[SECURITY] [DLA 3724-1] pillow security update

2024-01-2920:03:58

lists.debian.org

pillow

python

vulnerability

code execution

debian lts

debian 10 buster

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.2%

JSON

Debian LTS Advisory DLA-3724-1 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
January 29, 2024 https://wiki.debian.org/LTS

Package : pillow
Version : 5.4.1-2+deb10u4
CVE ID : CVE-2023-50447
Debian Bug : 1061172

It was discovered that there was a potential arbitrary code execution
vulnerability in pillow, a popular library for manipulating images
used by Python applications.

For Debian 10 buster, this problem has been fixed in version
5.4.1-2+deb10u4.

We recommend that you upgrade your pillow packages.

For the detailed security status of pillow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pillow

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian12i386python3-pil< 9.4.0-1.1+deb12u1python3-pil_9.4.0-1.1+deb12u1_i386.deb
Debian12mipselpython3-pil.imagetk-dbgsym< 9.4.0-1.1+deb12u1python3-pil.imagetk-dbgsym_9.4.0-1.1+deb12u1_mipsel.deb
Debian12arm64python3-pil.imagetk< 9.4.0-1.1+deb12u1python3-pil.imagetk_9.4.0-1.1+deb12u1_arm64.deb
Debian10allpython-pil-doc< 5.4.1-2+deb10u4python-pil-doc_5.4.1-2+deb10u4_all.deb
Debian12armelpython3-pil.imagetk-dbgsym< 9.4.0-1.1+deb12u1python3-pil.imagetk-dbgsym_9.4.0-1.1+deb12u1_armel.deb
Debian12mips64elpython3-pil.imagetk< 9.4.0-1.1+deb12u1python3-pil.imagetk_9.4.0-1.1+deb12u1_mips64el.deb
Debian12arm64python3-pil-dbgsym< 9.4.0-1.1+deb12u1python3-pil-dbgsym_9.4.0-1.1+deb12u1_arm64.deb
Debian12i386python3-pil-dbgsym< 9.4.0-1.1+deb12u1python3-pil-dbgsym_9.4.0-1.1+deb12u1_i386.deb
Debian12mipselpython3-pil-dbgsym< 9.4.0-1.1+deb12u1python3-pil-dbgsym_9.4.0-1.1+deb12u1_mipsel.deb
Debian10arm64python-pil-dbg< 5.4.1-2+deb10u4python-pil-dbg_5.4.1-2+deb10u4_arm64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	i386	python3-pil	< 9.4.0-1.1+deb12u1	python3-pil_9.4.0-1.1+deb12u1_i386.deb
Debian	12	mipsel	python3-pil.imagetk-dbgsym	< 9.4.0-1.1+deb12u1	python3-pil.imagetk-dbgsym_9.4.0-1.1+deb12u1_mipsel.deb
Debian	12	arm64	python3-pil.imagetk	< 9.4.0-1.1+deb12u1	python3-pil.imagetk_9.4.0-1.1+deb12u1_arm64.deb
Debian	10	all	python-pil-doc	< 5.4.1-2+deb10u4	python-pil-doc_5.4.1-2+deb10u4_all.deb
Debian	12	armel	python3-pil.imagetk-dbgsym	< 9.4.0-1.1+deb12u1	python3-pil.imagetk-dbgsym_9.4.0-1.1+deb12u1_armel.deb
Debian	12	mips64el	python3-pil.imagetk	< 9.4.0-1.1+deb12u1	python3-pil.imagetk_9.4.0-1.1+deb12u1_mips64el.deb
Debian	12	arm64	python3-pil-dbgsym	< 9.4.0-1.1+deb12u1	python3-pil-dbgsym_9.4.0-1.1+deb12u1_arm64.deb
Debian	12	i386	python3-pil-dbgsym	< 9.4.0-1.1+deb12u1	python3-pil-dbgsym_9.4.0-1.1+deb12u1_i386.deb
Debian	12	mipsel	python3-pil-dbgsym	< 9.4.0-1.1+deb12u1	python3-pil-dbgsym_9.4.0-1.1+deb12u1_mipsel.deb
Debian	10	arm64	python-pil-dbg	< 5.4.1-2+deb10u4	python-pil-dbg_5.4.1-2+deb10u4_arm64.deb