Hello Yanan,

According to the bug report for that ImageMagick security issue, it looks
like this issue has been fixed:

 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714

On the page above, I see a notice that says it only affected "ImageMagick
before 6.9.3-10 and 7.x before 7.0.1-1".

So, it sounds like it is fixed as long as you have a more recent version of
ImageMagick running.

- Tim

On Tue, Feb 6, 2018 at 9:11 PM Yanan Z <yananjenniferz...@gmail.com> wrote:

> Kia ora,
>
> At Lincoln University (NZ), we are planning to install ImageMagick
> Thumbnails for our DSpace instance. We are currently on DSpace v5.6. If we
> install the latest version of ImageMagick, i.e.,
> ImageMagick-7.0.7-22-Q16-x64
> https://www.imagemagick.org/script/download.php, does anyone know if we
> still need to be concerned about this vulnerability?
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
>
> Ngā mihi nui (Many thanks in advance),
> Yanan
>
> *Yanan Zhao*
> *Digital Services Analyst*
> *Library, Teaching and Learning, Te Wharepūrākau*
> *P O Box 85064*
> *Lincoln University*
> *Lincoln 7647*
> *Canterbury*
> *New Zealand*
>
> *p* +64 3 423 0340
> *e* yanan.z...@lincoln.ac.nz | *w* ltl.lincoln.ac.nz
>
> On Saturday, May 14, 2016 at 2:23:02 AM UTC+12, Tim Donohue wrote:
>
>> Hi,
>>
>> This vulnerability appears in ImageMagick and doesn't actually appear
>> anywhere in the DSpace code itself. However, if you are using the
>> ImageMagick Thumbnails, then you would be affected by these
>> vulnerabilities. This is because you will have had to install ImageMagick
>> on your server in order to use the Thumbnail creation tools:
>>
>> https://wiki.duraspace.org/display/DSDOC5x/ImageMagick+Media+Filters
>>
>> So, to answer your questions:
>>
>> * You only need to be concerned about this vulnerability if you actually
>> have *installed* ImageMagick (http://www.imagemagick.org/), as it's a
>> separate installation from DSpace and does NOT come bundled with DSpace.
>>
>> * There's no need to remove the ImageMagick configuration lines from your
>> configuration file. They won't be used unless they are uncommented and
>> ImageMagick is installed.
>>
>> - Tim
>>
>> On 5/10/2016 9:27 AM, Feed My Lambs Esq. wrote:
>>
>> Thanks for the announcement of this vulnerability, Tim.
>>
>> I found the plugin addition in dspace.cfg
>> under plugin.named.org.dspace.app.mediafilter.FormatFilter = ...
>>   org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \
>>   org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail
>>
>> but this line is still commented out:
>> # org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin
>> (which is how I found it in our Windows server)
>>
>> I'm assuming that means we aren't using this plugin (and therefore not
>> vulnerable).
>>
>> I also tried to find the software installed in our Windows "Program
>> Files" directories but didn't see it.
>>
>> I realize I may be overthinking things but just wanted to make sure.
>> Thank you for confirming!
>>
>> Lastly, should I delete / comment out the ImageMagick lines under the
>> FormatFilter I mentioned above? Thanks
>> --
>> You received this message because you are subscribed to the Google Groups
>> "DSpace Technical Support" group.
>>
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to dspace-tech...@googlegroups.com.
>> To post to this group, send email to dspac...@googlegroups.com.
>>
>>
>> Visit this group at https://groups.google.com/group/dspace-tech.
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>> --
>> Tim Donohue
>> Technical Lead for DSpace & DSpaceDirect
>> DuraSpace.org | DSpace.org | DSpaceDirect.org
>>
-- 
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
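
An added example, not part of the original thread or of DSpace: a Python check that compares an ImageMagick version string against the fixed releases quoted from the CVE notice above and lists uncommented ImageMagick filter lines in dspace.cfg text. The function names, the status strings and the 6.9.3-9 sample string are constructed for illustration.

```python
import re

# Fixed releases as quoted from the CVE-2016-3714 notice in this thread:
# "ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1".
FIXED_6 = (6, 9, 3, 10)
FIXED_7 = (7, 0, 1, 1)
VERSION_RE = re.compile(r"ImageMagick[ -](\d+)\.(\d+)\.(\d+)-(\d+)")
# Constructed sample input modelled on the dspace.cfg lines quoted above.
SAMPLE_CFG = """\
plugin.named.org.dspace.app.mediafilter.FormatFilter = \\
  org.dspace.app.mediafilter.ImageMagickImageThumbnailFilter = ImageMagick Image Thumbnail, \\
  org.dspace.app.mediafilter.ImageMagickPdfThumbnailFilter = ImageMagick PDF Thumbnail
# org.dspace.app.mediafilter.ImageMagickThumbnailFilter.ProcessStarter = /usr/bin
"""


def parse_version(text):
    """Return (major, minor, patch, release) from version text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def predates_fix(version):
    """True if the version is in the range the CVE notice lists as affected."""
    return version < (FIXED_7 if version[0] >= 7 else FIXED_6)


def active_imagemagick_lines(cfg_text):
    """Uncommented dspace.cfg lines that mention an ImageMagick filter."""
    lines = (raw.strip() for raw in cfg_text.splitlines())
    return [l for l in lines
            if "ImageMagick" in l and not l.startswith(("#", "!"))]


def assess(version_text, cfg_text):
    """Combine the version check and the configuration check."""
    version = parse_version(version_text)
    if version is None:
        return "no ImageMagick version found"
    if not predates_fix(version):
        return "fixed version"
    if active_imagemagick_lines(cfg_text):
        return "affected version, filters enabled"
    return "affected version, filters not enabled"


if __name__ == "__main__":
    for v in ("Version: ImageMagick 6.9.3-9 Q16 x86_64", "ImageMagick-7.0.7-22-Q16-x64"):
        print(v, "->", assess(v, SAMPLE_CFG))
```

The version text can be the first line printed by ImageMagick's `-version` option or an installer file name; an affected version warrants an upgrade whether or not the filters are currently enabled.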
