-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.5607
                     python-reportlab security update
                              3 October 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-reportlab
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28463 CVE-2019-19450 CVE-2019-17626

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html

Comment: CVSS (Max):  9.8 CVE-2019-19450 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NIST
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3590-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
September 29, 2023                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-reportlab
Version        : 3.5.13-1+deb10u2
CVE ID         : CVE-2019-19450 CVE-2020-28463

Security issues were discovered in python-reportlab, a Python library
for generating PDFs and graphics, which could lead to remote code
execution or authorization bypass.

CVE-2019-19450

    Ravi Prakash Giri discovered a remote code execution vulnerability
    via a crafted XML document in which ‘<unichar code="’ is followed by
    arbitrary Python code.

    This issue is similar to CVE-2019-17626.
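The advisory text implies that the value of the ‘code’ attribute reached a
Python evaluator. The defensive pattern is to never evaluate it at all and to
accept only a numeric code point. The following is an added illustration, not
reportlab's own parser or its patch; the function names parse_unichar_code and
safe_unichar and the accepted syntax (decimal or 0x-prefixed hexadecimal) are
choices made for this example.

```python
import re
from typing import Optional

# Only a decimal integer or a 0x-prefixed hexadecimal integer is accepted.
# Anything else (expressions, names, calls) is rejected before any parsing.
_CODE_RE = re.compile(r"^\s*(?:0[xX][0-9A-Fa-f]{1,6}|[0-9]{1,7})\s*$")


def parse_unichar_code(value: str) -> str:
    """Return the single character named by a <unichar code="..."> attribute.

    Raises ValueError for anything that is not a syntactically numeric
    value, or for a number outside the Unicode scalar value range.
    (Hypothetical helper written for this example, not reportlab's API.)
    """
    if not isinstance(value, str) or not _CODE_RE.match(value):
        raise ValueError(
            "unichar code must be a decimal or 0x hex integer, got %r" % (value,))
    text = value.strip()
    if text[:2].lower() == "0x":
        codepoint = int(text[2:], 16)
    else:
        codepoint = int(text, 10)          # leading zeros are fine in base 10
    # Valid scalar values are 0..0x10FFFF excluding the UTF-16 surrogate block.
    if codepoint > 0x10FFFF or 0xD800 <= codepoint <= 0xDFFF:
        raise ValueError("code point U+%04X is not a Unicode scalar value" % codepoint)
    return chr(codepoint)


def safe_unichar(value: str) -> Optional[str]:
    """Render the character, or None if the attribute value is rejected.

    A renderer that uses this wrapper emits nothing for a bad attribute
    instead of handing the attribute text to an evaluator.
    """
    try:
        return parse_unichar_code(value)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed attribute values for a quick manual run.
    for attr in ("65", "0x263A", " 0x41 ", "chr(65)", "0xD800", "1114112"):
        print("%-10r -> %r" % (attr, safe_unichar(attr)))
```

The regex bounds the length of the digit string, so the later range check only
ever sees small integers, and the strip/parse steps run only after the whole
value has matched the numeric grammar.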

CVE-2020-28463

    Karan Bamal discovered a Server-side Request Forgery (SSRF)
    vulnerability via ‘<img>’ tags.  New settings ‘trustedSchemes’ and
    ‘trustedHosts’ have been added as part of the fix/mitigation: they
    can be used to specify an explicit allowlist for remote sources.
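The point of ‘trustedSchemes’ and ‘trustedHosts’ is that remote image sources
are denied unless explicitly listed. The code below is an added example of such
an allowlist check, written for this bulletin; it is not reportlab's
implementation, and the function is_trusted_source, its matching rules (scheme
compared case-insensitively, host compared against exact names or
fnmatch-style patterns, an empty list admitting nothing) and the sample URLs
are all assumptions made here. The two configurations show the weak setting
beside the corrected one.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List
from urllib.parse import urlsplit


def is_trusted_source(src: str, trusted_schemes: Iterable[str],
                      trusted_hosts: Iterable[str]) -> bool:
    """Allowlist check for a remote <img src="..."> reference.

    Deny by default: an empty allowlist admits nothing. (Hypothetical
    semantics chosen for this example, not reportlab's own.)
    """
    schemes = {s.lower() for s in trusted_schemes}
    patterns = [h.lower() for h in trusted_hosts]
    parts = urlsplit(src)
    # A reference without an explicit scheme is refused here rather than
    # resolved by whatever default the renderer would apply.
    if not parts.scheme or parts.scheme.lower() not in schemes:
        return False
    # urlsplit().hostname drops userinfo ('name@') and the port and lowercases,
    # so 'https://assets.example.com@other.example/x' is judged by 'other.example'.
    host = parts.hostname
    if not host:
        return False
    return any(fnmatchcase(host, pattern) for pattern in patterns)


def check_image_sources(sources: Iterable[str], schemes: Iterable[str],
                        hosts: Iterable[str]) -> List[str]:
    """Return the subset of sources the allowlist would admit."""
    return [s for s in sources if is_trusted_source(s, schemes, hosts)]


# Weak configuration: every scheme and every host is admitted, which leaves the
# document author free to make the renderer fetch arbitrary URLs.
WEAK_SCHEMES = ["http", "https", "file", "ftp"]
WEAK_HOSTS = ["*"]

# Hardened configuration: TLS only, one explicitly named asset host.
HARDENED_SCHEMES = ["https"]
HARDENED_HOSTS = ["assets.example.com"]

# Constructed <img src> values as they might appear in untrusted markup.
SAMPLE_SOURCES = [
    "https://assets.example.com/logo.png",
    "http://assets.example.com/logo.png",
    "https://internal.example.com/status",
    "https://assets.example.com@other.example/logo.png",
    "https://ASSETS.example.com/banner.png",
]

if __name__ == "__main__":
    print("weak    :", check_image_sources(SAMPLE_SOURCES, WEAK_SCHEMES, WEAK_HOSTS))
    print("hardened:", check_image_sources(SAMPLE_SOURCES, HARDENED_SCHEMES, HARDENED_HOSTS))
```

Matching on the parsed hostname rather than on the raw string is what makes the
userinfo case come out right: the allowlisted name appearing somewhere inside
the URL is not enough, only the host that would actually be contacted counts.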

For Debian 10 buster, these problems have been fixed in version
3.5.13-1+deb10u2.

We recommend that you upgrade your python-reportlab packages.

For the detailed security status of python-reportlab please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-reportlab

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----