Debian alert DLA-4462-1 (pillow)
From: Daniel Leidert <dleidert@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4462-1] pillow security update
Date: Sun, 01 Feb 2026 04:25:29 +0100
Message-ID: <0e9f5d3af845808206abb1995414e240e25b5d37.camel@debian.org>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4462-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
February 01, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pillow
Version        : 8.1.2+dfsg-0.3+deb11u3
CVE ID         : CVE-2021-23437 CVE-2022-24303 CVE-2022-45198

Multiple vulnerabilities have been found in Pillow, an image processing
library for Python.

CVE-2021-23437

    The getrgb function is susceptible to a ReDoS.

CVE-2022-24303

    A possible path traversal vulnerability allows attackers to delete
    files.

CVE-2022-45198

    An improper handling of highly compressed GIF data can lead to a
    decompression bomb.

For Debian 11 bullseye, these problems have been fixed in version
8.1.2+dfsg-0.3+deb11u3.

We recommend that you upgrade your pillow packages.

For the detailed security status of pillow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pillow

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
