------------------------------------------------------------------------- Debian LTS Advisory DLA-3768-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Sean Whitton March 22, 2024 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : pillow Version : 5.4.1-2+deb10u5 CVE ID : CVE-2021-23437 CVE-2022-22817 CVE-2023-44271 Multiple vulnerabilities were discovered in the Python Imaging Library (PIL), an image processing library for Python. CVE-2021-23437 It was discovered that the getrgb function was vulnerable to a regular expression denial-of-service attack. CVE-2022-22817 A fix for this CVE was announced in DSA-5053-1. It was discovered that this fix was incomplete. This update completes the fix. CVE-2023-44271 It was discovered that an overlong text length argument passed to an ImageDraw instance could cause uncontrollable memory allocation and denial-of-service. For Debian 10 buster, these problems have been fixed in version 5.4.1-2+deb10u5. We recommend that you upgrade your pillow packages. For the detailed security status of pillow please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pillow Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature