Two days ago we announced that paperclip was not affected by the ImageTragick vulnerability. Since then we have learned that paperclip is affected, and users of paperclip should upgrade to ImageMagick 7.0.1-1 or newer, which includes the fix. Another workaround is to edit the ImageMagick policy to disable the vulnerable coders.
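A sketch of that policy workaround, added here as an example and not taken from the original post: the coder list below is the one published in the public ImageTragick advisory, and the location of policy.xml depends on how ImageMagick was installed (commonly under /etc/ImageMagick/).

```xml
<!-- policy.xml: deny every use of the coders named in the ImageTragick advisory. -->
<!-- rights="none" blocks both reading and writing through the matching coder. -->
<policymap>
  <!-- EPHEMERAL: deletes the input file after reading it -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <!-- URL and HTTPS: fetch remote content through external delegate commands -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <!-- MVG and MSL: vector and script formats that can reference other files and coders -->
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

Running `convert -list policy` afterwards shows which policy file ImageMagick loaded and should list each of these coders with rights of None. Merge the entries into the existing `<policymap>` rather than replacing the file if it already carries other policies.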
If you deploy to Heroku’s Cedar-14 stack (check with the heroku stack command), you are already protected.
Thank you, Phill Sparks, for letting us know.