrote:
>
> Hi,
>
> This vulnerability appears in ImageMagick and doesn't actually appear 
> anywhere in the DSpace code itself. However, if you are using the 
> ImageMagick Thumbnails, then you would be affected by these 
> vulnerabilities. This is because you will have had to install ImageMagick 
> on your server in order to use the Thumbnail creation tools:
>
> https://wiki.duraspace.org/display/DSDOC5x/ImageMagick+Media+Filters
>
> So, to answer your questions:
>
> * You only need to be concerned about this vulnerability if you actually 
> have *installed* ImageMagick (http://www.imagemagick.org/), as it's a 
> separate installation from DSpace and does NOT come bundled with DSpace.
>
> * There's no need to remove the ImageMagick configuration lines from your 
> configuration file. They won't be used unless they are uncommented and 
> ImageMagick is installed.
> - Tim
>
> On 5/10/2016 9:27 AM, Feed My Lambs Esq. wrote:
>
> Thanks for the announcement of this vulnerability, Tim. 
>
> I found the plugin addition in dspace.cfg
> under plugin.named.org.dspace.app.mediafilter.FormatFilter = ...
>   org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \
>   org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail
>
> but this line is still commented out:
> # org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin
> (which is how I found it in our Windows server)
>
> I'm assuming that means we aren't using this plugin (and therefore not 
> vulnerable).
>
> I also tried to find the software installed in our Windows "Program Files" 
> directories but didn't see it.
>
> I realize I may be overthinking things but just wanted to make sure. Thank 
> you for confirming!
>
> Lastly, should I delete / comment out the ImageMagick lines under the 
> FormatFilter I mentioned above? Thanks
>
>
> -- 
> Tim Donohue
> Technical Lead for DSpace & DSpaceDirect
> DuraSpace.org | DSpace.org | DSpaceDirect.org
>
>



Re: [dspace-tech] Re: SECURITY ALERT: ImageMagick vulnerability may affect DSpace 5.x sites that use ImageMagick Media Filters

2016-05-13 Thread Tim Donohue

Hi,

This vulnerability appears in ImageMagick and doesn't actually appear 
anywhere in the DSpace code itself. However, if you are using the 
ImageMagick Thumbnails, then you would be affected by these 
vulnerabilities. This is because you will have had to install 
ImageMagick on your server in order to use the Thumbnail creation tools:


https://wiki.duraspace.org/display/DSDOC5x/ImageMagick+Media+Filters

So, to answer your questions:

* You only need to be concerned about this vulnerability if you actually 
have *installed* ImageMagick (http://www.imagemagick.org/), as it's a 
separate installation from DSpace and does NOT come bundled with DSpace.


* There's no need to remove the ImageMagick configuration lines from 
your configuration file. They won't be used unless they are uncommented 
and ImageMagick is installed.


- Tim

On 5/10/2016 9:27 AM, Feed My Lambs Esq. wrote:

Thanks for the announcement of this vulnerability, Tim.

I found the plugin addition in dspace.cfg
under plugin.named.org.dspace.app.mediafilter.FormatFilter = ...
  org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \
  org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail

but this line is still commented out:
# org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin

(which is how I found it in our Windows server)

I'm assuming that means we aren't using this plugin (and therefore not 
vulnerable).


I also tried to find the software installed in our Windows "Program 
Files" directories but didn't see it.


I realize I may be overthinking things but just wanted to make sure. 
Thank you for confirming!


Lastly, should I delete / comment out the ImageMagick lines under the 
FormatFilter I mentioned above? Thanks



--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
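
Added example (not part of the original thread, and not DSpace or ImageMagick code): a Python version of the two checks discussed in these messages, comparing an ImageMagick version string against the affected ranges quoted from the CVE-2016-3714 entry, and listing the uncommented dspace.cfg lines that reference ImageMagick. The function names and the sample configuration are constructed for illustration.

```python
import re

# Fixed releases, taken from the range quoted in the thread for CVE-2016-3714:
# "ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1".
FIXED_6 = (6, 9, 3, 10)
FIXED_7 = (7, 0, 1, 1)

# Constructed sample: filters are listed, ProcessStarter is still commented out.
SAMPLE_CFG = r"""
plugin.named.org.dspace.app.mediafilter.FormatFilter = \
  org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \
  org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail
# org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin
"""

def parse_version(text):
    """Extract (major, minor, patch, release) from e.g. 'ImageMagick-7.0.7-22-Q16-x64'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text)
    if not m:
        raise ValueError(f"no ImageMagick version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(text):
    """True if the version falls inside the ranges the CVE entry lists."""
    v = parse_version(text)
    return v < FIXED_7 if v[0] >= 7 else v < FIXED_6

def active_imagemagick_settings(cfg_text):
    """Return uncommented dspace.cfg properties that reference ImageMagick.

    Backslash-continued lines are joined first, so a filter named on a
    continuation line of the FormatFilter property is still reported.
    """
    logical, buf = [], ""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not buf and line.startswith(("#", "!")):
            continue                      # commented-out property
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf.strip())
    return [entry for entry in logical if "ImageMagick" in entry]

if __name__ == "__main__":
    print(is_affected("ImageMagick-7.0.7-22-Q16-x64"))
    print(active_imagemagick_settings(SAMPLE_CFG))
```

Distribution packages can carry a backported fix under an older upstream version number, so an "affected" result for a packaged build should be checked against the vendor's advisory.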
