[Git][security-tracker-team/security-tracker][master] Reserve DLA-4462-1 for pillow

Sun Feb 1 03:16:59 GMT 2026


Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6942342e by Daniel Leidert at 2026-02-01T04:16:45+01:00
Reserve DLA-4462-1 for pillow

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -312332,7 +312332,6 @@ CVE-2022-45199 (Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL
 	NOTE: https://github.com/python-pillow/Pillow/pull/6700
 CVE-2022-45198 (Pillow before 9.2.0 performs Improper Handling of Highly Compressed GI ...)
 	- pillow 9.2.0-1
-	[bullseye] - pillow <no-dsa> (Minor issue)
 	[buster] - pillow <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4 (9.2.0)
 	NOTE: https://github.com/python-pillow/Pillow/pull/6402
@@ -374675,7 +374674,6 @@ CVE-2022-24304
 	REJECTED
 CVE-2022-24303 (Pillow before 9.0.1 allows attackers to delete files because spaces in ...)
 	- pillow 9.0.1-1
-	[bullseye] - pillow <ignored> (Minor issue)
 	[buster] - pillow <ignored> (Minor issue)
 	[stretch] - pillow <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2052682
@@ -446076,7 +446074,6 @@ CVE-2021-23438 (This affects the package mpath before 0.8.4. A type confusion vu
 CVE-2021-23437 (The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Ex ...)
 	{DLA-3768-1}
 	- pillow 8.3.2-1
-	[bullseye] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <postponed> (Minor issue, can be fixed in the next DLA)
 	NOTE: https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
 	NOTE: https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[01 Feb 2026] DLA-4462-1 pillow - security update
+	{CVE-2021-23437 CVE-2022-24303 CVE-2022-45198}
+	[bullseye] - pillow 8.1.2+dfsg-0.3+deb11u3
 [01 Feb 2026] DLA-4461-1 python-tornado - security update
 	{CVE-2025-67724 CVE-2025-67725 CVE-2025-67726}
 	[bullseye] - python-tornado 6.1.0-1+deb11u3


=====================================
data/dla-needed.txt
=====================================
@@ -323,10 +323,6 @@ php-laravel-framework
   NOTE: 20251027: tests is required to prevent regressions, but I could not get the upstream
   NOTE: 20251027: test suite to work. It is not exercised as part of Debian packages build. (paride)
 --
-pillow (dleidert)
-  NOTE: 20251206: Added by Front-Desk. Avoid a regression from buster (rouca)
-  NOTE: 20251222: WIP (dleidert)
---
 pyasn1 (utkarsh)
   NOTE: 20260119: Added by Front-Desk (dleidert)
   NOTE: 20260119: Follow DSA and maybe help the security team here (dleidert)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6942342ef541de77a440a4e59322d2d79b6f5b2f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6942342ef541de77a440a4e59322d2d79b6f5b2f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260201/68d5fe06/attachment-0001.htm>
