[Git][security-tracker-team/security-tracker][master] pillow, pysaml DSAs
Moritz Muehlenhoff
jmm at debian.org
Fri Feb 21 20:13:20 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0f603273 by Moritz Muehlenhoff at 2020-02-21T21:13:03+01:00
pillow, pysaml DSAs
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -8865,11 +8865,13 @@ CVE-2020-5312 (libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode bu
NOTE: https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd (6.2.2)
CVE-2020-5311 (libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer ove ...)
- pillow 7.0.0-1 (bug #948224)
+ [buster] - pillow 5.4.1-2+deb10u1
[stretch] - pillow <not-affected> (Vulnerable code not present)
[jessie] - pillow <not-affected> (The vulnerable code was introduced later)
NOTE: https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 (6.2.2)
CVE-2020-5310 (libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding int ...)
- pillow 7.0.0-1 (bug #948224)
+ [stretch] - pillow <not-affected> (Vulnerable code not present)
[jessie] - pillow <not-affected> (The vulnerable code was introduced later)
NOTE: Introduced by: https://github.com/python-pillow/Pillow/commit/f0436a4ddc954541fa10a531e2d9ea0c5ae2065d (5.3.0)
NOTE: and https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f (6.0.0)
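Review bot: the new buster line for CVE-2020-5311 records the fix as pillow 5.4.1-2+deb10u1, the same upload that DSA-4631-1 in this commit credits for buster, yet that DSA's CVE set is {CVE-2019-19911 CVE-2020-5312 CVE-2020-5313}; if the CVE-2020-5311 fix shipped in that upload it should be added to the DSA's CVE list, otherwise the buster line needs a different explanation. Separately, CVE-2020-5310 gains only a stretch not-affected line and leaves buster unstated, while its NOTE says the vulnerable code came in with the 5.3.0 and 6.0.0 commits, so whether buster's 5.4.1 is affected hinges on which of those two commits is required and deserves an explicit entry either way.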
@@ -28804,7 +28806,8 @@ CVE-2015-9409 (The alo-easymail plugin before 2.6.01 for WordPress has CSRF with
NOT-FOR-US: Wordpress plugin
CVE-2019-16865 (An issue was discovered in Pillow before 6.2.0. When reading specially ...)
- pillow 6.2.0-1 (low)
- [stretch] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u1
+ [stretch] - pillow <ignored> (Minor issue, too intrusive to backport)
[jessie] - pillow <no-dsa> (Risk of regressions is too high)
- python-imaging <removed>
NOTE: https://github.com/python-pillow/Pillow/commit/b36c1bc943d554ba223086c7efb502d080f73905
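Review bot: the stretch status for CVE-2019-16865 changes from <no-dsa> (Minor issue) to <ignored> (Minor issue, too intrusive to backport) in the same commit that issues DSA-4631-1 for stretch pillow (4.0.0-4+deb9u1), so the justification should make clear this issue was deliberately left out of that upload; the new buster fix version 5.4.1-2+deb10u1 likewise matches the DSA upload while CVE-2019-16865 is absent from the DSA's CVE set, which looks like the same omission as for CVE-2020-5311.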
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,11 @@
+[21 Feb 2020] DSA-4631-1 pillow - security update
+ {CVE-2019-19911 CVE-2020-5312 CVE-2020-5313}
+ [stretch] - pillow 4.0.0-4+deb9u1
+ [buster] - pillow 5.4.1-2+deb10u1
+[21 Feb 2020] DSA-4630-1 python-pysaml2 - security update
+ {CVE-2020-5390}
+ [stretch] - python-pysaml2 3.0.0-5+deb9u1
+ [buster] - python-pysaml2 4.5.0-4+deb10u1
[19 Feb 2020] DSA-4629-1 python-django - security update
{CVE-2020-7471}
[stretch] - python-django 1:1.10.7-2+deb9u8
=====================================
data/dsa-needed.txt
=====================================
@@ -32,17 +32,12 @@ nodejs
nss/oldstable (jmm)
Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508
--
-pillow (jmm)
---
poppler (jmm)
--
ppp (carnil)
--
python-reportlab (hle)
--
-python-pysaml2 (jmm)
- Maintainer prepared an update for buster
---
smarty3/oldstable
--
squid3/oldstable
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f6032739ec517025f0a145ffe147226c05d2846
--
You're receiving this email because of your account on salsa.debian.org.