===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.5607
                      python-reportlab security update
                               3 October 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-reportlab
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28463 CVE-2019-19450 CVE-2019-17626

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html

Comment: CVSS (Max):  9.8 CVE-2019-19450 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NIST
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3590-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
September 29, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : python-reportlab
Version        : 3.5.13-1+deb10u2
CVE ID         : CVE-2019-19450 CVE-2020-28463

Security issues were discovered in python-reportlab, a Python library for
generating PDFs and graphics, which could lead to remote code execution or
authorization bypass.

CVE-2019-19450

    Ravi Prakash Giri discovered a remote code execution vulnerability via
    a crafted XML document where ‘<unichar code="’ is followed by arbitrary
    Python code. This issue is similar to CVE-2019-17626.

CVE-2020-28463

    Karan Bamal discovered a Server-side Request Forgery (SSRF) vulnerability
    via ‘<img>’ tags. New settings ‘trustedSchemes’ and ‘trustedHosts’ have
    been added as part of the fix/mitigation: they can be used to specify an
    explicit allowlist for remote sources.
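A defender-side pre-check in the spirit of the new allowlist settings, as an added example that is not ReportLab's or Debian's code: it walks untrusted paragraph markup before it reaches the library and flags ‘<img>’ sources outside an explicit scheme/host allowlist as well as ‘<unichar>’ code attributes that are not integer literals. The sample markup, the host names and the exact-match host rule are assumptions.

```python
"""Pre-filter for untrusted ReportLab paragraph markup (added example; not
ReportLab's or Debian's code).  Rejects <img> sources whose scheme or host is
outside an explicit allowlist, the same idea as the trustedSchemes /
trustedHosts settings, reimplemented here as a stand-alone check, and
rejects <unichar code="..."> values that are not integer literals.
Host matching is exact, an assumption; the real setting accepts patterns."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The only sane values for unichar's code attribute are integer literals
# such as 65 or 0x41; anything else is refused before reportlab sees it.
_CODE_RE = re.compile(r"^(0x[0-9a-fA-F]+|[0-9]+)$")


def find_untrusted(markup, trusted_schemes, trusted_hosts):
    """Return (tag, attribute, value, reason) tuples for every violation."""
    findings = []
    # Paragraph markup is a fragment, so wrap it in a single root element.
    root = ET.fromstring("<root>" + markup + "</root>")
    for elem in root.iter():
        if elem.tag == "img":
            src = elem.get("src", "")
            parts = urlsplit(src)
            scheme = parts.scheme or "file"        # a bare path is a local file
            host = (parts.hostname or "").lower()
            if scheme not in trusted_schemes:
                findings.append(("img", "src", src, "scheme not trusted"))
            elif host and host not in trusted_hosts:
                findings.append(("img", "src", src, "host not trusted"))
        elif elem.tag == "unichar":
            code = elem.get("code", "")
            if not _CODE_RE.match(code):
                findings.append(("unichar", "code", code, "code is not an integer literal"))
    return findings


# Constructed sample: one image on the allowed CDN, one pointing at an
# internal host, one valid unichar and one whose code is not a number.
SAMPLE = (
    '<para>Logo: <img src="https://cdn.example/logo.png" width="20" height="20"/> '
    '<img src="http://intranet.example/private.png" width="20" height="20"/> '
    'A is <unichar code="0x41"/> but <unichar code="A"/> is refused.</para>'
)

if __name__ == "__main__":
    for finding in find_untrusted(SAMPLE, {"http", "https"}, {"cdn.example"}):
        print(finding)
```

The check complements, rather than replaces, upgrading to the fixed package and setting the library's own allowlist.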
For Debian 10 buster, these problems have been fixed in version
3.5.13-1+deb10u2.

We recommend that you upgrade your python-reportlab packages.

For the detailed security status of python-reportlab please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-reportlab

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.