Debian 10262 Published by

A pillow security update has been released for Debian GNU/Linux 8 Extended LTS to address multiple vulnerabilities.



ELA-383-1 pillow security update

Package pillow
Version 2.6.1-2+deb8u6
Related CVEs CVE-2020-35653 CVE-2021-25290

Multiple vulnerabilities were discovered in Pillow, a Python Imaging Library. An attacker could cause a denial-of-service (DoS) with crafted image files.

CVE-2020-35653

PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

CVE-2021-25290

In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

For Debian 8 jessie, these problems have been fixed in version 2.6.1-2+deb8u6.

We recommend that you upgrade your pillow packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-383-1 pillow security update