Security update for python-Pillow
SUSE Security Update: Security update for python-Pillow
| Announcement ID: | SUSE-SU-2015:0777-1 |
| Rating: | moderate |
| References: | #921566 |
| Affected Products: |
An update that fixes 5 vulnerabilities is now available. It includes one version update.
Description:
python-pillow has been updated to 2.7.0 to fix three security issues.
The following vulnerabilities have been fixed:
- CVE-2014-9601: Remote attackers could have caused a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.
- CVE-2014-3598: Remote attackers could have caused a denial of service using specially crafted image files via Jpeg2KImagePlugin.
- CVE-2014-3589: Remote attackers could have caused a denial of service using specially crafted image files via IcnsImagePlugin.
- CVE-2014-1932: A local user could have overwritten arbitrary files and obtain sensitive information via a symlink attack on the temporary file.
- CVE-2014-1933: A local user could have gained information helpful for symlink attacks by listing process information which uses the names of temporary files on the command line.
Security Issues:
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Cloud 5:
zypper in -t patch sleclo50sp3-python-Pillow=10630
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Cloud 5 (x86_64) [New Version: 2.7.0]:
- python-Pillow-2.7.0-0.7.1
References:
- https://www.suse.com/security/cve/CVE-2014-1932.html
- https://www.suse.com/security/cve/CVE-2014-1933.html
- https://www.suse.com/security/cve/CVE-2014-3589.html
- https://www.suse.com/security/cve/CVE-2014-3598.html
- https://www.suse.com/security/cve/CVE-2014-9601.html
- https://bugzilla.suse.com/921566
- https://download.suse.com/patch/finder/?keywords=acbb43326b3ecd6dec41437a7b4202ac