Security update for python-Pillow SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:3234-1 Final 1 1 2021-09-27T14:36:34Z current 2021-09-27T14:36:34Z 2021-09-27T14:36:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Pillow This update for python-Pillow fixes the following issues: - CVE-2021-23437: Fixed regular expression denial of service (ReDoS) via the getrgb function (bsc#1190229). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). HPE-Helion-OpenStack-8-2021-3234,SUSE-2021-3234,SUSE-OpenStack-Cloud-8-2021-3234,SUSE-OpenStack-Cloud-Crowbar-8-2021-3234 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20213234-1/ Link for SUSE-SU-2021:3234-1 https://lists.suse.com/pipermail/sle-security-updates/2021-September/009513.html E-Mail link for SUSE-SU-2021:3234-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1190229 SUSE Bug 1190229 https://www.suse.com/security/cve/CVE-2021-23437/ SUSE CVE CVE-2021-23437 page HPE Helion OpenStack 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8 python-Pillow-4.2.1-3.20.2 python3-Pillow-4.2.1-3.20.2 python-Pillow-4.2.1-3.20.2 as a component of HPE Helion OpenStack 8 python-Pillow-4.2.1-3.20.2 as a component of SUSE OpenStack Cloud 8 python-Pillow-4.2.1-3.20.2 as a component of SUSE OpenStack Cloud Crowbar 8 The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. CVE-2021-23437 HPE Helion OpenStack 8:python-Pillow-4.2.1-3.20.2 SUSE OpenStack Cloud 8:python-Pillow-4.2.1-3.20.2 SUSE OpenStack Cloud Crowbar 8:python-Pillow-4.2.1-3.20.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20213234-1/ https://www.suse.com/security/cve/CVE-2021-23437.html CVE-2021-23437 https://bugzilla.suse.com/1190229 SUSE Bug 1190229