ImageMagick 6.9.12 #413
Unanswered
laureengum-debug asked this question in Q&A
Replies: 3 comments
I am not sure what your question is but I will try to answer it. We are now only making security patches to ImageMagick 6 and we only publish those in new versions. Version 6.9.12-86 is almost three years old so it does not contain any of the security patches that we published after that release.
0 replies
Thank you very much for your response. I am reviewing ACAS security scans for a cybersecurity assessment I am conducting and the organization I am assessing has this particular version installed. The ACAS Plugin that was reported was for 276810 and the solution on Tenable's website states: "Upgrade to ImageMagick version 6.9.13-32, 7.1.2-7 or later.". The organization is stating that the version they are running, 6.9.12-86, is the 64-bit version and therefore not vulnerable to this specific plugin as per the Tenable Website: *"This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable." (CVE-2025-62171).* Ok, I can see where the version they are running isn't vulnerable to this particular finding if they are running the 64-bit version, however, I feel like they are vulnerable to other unknown vulnerabilities because they are not running the current version of the legacy ImageMagick 6.9 that is available.

So now I'm trying to see if the version that they have installed should fall under the "unsupported software" NIST 800-53 control which states *"The organization conducting the inspection/assessment [me] obtains and examines the documented process as well as the hardware and software lists to ensure the organization being inspected/assessed replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer."* or does it fall under the NIST 800-53 control for "missing security updates" which states: "*The organization installs security-relevant software updates within [30 days] time period of the release of the updates*"? 🧐
On Mon, Apr 6, 2026 at 2:36 PM Dirk Lemstra ***@***.***> wrote:
I am not sure what your question is but I will try to answer it. We are now only making security patches to ImageMagick 6 and we only publish those in new versions. Version 6.9.12-86 <https://github.com/ImageMagick/ImageMagick6/releases/tag/6.9.12-86> is almost three years old so it does not contain any of the security patches that we released in that period.
0 replies
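An added example, not part of this thread and not tooling from ImageMagick or Tenable, that keeps the two findings in the post above apart for an assessor: whether an installed build predates the fixed release that plugin 276810 names (6.9.13-32 for the 6.x line, 7.1.2-7 for 7.x), and whether the narrower CVE-2025-62171 condition (32-bit build with raised width/height/area limits) applies at all. The release number after the dash is what separates 6.9.12-86 from 6.9.13-32, so a plain string comparison is not enough. The banner line is constructed here in the customary `convert -version` layout ("Version: ImageMagick <version> <quantum> <arch> ..."), the 32/64-bit grouping of architecture tokens and the `assess` helper are this example's own assumptions.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed releases per major line, as quoted in the thread from Tenable's
# plugin 276810 solution: "Upgrade to ImageMagick version 6.9.13-32, 7.1.2-7 or later."
FIXED_VERSIONS: Dict[int, Version] = {
    6: (6, 9, 13, 32),
    7: (7, 1, 2, 7),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")

# Architecture tokens as they appear in the -version banner. Grouping them by
# word size (size_t of 4 vs 8 bytes) is this example's assumption.
_ARCH_BITS = {
    "x86_64": 64, "amd64": 64, "aarch64": 64, "arm64": 64, "ppc64le": 64, "s390x": 64,
    "i386": 32, "i586": 32, "i686": 32, "armv7l": 32,
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH-RELEASE' into a tuple that compares correctly.

    A bare '6.9.12' is treated as release 0 so it sorts before 6.9.12-1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ImageMagick version: {text!r}")
    major, minor, patch, rel = m.groups()
    return (int(major), int(minor), int(patch), int(rel or 0))


def is_below_fix(installed: str) -> bool:
    """True when the build is older than the fixed release of its own major line."""
    v = parse_version(installed)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        raise ValueError(f"no fixed version recorded for ImageMagick {v[0]}.x")
    return v < fixed


def parse_banner(banner: str) -> Tuple[str, Optional[int]]:
    """Extract (version, word size) from a 'convert -version' banner line.

    Assumes the layout 'Version: ImageMagick <ver> <quantum> <arch> ...'; the
    word size is None when the architecture token is not one we recognise.
    """
    m = re.search(r"ImageMagick\s+(\d+\.\d+\.\d+(?:-\d+)?)\s+(\S+)\s+(\S+)", banner)
    if not m:
        raise ValueError("banner does not look like an ImageMagick -version line")
    version, _quantum, arch = m.groups()
    return version, _ARCH_BITS.get(arch)


def assess(banner: str, limits_raised: bool) -> Dict[str, object]:
    """Report the two findings separately.

    below_plugin_fix_version: the build predates the release Tenable names, so it
      lacks the security patches published up to that release (the broader finding).
    exposed_to_cve_2025_62171: per the Tenable text quoted in the thread, only a
      32-bit build whose width/height/area limits were raised above the defaults.
    """
    version, bits = parse_banner(banner)
    below = is_below_fix(version)
    return {
        "version": version,
        "bits": bits,
        "below_plugin_fix_version": below,
        "exposed_to_cve_2025_62171": below and bits == 32 and limits_raised,
    }


if __name__ == "__main__":
    # Constructed banner in the usual layout; not captured from any real host.
    sample = "Version: ImageMagick 6.9.12-86 Q16 x86_64 2023-02-05 https://legacy.imagemagick.org"
    print(assess(sample, limits_raised=False))
```

Run against the 64-bit banner above, `assess` returns `below_plugin_fix_version` true and `exposed_to_cve_2025_62171` false, which is exactly the split the poster is trying to make: the specific CVE does not apply, but the build is still behind the release the plugin asks for.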
I guess you have gotten your answer then 😁
0 replies
I understand that ImageMagick version 6 is still being supported until 2027. If a large organization has version 6.9.12-86 installed on Linux Kernel 4.18.0-553.84.1.el8_10.x86_64 on Red Hat Enterprise Linux release 8.10 (Ootpa), are they currently on a supported version of ImageMagick or would they have to be on the most current version of 6.9.13-x in order to be considered "supported"?