There's a reported ImageMagick security vulnerability making the rounds: http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/
Many MediaWiki sites are configured to use ImageMagick's 'convert' command to perform image rescaling/thumbnailing, so it's worth double-checking that everything is secure...

MediaWiki already performs file type validation checks on uploads, which *should* prevent exploitation of the vulnerability for the standard image types (JPEG, PNG, GIF, SVG etc.) -- this is one of the recommended mitigation strategies. But I am not confident enough to pronounce us immune without actually checking!

Some folks are also recommending tweaking the ImageMagick policy.xml to disable the most dangerous code modules; see the article linked above for further links.

-- brion

_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
