Bugzilla – Bug 1190229
VUL-0: CVE-2021-23437: python-Pillow: Regular Expression Denial of Service (ReDoS) via the getrgb function
Last modified: 2024-06-13 12:36:33 UTC
The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23437 http://www.cvedetails.com/cve/CVE-2021-23437/ https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23437 https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
Affected packages: - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Pillow 4.2.1 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Pillow 5.2.0 - openSUSE:Backports:SLE-15-SP2/python-Pillow 5.0.0 - openSUSE:Backports:SLE-15-SP3/python-Pillow 7.2.0 - openSUSE:Backports:SLE-15-SP4/python-Pillow 7.2.0 - openSUSE:Factory/python-Pillow 8.3.1 Upstream patch: https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
SUSE-SU-2021:3234-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1190229 CVE References: CVE-2021-23437 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 8 (src): python-Pillow-4.2.1-3.20.2 SUSE OpenStack Cloud 8 (src): python-Pillow-4.2.1-3.20.2 HPE Helion Openstack 8 (src): python-Pillow-4.2.1-3.20.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:3235-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1190229 CVE References: CVE-2021-23437 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): python-Pillow-5.2.0-3.14.1 SUSE OpenStack Cloud 9 (src): python-Pillow-5.2.0-3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Solution for the affected SOC versions delivered. Back to Security team.
SUSE-SU-2024:1673-1: An update that solves 12 vulnerabilities can now be installed. Category: security (critical) Bug References: 1180833, 1183101, 1183102, 1183103, 1183105, 1183107, 1183108, 1183110, 1188574, 1190229, 1194551, 1194552 CVE References: CVE-2020-35654, CVE-2021-23437, CVE-2021-25289, CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921, CVE-2021-27922, CVE-2021-27923, CVE-2021-34552, CVE-2022-22815, CVE-2022-22816 Maintenance Incident: [SUSE:Maintenance:33871](https://smelt.suse.de/incident/33871/) Sources used: openSUSE Leap 15.3 (src): python-Pillow-7.2.0-150300.3.15.1 openSUSE Leap 15.5 (src): python-Pillow-7.2.0-150300.3.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1673-2: An update that solves 12 vulnerabilities can now be installed. Category: security (critical) Bug References: 1180833, 1183101, 1183102, 1183103, 1183105, 1183107, 1183108, 1183110, 1188574, 1190229, 1194551, 1194552 CVE References: CVE-2020-35654, CVE-2021-23437, CVE-2021-25289, CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921, CVE-2021-27922, CVE-2021-27923, CVE-2021-34552, CVE-2022-22815, CVE-2022-22816 Maintenance Incident: [SUSE:Maintenance:33871](https://smelt.suse.de/incident/33871/) Sources used: SUSE Package Hub 15 15-SP6 (src): python-Pillow-7.2.0-150300.3.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.