SUSE alert SUSE-SU-2021:1938-1 (python-Pillow)
| From: | sle-security-updates@lists.suse.com | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2021:1938-1: important: Security update for python-Pillow | |
| Date: | Thu, 10 Jun 2021 15:22:16 +0200 | |
| Message-ID: | <20210610132216.40AF2FD14@maintenance.suse.de> |
SUSE Security Update: Security update for python-Pillow ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1938-1 Rating: important References: #1180832 #1180834 #1183101 #1183102 #1183105 #1183107 #1183108 #1183110 #1185784 #1185785 #1185786 #1185803 #1185804 #1185805 Cross-References: CVE-2020-35653 CVE-2020-35655 CVE-2021-25287 CVE-2021-25288 CVE-2021-25290 CVE-2021-25292 CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678 CVSS scores: CVE-2020-35653 (NVD) : 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2020-35653 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2020-35655 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVE-2020-35655 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2021-25288 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2021-25290 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-25292 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-25293 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27921 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27922 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27923 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28675 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28677 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28677 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28678 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 ______________________________________________________________________________ An update that fixes 14 vulnerabilities is now available. Description: This update for python-Pillow fixes the following issues: - CVE-2020-35655: Fixed a buffer over-read when decoding crafted SGI RLE image files (bsc#1180832). - CVE-2021-25293: Fixed an out-of-bounds read in SGIRleDecode.c (bsc#1183102). - CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105). - CVE-2021-25292: Fixed a backtracking regex in PDF parser could be used as a DOS attack (bsc#1183101). - CVE-2021-27921,CVE-2021-27922,CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183110,bsc#1183108,bsc#1183107) - CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834). - CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805). - CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803). - CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804). - CVE-2021-28678: Fixed improper check in BlpImagePlugin (bsc#1185784). - CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785). - CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1938=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1938=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): python-Pillow-5.2.0-3.8.1 python-Pillow-debuginfo-5.2.0-3.8.1 python-Pillow-debugsource-5.2.0-3.8.1 - SUSE OpenStack Cloud 9 (x86_64): python-Pillow-5.2.0-3.8.1 python-Pillow-debuginfo-5.2.0-3.8.1 python-Pillow-debugsource-5.2.0-3.8.1 References: https://www.suse.com/security/cve/CVE-2020-35653.html https://www.suse.com/security/cve/CVE-2020-35655.html https://www.suse.com/security/cve/CVE-2021-25287.html https://www.suse.com/security/cve/CVE-2021-25288.html https://www.suse.com/security/cve/CVE-2021-25290.html https://www.suse.com/security/cve/CVE-2021-25292.html https://www.suse.com/security/cve/CVE-2021-25293.html https://www.suse.com/security/cve/CVE-2021-27921.html https://www.suse.com/security/cve/CVE-2021-27922.html https://www.suse.com/security/cve/CVE-2021-27923.html https://www.suse.com/security/cve/CVE-2021-28675.html https://www.suse.com/security/cve/CVE-2021-28676.html https://www.suse.com/security/cve/CVE-2021-28677.html https://www.suse.com/security/cve/CVE-2021-28678.html https://bugzilla.suse.com/1180832 https://bugzilla.suse.com/1180834 https://bugzilla.suse.com/1183101 https://bugzilla.suse.com/1183102 https://bugzilla.suse.com/1183105 https://bugzilla.suse.com/1183107 https://bugzilla.suse.com/1183108 https://bugzilla.suse.com/1183110 https://bugzilla.suse.com/1185784 https://bugzilla.suse.com/1185785 https://bugzilla.suse.com/1185786 https://bugzilla.suse.com/1185803 https://bugzilla.suse.com/1185804 https://bugzilla.suse.com/1185805