Full Version: Security Problem With Libpng Library
Miriam
I received an email about this and I'm wondering if our servers are affected by this and will they need the patch fix?

Here's the info:

US-CERT Technical Cyber Security Alert

Would like to hear from the tech people about this.

Thanks.
ThumpAZ
Miriam,

I cannot answer definitively, but I will make sure it is called to the attention of the paid staff for a response here.
Thanks for calling attention to this potential hazard.
TCH-MikeJ
Minor security package updates such as these are done transparently to end users.

Plus the level of exposure for a server that has this vulnerability is considerably low. First, it only allows execution of code as the user the process is running as, and it requires the ability for a user to introduce a malicious .png file to the server and get the server to process the file using the png libraries. This would generally only potentially apply if someone has something like an application that does png conversions from an untrusted source, such as allowing anyone to upload files.

This vulnerability is more of an issue for client machines that are using libpng (desktop Linux, *bsd, etc...) as you could be targeted by websites hosting malicious .png files when you browse them.