Security notice to administrators - additional configuration recommendations


Anton Georgiev

Dec 2, 2025, 7:06:51 PM
to BigBlueButton-dev
Hi everyone,

We recently became aware of a vulnerability on BigBlueButton servers in the way we configure and use ImageMagick (one of the dependencies we rely on for presentation conversion). There are two configuration changes we recommend administrators make.

1) Update /etc/ImageMagick-6/policy.xml to disallow / restrict SVG processing

We recommend a more strict configuration and include it (by default going forward) in bbb-install.sh.
If you use bbb-install.sh to install and update your BigBlueButton 3.0 servers, please re-run the command you typically use.

Otherwise, we recommend you use other means (manually even) to replace the policy.xml file present by default with the version we've customized.

For the content of policy.xml, please refer to https://github.com/bigbluebutton/bbb-install/blob/0de832b6ace0d2977071f33648891ccaa79efcbb/bbb-install.sh#L405-L513 (or if reading this page days after it's initially published, check for the latest version of bbb-install.sh)

2) (optional but improves usability) Disallow SVG as a supported presentation file format.

One way to do this is adding the following to /etc/bigbluebutton/bbb-html5.yml (and restarting BBB afterwards):

public:
  presentation:
    uploadValidMimeTypes:
      - extension: .pdf
        mime: application/pdf
      - extension: .doc
        mime: application/msword
      - extension: .docx
        mime: application/vnd.openxmlformats-officedocument.wordprocessingml.document
      - extension: .xls
        mime: application/vnd.ms-excel
      - extension: .xlsx
        mime: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
      - extension: .ppt
        mime: application/vnd.ms-powerpoint
      - extension: .pptx
        mime: application/vnd.openxmlformats-officedocument.presentationml.presentation
      - extension: .txt
        mime: text/plain
      - extension: .rtf
        mime: application/rtf
      - extension: .odt
        mime: application/vnd.oasis.opendocument.text
      - extension: .ods
        mime: application/vnd.oasis.opendocument.spreadsheet
      - extension: .odp
        mime: application/vnd.oasis.opendocument.presentation
      - extension: .odg
        mime: application/vnd.oasis.opendocument.graphics
      - extension: .jpg
        mime: image/jpeg
      - extension: .jpeg
        mime: image/jpeg
      - extension: .png
        mime: image/png
      - extension: .webp
        mime: image/webp


-----------------

Note also: While this fix works on BigBlueButton 3.0.16 (and prior, from what I tested), there are side effects (16:9 slides appear cropped, right-hand side missing) specifically on 3.0.16, so we recommend updating BigBlueButton to 3.0.17 as well.

There will be a GitHub security advisory about this (with some more details, credits, etc.) at https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v28f-mvg5-mv7m (not published yet at the time of writing this).

Anton and team
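An added verification script for recommendation 1 (example code, not from the notice or from bbb-install.sh): it parses an ImageMagick policy.xml and reports whether the SVG-related coders are denied. The coder names checked (SVG and MSVG), the constructed sample policies and the single-level brace-list expansion are assumptions on my part.

```python
"""Check whether an ImageMagick policy.xml denies the SVG coders.
Added example; not part of the BigBlueButton notice or bbb-install.sh."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Assumption: the coders ImageMagick uses for SVG input (MSVG is the built-in renderer).
SVG_CODERS = ("SVG", "MSVG")


def _expand_braces(pattern):
    """Expand one {A,B,C} group, as seen in policy patterns like {PS,PS2,PDF}."""
    start, end = pattern.find("{"), pattern.find("}")
    if start == -1 or end == -1 or end < start:
        return [pattern]
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    return [head + alt + tail for alt in body.split(",")]


def denied_coders(policy_xml, coders=SVG_CODERS):
    """Return the subset of `coders` covered by a <policy domain="coder" rights="none"> rule."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").strip().lower() != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        for alt in _expand_braces(policy.get("pattern", "")):
            for coder in coders:
                if fnmatchcase(coder, alt.upper()):  # glob-style match, case-insensitive
                    denied.add(coder)
    return denied


def svg_is_blocked(policy_xml):
    """True only when every SVG-related coder is denied."""
    return denied_coders(policy_xml) == set(SVG_CODERS)


# Constructed sample: a distribution-style policy that denies only Ghostscript coders.
STOCK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

# Constructed sample of a hardened policy that also denies SVG and MSVG.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="MSVG" />
</policymap>"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ImageMagick-6/policy.xml"
    with open(path) as fh:
        print("SVG blocked" if svg_is_blocked(fh.read()) else "SVG NOT blocked", "in", path)
```

Run it against the server's policy.xml after re-running bbb-install.sh to confirm the stricter policy actually landed.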