Bug 1190229 - (CVE-2021-23437) VUL-0: CVE-2021-23437: python-Pillow: Regular Expression Denial of Service (ReDoS) via the getrgb function
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/309103/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-23437:7.5:(AV:...
Depends on:
Blocks:
Reported: 2021-09-06 14:13 UTC by Gabriele Sonnu
Modified: 2021-11-10 09:23 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Gabriele Sonnu 2021-09-06 14:14:07 UTC
Affected packages:

 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Pillow  4.2.1
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Pillow  5.2.0
 - openSUSE:Backports:SLE-15-SP2/python-Pillow                  5.0.0
 - openSUSE:Backports:SLE-15-SP3/python-Pillow                  7.2.0
 - openSUSE:Backports:SLE-15-SP4/python-Pillow                  7.2.0
 - openSUSE:Factory/python-Pillow                               8.3.1

Upstream patch:

https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
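The comment above lists the affected package versions and the upstream patch but does not show what the bug looks like or why the upstream remedy works. The following is an added example written for this page, not code from Pillow or from the reporter. It uses a stand-in colour-string regex of the same shape as a getrgb-style "hsl(h, s%, l%)" matcher (constructed here, not copied from Pillow's source) to show the superlinear backtracking an unterminated digit run triggers, beside the hardened form that rejects over-long specifiers before any regex runs. The 100-character bound is taken from the upstream Pillow 8.3.2 fix, which is not quoted on this page, so treat it as an assumption; the parser names, `redos_input` and `time_unbounded` are hypothetical helpers.

```python
import re
import time

# Stand-in colour-string pattern (constructed for this example; not Pillow's source).
# It has the same shape as an "hsl(h, s%, l%)" matcher: each `\d+\.?\d*` group is
# ambiguous on a long run of digits, so on input that never reaches the "," the
# engine tries O(n^2) ways to split the run between `\d+` and `\d*` before failing.
HSL_RE = re.compile(r"hsl\(\s*(\d+\.?\d*)\s*,\s*(\d+\.?\d*)%\s*,\s*(\d+\.?\d*)%\s*\)$")

# Assumption: the upstream Pillow 8.3.2 fix rejects specifiers longer than
# 100 characters. The bound comes from the upstream release, not from this report.
MAX_COLOR_LEN = 100


def parse_hsl_unbounded(color):
    """Vulnerable shape: the regex runs over the whole string, whatever its length."""
    m = HSL_RE.match(color)
    if m is None:
        raise ValueError(f"unknown color specifier: {color[:20]!r}...")
    return tuple(float(g) for g in m.groups())


def parse_hsl_bounded(color):
    """Hardened shape: bound the input length before any regex touches it."""
    if len(color) > MAX_COLOR_LEN:
        raise ValueError("color specifier is too long")
    return parse_hsl_unbounded(color)


def is_rejected_by_length(color):
    """True only when the length check, not the regex, rejected the input."""
    try:
        parse_hsl_bounded(color)
    except ValueError as exc:
        return str(exc) == "color specifier is too long"
    return False


def redos_input(n):
    """Constructed attacker input: an open 'hsl(' followed by n digits and no terminator."""
    return "hsl(" + "1" * n


def time_unbounded(n):
    """Seconds the unbounded parser spends rejecting redos_input(n); grows ~quadratically."""
    s = redos_input(n)
    t0 = time.perf_counter()
    try:
        parse_hsl_unbounded(s)
    except ValueError:
        pass
    return time.perf_counter() - t0


if __name__ == "__main__":
    print(parse_hsl_bounded("hsl(120, 50%, 25%)"))
    # Doubling n roughly quadruples the time for the unbounded parser.
    for n in (1000, 2000, 4000, 8000):
        print(f"n={n:5d}  unbounded parser: {time_unbounded(n):.3f}s")
    # The bounded parser fails the same input in constant time, before the regex runs.
    print("bounded parser rejects 8000-char input by length:",
          is_rejected_by_length(redos_input(8000)))
```

The point of the bounded variant is where the check sits: a length test on the raw string is O(1) and independent of the regex, so no pattern change is needed to close the amplification, and any caller that already validates colour strings against a fixed grammar can apply the same cap. An input of exactly 100 characters still reaches the regex and is rejected as an unknown specifier rather than by length, which is the behaviour `is_rejected_by_length` distinguishes.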
Comment 4 Swamp Workflow Management 2021-09-27 19:23:18 UTC
SUSE-SU-2021:3234-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1190229
CVE References: CVE-2021-23437
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Pillow-4.2.1-3.20.2
SUSE OpenStack Cloud 8 (src):    python-Pillow-4.2.1-3.20.2
HPE Helion Openstack 8 (src):    python-Pillow-4.2.1-3.20.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-09-27 19:24:27 UTC
SUSE-SU-2021:3235-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1190229
CVE References: CVE-2021-23437
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Pillow-5.2.0-3.14.1
SUSE OpenStack Cloud 9 (src):    python-Pillow-5.2.0-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Christian Almeida de Oliveira 2021-11-10 09:23:10 UTC
Solution for the affected SOC versions delivered. Back to Security team.