
Deploy some fixed version of ImageMagick from apt.wikimedia.org
Closed, Resolved · Public

Description

Solving T141739 requires upgrading, downgrading or patching ImageMagick to a version that handles those files correctly.

Event Timeline

To summarize a discussion on wikimedia operations IRC channel:

  • The ImageMagick 7 API has evolved; a porting guide is available.
  • A locally maintained package would offer more coherence when we use several OSes, deploying the same version everywhere, at the cost of requiring package maintenance.
  • To fix this issue, pending ImageMagick 7 testing, per T141739#2785739, the more careful path should be to use 6.8.3, a version we should recommend in the mediawiki.org documentation and deploy on the wmf cluster.
matmarex renamed this task from "Deploy ImageMagick 6.8.3 from apt.wikimedia.org" to "Deploy some fixed version of ImageMagick from apt.wikimedia.org". Nov 12 2016, 8:23 AM
matmarex updated the task description.

So for the initial version, 6.8.3 has been identified by @matmarex as the last 6.x before the bug introduction.

This version couldn't be the optimal choice from a security point of view:

We should evaluate if one of these issues could be triggered by our image processing, and if so, focus on ImageMagick 7.

Finally, @matmarex reported the issue upstream. If they backport the fix to 6.9, the last 6.9 version will clearly be the optimal choice, as it will keep some stability and will include security fixes.

OK, upstream have released ImageMagick 6.9.6-5 with a fix for the issue. https://github.com/ImageMagick/ImageMagick/issues/299#issuecomment-260824152

So this is the version we want. It will be satisfactory both for the security issues fixed and for the bug fix.
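Once a fixed version has been settled on, the practical follow-up is verifying that every host actually runs it. The check below is an added example, not code from this task or from the Wikimedia operations tooling: it parses `convert -version` style output collected from hosts and reports whether each one meets the 6.9.6-5 minimum named above. The hostnames and the report lines are constructed for the example; a major-version mismatch (for instance an ImageMagick 7 install) is reported separately, since the API differences mentioned in the summary mean "newer" is not automatically "equivalent".

```python
import re

# Version the task settled on: ImageMagick 6.9.6-5 carries the upstream fix
# referenced in https://github.com/ImageMagick/ImageMagick/issues/299.
FIXED_VERSION = "6.9.6-5"

# Constructed sample of `convert -version` output as it might be collected
# from several hosts. Hostnames and version lines are made up for this example.
SAMPLE_REPORTS = {
    "mw-host-a": "Version: ImageMagick 6.9.6-5 Q16 x86_64 2016-11-16 http://www.imagemagick.org",
    "mw-host-b": "Version: ImageMagick 6.8.9-9 Q16 x86_64 2016-06-01 http://www.imagemagick.org",
    "thumbor-a": "Version: ImageMagick 6.9.7-4 Q16 x86_64 2017-01-05 http://www.imagemagick.org",
    "test-host": "Version: ImageMagick 7.0.0-0 Q16 x86_64 2016-11-16 http://www.imagemagick.org",
    "mw-host-c": "convert: command not found",
}

# ImageMagick reports versions as MAJOR.MINOR.PATCH-RELEASE.
_VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Return (major, minor, patch, release) found in a `convert -version` line, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def classify(text, fixed=FIXED_VERSION):
    """Classify one host's report relative to the fixed version.

    Returns one of:
      'unknown'        - no ImageMagick version could be parsed
      'major-mismatch' - a different major version (e.g. 7.x vs 6.x)
      'outdated'       - same major series but older than the fix
      'ok'             - at or above the fixed version
    """
    have = parse_version(text)
    want = parse_version("ImageMagick " + fixed)
    if have is None:
        return "unknown"
    if have[0] != want[0]:
        return "major-mismatch"
    # Tuple comparison orders (major, minor, patch, release) numerically,
    # so 6.9.7-4 > 6.9.6-5 > 6.8.9-9 as expected.
    return "ok" if have >= want else "outdated"


def audit(reports, fixed=FIXED_VERSION):
    """Map each hostname to its classification."""
    return {host: classify(text, fixed) for host, text in reports.items()}


def hosts_needing_action(reports, fixed=FIXED_VERSION):
    """Sorted list of hosts that are not confirmed at or above the fixed version."""
    return sorted(h for h, status in audit(reports, fixed).items() if status != "ok")


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_REPORTS).items()):
        print(f"{host:12s} {status}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_REPORTS)))
```

Hosts reporting `unknown` (no parsable version) are deliberately listed as needing action rather than ignored, since a missing or failed `convert` binary is exactly the kind of host that gets forgotten in a rollout.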

This has been done now (but logged at T141739).

The Thumbor servers have also been upgraded.