[Git][security-tracker-team/security-tracker][master] Reserve DLA-3768-1 for pillow

Sean Whitton (@spwhitton) spwhitton at debian.org
Fri Mar 22 09:56:25 GMT 2024 


Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dd5e8d59 by Sean Whitton at 2024-03-22T17:56:10+08:00
Reserve DLA-3768-1 for pillow

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -28595,7 +28595,6 @@ CVE-2023-44271 (An issue was discovered in Pillow before 10.0.0. It is a Denial
 	- pillow 10.0.0-1
 	[bookworm] - pillow <no-dsa> (Minor issue)
 	[bullseye] - pillow <no-dsa> (Minor issue)
-	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/pull/7244
 	NOTE: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 (10.0.0)
 CVE-2023-43982 (Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovere ...)
@@ -226035,7 +226034,6 @@ CVE-2021-23438 (This affects the package mpath before 0.8.4. A type confusion vu
 CVE-2021-23437 (The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Ex ...)
 	- pillow 8.3.2-1
 	[bullseye] - pillow <no-dsa> (Minor issue)
-	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <postponed> (Minor issue, can be fixed in the next DLA)
 	NOTE: https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
 	NOTE: https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[22 Mar 2024] DLA-3768-1 pillow - security update
+	{CVE-2021-23437 CVE-2022-22817 CVE-2023-44271}
+	[buster] - pillow 5.4.1-2+deb10u5
 [20 Mar 2024] DLA-3767-1 imagemagick - security update
 	{CVE-2022-48541}
 	[buster] - imagemagick 8:6.9.10.23+dfsg-2.1+deb10u7


=====================================
data/dla-needed.txt
=====================================
@@ -211,10 +211,6 @@ pdns-recursor (dleidert)
   NOTE: 20240306: Added by Front-Desk (opal)
   NOTE: 20240319: Upload postponed due to #1067124 (dleidert)
 --
-pillow (Sean)
-  NOTE: 20240321: Added by Front-Desk (ta)
-  NOTE: 20240321: follow-up fix to CVE-2022-22817 discussed in ELA-1059-1
---
 putty
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd5e8d59a6dcdbff7cf9afda00512cf90e8b3864

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd5e8d59a6dcdbff7cf9afda00512cf90e8b3864
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240322/124c89f2/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list