| Summary: | <dev-python/pillow-7.2.0: Multiple vulnerabilities (CVE-2020-{11538,10994,10379,10378,10177}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | mgorny, python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 717538, 732396, 732462, 743535, 763210 | | |
| Bug Blocks: | | | |
Description
Sam James
2020-06-25 22:44:58 UTC
Need to bump to 6.2.3 at least, but 7.1.2 is fine.

(In reply to Sam James (sec padawan) from comment #1)
> Need to bump to 6.2.3 at least, but 7.1.2 is fine.

I don't see any 6.2.3 release. Let's stabilize what we have first.

(In reply to Michał Górny from comment #2)
> (In reply to Sam James (sec padawan) from comment #1)
> > Need to bump to 6.2.3 at least, but 7.1.2 is fine.
>
> I don't see any 6.2.3 release.

My fault. Don't trust CVE text, ever. Sorry!

There is 6.2.x branch upstream but I don't see any new commits after 6.2.2. I don't think they're going to fix it there, so I guess another urgent py2 cleanup.

Doesn't look that bad:
https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856

(In reply to Michał Górny from comment #5)
> There is 6.2.x branch upstream but I don't see any new commits after 6.2.2.
> I don't think they're going to fix it there, so I guess another urgent py2
> cleanup.

Yeah.. I was worried about this. We can backport it but what's the point?

(In reply to Michał Górny from comment #6)
> Doesn't look that bad:
> https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856

Scipy will be the ugly one.

> (In reply to Michał Górny from comment #6)
> > Doesn't look that bad:
> > https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
>
> Scipy will be the ugly one.

Actually, nvm!

arm64 stable

arm stable

amd64 done

x86 stable

Unable to check for sanity:

> dependent bug #732462 is missing keywords

All sanity-check issues have been resolved

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cdabc307639bd105b7da526dddfef6fdf6f99e6

commit 1cdabc307639bd105b7da526dddfef6fdf6f99e6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 11:27:02 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 11:28:42 +0000

    package.mask: Last rite mid-profile <pillow-7 revdeps

    Bug: https://bugs.gentoo.org/729672
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/base/package.use.mask |  4 ++++
 profiles/package.mask          | 31 +++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

(In reply to Sam James from comment #7)
> (In reply to Michał Górny from comment #5)
> > There is 6.2.x branch upstream but I don't see any new commits after 6.2.2.
> > I don't think they're going to fix it there, so I guess another urgent py2
> > cleanup.
>
> Yeah.. I was worried about this. We can backport it but what's the point?
>
> (In reply to Michał Górny from comment #6)
> > Doesn't look that bad:
> > https://github.com/gentoo/gentoo/pull/16520#issuecomment-652192856
>
> Scipy will be the ugly one.

pillow for python 2.7 (i.e., < version 7) is still required for media-tv/kodi-18.7 (no scipy dep). Thus a patch on pillow-6.2.2 would be very much welcome. I guess kodi-18 will still be around for some time before 19 is released.

sparc stable

Unable to check for sanity:

> no match for package: dev-python/pillow-7.1.2

All sanity-check issues have been resolved

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acf1e47d617c6bfbec3c8b6a1f1c95bb0ebfedc3

commit acf1e47d617c6bfbec3c8b6a1f1c95bb0ebfedc3
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-11-10 10:19:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-11-10 10:21:05 +0000

    package.mask: Mask vulnerable dev-python/pillow and revdeps (kodi)

    Bug: https://bugs.gentoo.org/729672
    Bug: https://bugs.gentoo.org/717538
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a118277dadc83d19c50ff9628b4bc5bcfc0f4060

commit a118277dadc83d19c50ff9628b4bc5bcfc0f4060
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-11-19 19:51:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-11-19 19:51:14 +0000

    dev-python/pillow: Remove old

    Bug: https://bugs.gentoo.org/729672
    Closes: https://bugs.gentoo.org/717538
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pillow/Manifest            |  1 -
 dev-python/pillow/pillow-6.2.2.ebuild | 83 -----------------------------------
 2 files changed, 84 deletions(-)

Unable to check for sanity:

> no match for package: dev-python/pillow-7.2.0

noglsa (it's covered by the more recent one), cleanup done.