Daniel Leidert pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
6942342e by Daniel Leidert at 2026-02-01T04:16:45+01:00
Reserve DLA-4462-1 for pillow
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -312332,7 +312332,6 @@ CVE-2022-45199 (Pillow before 9.3.0 allows denial of
service via SAMPLESPERPIXEL
NOTE: https://github.com/python-pillow/Pillow/pull/6700
CVE-2022-45198 (Pillow before 9.2.0 performs Improper Handling of Highly
Compressed GI ...)
- pillow 9.2.0-1
- [bullseye] - pillow <no-dsa> (Minor issue)
[buster] - pillow <not-affected> (Vulnerable code not present)
NOTE:
https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4
(9.2.0)
NOTE: https://github.com/python-pillow/Pillow/pull/6402
@@ -374675,7 +374674,6 @@ CVE-2022-24304
REJECTED
CVE-2022-24303 (Pillow before 9.0.1 allows attackers to delete files because
spaces in ...)
- pillow 9.0.1-1
- [bullseye] - pillow <ignored> (Minor issue)
[buster] - pillow <ignored> (Minor issue)
[stretch] - pillow <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2052682
@@ -446076,7 +446074,6 @@ CVE-2021-23438 (This affects the package mpath before
0.8.4. A type confusion vu
CVE-2021-23437 (The package pillow 5.2.0 and before 8.3.2 are vulnerable to
Regular Ex ...)
{DLA-3768-1}
- pillow 8.3.2-1
- [bullseye] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <postponed> (Minor issue, can be fixed in the next
DLA)
NOTE:
https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
NOTE: https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[01 Feb 2026] DLA-4462-1 pillow - security update
+ {CVE-2021-23437 CVE-2022-24303 CVE-2022-45198}
+ [bullseye] - pillow 8.1.2+dfsg-0.3+deb11u3
[01 Feb 2026] DLA-4461-1 python-tornado - security update
{CVE-2025-67724 CVE-2025-67725 CVE-2025-67726}
[bullseye] - python-tornado 6.1.0-1+deb11u3
=====================================
data/dla-needed.txt
=====================================
@@ -323,10 +323,6 @@ php-laravel-framework
NOTE: 20251027: tests is required to prevent regressions, but I could not
get the upstream
NOTE: 20251027: test suite to work. It is not exercised as part of Debian
packages build. (paride)
--
-pillow (dleidert)
- NOTE: 20251206: Added by Front-Desk. Avoid a regression from buster (rouca)
- NOTE: 20251222: WIP (dleidert)
---
pyasn1 (utkarsh)
NOTE: 20260119: Added by Front-Desk (dleidert)
NOTE: 20260119: Follow DSA and maybe help the security team here (dleidert)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6942342ef541de77a440a4e59322d2d79b6f5b2f
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6942342ef541de77a440a4e59322d2d79b6f5b2f
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
