===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0051
                          pillow security update
                              7 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pillow
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5313 CVE-2020-5312 CVE-2019-19911

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2057

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : pillow
Version        : 2.6.1-2+deb8u4
CVE IDs        : CVE-2019-19911 CVE-2020-5312 CVE-2020-5313
Debian Bug     : #948224

It was discovered that there were three vulnerabilities in Pillow, an
imaging library for the Python programming language:

  * CVE-2019-19911: Prevent a denial-of-service vulnerability caused
    by FpxImagePlugin.py calling the range function on an unvalidated
    32-bit integer if the number of bands is large.

  * CVE-2020-5312: PCX "P mode" buffer overflow.

  * CVE-2020-5313: FLI buffer overflow.

For Debian 8 "Jessie", these issues have been fixed in pillow version
2.6.1-2+deb8u4.

We recommend that you upgrade your pillow packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Regards,

Chris Lamb
lamby@debian.org / chris-lamb.co.uk

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
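
The CVE-2019-19911 entry in the bulletin above describes a loop bound taken from an unvalidated 32-bit integer. The following is an added example, not part of the bulletin and not Pillow's code, showing that pattern beside a bounded version. The header layout, the MAX_BANDS cap and all function names are assumptions made for illustration.

```python
import struct

MAX_BANDS = 4  # assumed cap for this example: a pixel has only a few bands


def _band_count(blob):
    # Constructed layout (not the real FPX format): bytes 4..7 hold an
    # unsigned 32-bit little-endian band count, band entries follow at 8.
    if len(blob) < 8:
        raise ValueError("truncated header")
    return struct.unpack_from("<I", blob, 4)[0]


def parse_bands_unchecked(blob):
    """Vulnerable pattern: the file-supplied count sizes the work directly."""
    bands = _band_count(blob)
    # Python 2's range() built the whole list up front; list() mirrors that
    # here. A count of 0xFFFFFFFF requests about 4 billion entries before a
    # single band entry has been read.
    indexes = list(range(bands))
    return [struct.unpack_from("<I", blob, 8 + 4 * i)[0] for i in indexes]


def parse_bands_checked(blob):
    """Hardened form: cap the count, then check it against the bytes present."""
    bands = _band_count(blob)
    if bands > MAX_BANDS:
        raise ValueError("invalid number of bands: %d" % bands)
    if len(blob) < 8 + 4 * bands:
        raise ValueError("band table truncated")
    return [struct.unpack_from("<I", blob, 8 + 4 * i)[0] for i in range(bands)]


def rejects(blob):
    """True when the hardened parser refuses the input."""
    try:
        parse_bands_checked(blob)
    except ValueError:
        return True
    return False


# Constructed sample inputs for this example.
GOOD = struct.pack("<II3I", 0, 3, 10, 20, 30)   # 3 bands, all present
OVERSIZED = struct.pack("<II", 0, 0xFFFFFFFF)   # count far above the cap
TRUNCATED = struct.pack("<II", 0, 2)            # count exceeds the data

if __name__ == "__main__":
    print(parse_bands_checked(GOOD), rejects(OVERSIZED), rejects(TRUNCATED))
```

The unchecked function is only safe to call on well-formed input such as GOOD; the checked one fails fast on both the oversized and the truncated header.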