
Bug#991628: buster-pu: package pillow/5.4.1-2+deb10u2



On Sat, 2021-12-04 at 17:49 +0000, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2021-07-29 at 09:54 +0100, Neil Williams wrote:
> > Fix for CVE-2021-34552 (#991293) is mitigated by FORTIFY_SOURCE, so
> > this upload targets proposed-updates instead of security after
> > discussion with Moritz.
> > 
> > Other pending CVEs in pillow for buster have been set to ignored as
> > the patches would be too intrusive in buster due mainly to binary
> > changes in the test suite support files.
> > 
> > Debdiff is attached.
> > 
> >  pillow (5.4.1-2+deb10u3) buster; urgency=medium
> >  .
> >    * Non-maintainer upload by the Security Team.
> 
> That seems inaccurate.
> 
> >    [ Moritz Mühlenhoff ]
> >    * CVE-2020-35653 CVE-2020-35655 CVE-2021-27921 CVE-2021-27922
> >      CVE-2021-27923 CVE-2021-25290 CVE-2021-25292 CVE-2021-28677
> >      CVE-2021-28678
> >  .
> >    [ Neil Williams ]
> >    * CVE-2021-34552
> > 
> 
> I'd prefer more verbose changelog entries, but please go ahead.

Ping? We're in the process of organising the final point release for
buster, as support for it transitions over to the LTS team, so if you
would still like to fix it via pu then the upload needs to happen soon.

Regards,

Adam

