ChrisInEdmonton's questions

CVE-2016-3714 was announced on May 3, 2016. This vulnerability unfortunately goes by the name, ImageTragick and has received some press (for example, this ArsTechnica article).

Until updated ImageMagick packages are released in the near future, we need a workaround. The workaround is fairly straight-forward. Simply use a policy file to disable the vulnerable coders. The policy file must look something like this:

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

If a sysadmin has installed the policy.xml file shown above, how would they go about independently confirming that the installation of ImageMagick is no longer vulnerable?

The company I work for runs a web site that gets a little over fifty million hits a month. We are looking at replacing our existing custom-written ad server with a prepackaged solution. It fundamentally must be able to scale up to this level of traffic, which eliminates a substantial number of solutions.

Our servers run Linux and so any ad server would obviously need to run in Linux.

Anyone have any software and (less important) hardware recommendations for ad serving that can easily handle 50,000,000 hits per month, and that can scale up modestly into the low nine figure hits/month? Happy to hear about Windows solutions, though we definitely will not be running those.