The current version 6 (legacy version - https://legacy.imagemagick.org/script/index.php), available for FreeBSD, has multiple vulnerabilities.
See here: https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html
Please also see: http://thehackernews.com/2017/05/yahoo-imagemagick-hack.html
Which has been fixed in the current version (v6.9.8-6): http://git.imagemagick.org/repos/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
Available versions upstream: http://git.imagemagick.org/repos/ImageMagick/tags
A commit references this bug:
Author: brnrd
Date: Thu May 25 20:51:49 UTC 2017
New revision: 441717
URL: https://svnweb.freebsd.org/changeset/ports/441717
Log:
  security/vuxml: Document ImageMagick vulnerabilities
  PR: 219497
  Reported by: dani <i.dani@outlook.com>
Changes:
  head/security/vuxml/vuln.xml
Created attachment 182914
svn diff for graphics/ImageMagick
graphics/ImageMagick: Update to 6.9.8.6
- Update to 6.9.8-6 incl security fixes
- Fix plist issues
PR: 219497
MFH: 2017Q2
Security: 50776801-4183-11e7-b291-b499baebfeaf
I will commit the update tomorrow. I had my own patch already, and was testing it in poudriere. As much as I'd like to, I don't think secteam will be happy with a straight 1:1 MFH due to the shared library bumps...
A commit references this bug:
Author: kwm
Date: Fri May 26 08:19:38 UTC 2017
New revision: 441760
URL: https://svnweb.freebsd.org/changeset/ports/441760
Log:
  Update ImageMagick to 6.9.8.6.
  PR: 219497
  Security: 50776801-4183-11e7-b291-b499baebfeaf
Changes:
  head/graphics/ImageMagick/Makefile
  head/graphics/ImageMagick/distinfo
  head/graphics/ImageMagick/pkg-plist
  head/graphics/ImageMagick-nox11/Makefile
*** Bug 219565 has been marked as a duplicate of this bug. ***
Created attachment 183027
security/vuxml: Fix incorrect naming of ImageMagick and add v7 to vulnerable too
Use the same name as for the vulnerabilities before: -> https://www.vuxml.org/freebsd/pkg-ImageMagick.html
v7 is also vulnerable -> See here: bug #219627
A commit references this bug:
Author: brnrd
Date: Tue May 30 08:01:34 UTC 2017
New revision: 442053
URL: https://svnweb.freebsd.org/changeset/ports/442053
Log:
  security/vuxml: Fix latest ImageMagick entry
  - Fix case in pkgname
  - Add version 7
  - add -nox pkgnamesuffix
  PR: 219497
  Submitted by: Dani <i.dani@outlook.com>
Changes:
  head/security/vuxml/vuln.xml
As the wiki says when updating a page: Your attention to detail is appreciated! Thanks Dani!
(In reply to Bernard Spil from comment #8) You're very welcome! Enjoy the nice weather and greetings from Switzerland, Dani
Please still MT2017Q2! ;)
A commit references this bug:
Author: kwm
Date: Wed May 31 09:00:33 UTC 2017
New revision: 442142
URL: https://svnweb.freebsd.org/changeset/ports/442142
Log:
  Manually backport CVE patches, due to shared library bump in ImageMagick.
  PR: 219497
  Approved by: ports-secteam@ (feld@)
  Security: 50776801-4183-11e7-b291-b499baebfeaf
Changes:
  branches/2017Q2/graphics/ImageMagick/Makefile
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5506
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5507
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5508
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5509
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5510
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5511
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6497
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6498
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6499
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6500
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6501
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6502
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7275
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7606
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7619
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7941
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7942
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7943
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8343
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8344
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8345
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8346
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8347
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8348
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8349
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8350
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8351
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8352
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8353
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8354
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8355
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8356
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8357
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8765
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8830
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9141
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9142
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9143
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9144