Many of our users depend on ImageMagick, and it's important to note that part of the fix for this vulnerability was to add safeguards in the systemwide ImageMagick policy.xml file, as
described here. If you find that the new systemwide policy causes problems with your application hosted on OpenShift, here is a workaround for providing your own policy:
In your git repository, create a directory for the policy file -- we'll call it .im in this example.
Create your desired policy.xml, storing it the directory we just created such as: .im/policy.xml
Within your application, set the MAGICK_CONFIGURE_PATH environment variable to $OPENSHIFT_REPO_DIR/.im
Commit and push your changes (make sure to test!)
Note that I am purposely
avoiding rhc set-env here because custom environment variables are not interpolated, and setting absolute directory paths in environment variables won't work for scaled applications unless you use a namespaced directory such as /tmp.
We apologize for any inconvenience this update may have caused, but given the widespread use of this library and the existence of well-documented exploits, we believed that patching quickly was the best way to protect our users. If you have any issues related to this,
please contact us. The OpenShift Operations Team continuously monitors applications and vulnerabilities. They work to quickly resolve and provide simple solutions with minimal impact to you applications.
About ImageMagick -- It is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. It is distributed under the Apache 2.0
The ultimate goal of almost every hacker is to go up. To step up. To grab root, and use it to go higher or lower on the stack, depending upon your perspective. That first foothold is the key element ...
We recently announced the release of a new edition of Red Hat OpenShift called OpenShift Platform Plus, which includes Red Hat Advanced Cluster Security for Kubernetes (powered by StackRox). In this ...