Apparently the CVE has not been published yet but the changelogs says: +- CVE-2021-23437 Raise ValueError if color specifier is too long + [hugovk, radarhere]
CVE says it's a ReDoS.
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=489350a86a27cbf30814583641081d7f76bad69a commit 489350a86a27cbf30814583641081d7f76bad69a Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-11-14 08:08:10 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-11-14 08:16:38 +0000 dev-python/pillow: Remove old Bug: https://bugs.gentoo.org/811450 Bug: https://bugs.gentoo.org/802090 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-python/pillow/Manifest | 3 -- dev-python/pillow/pillow-8.2.0.ebuild | 98 ----------------------------------- dev-python/pillow/pillow-8.3.0.ebuild | 98 ----------------------------------- dev-python/pillow/pillow-8.3.1.ebuild | 98 ----------------------------------- 4 files changed, 297 deletions(-)
Thanks!
There are new bugs affecting versions < 9.0.0: https://bugs.gentoo.org/830934
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118 commit 65e54c1c2d5aa2b4a2012ca5e8d6771961ac4118 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-11-22 03:53:26 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-22 03:59:40 +0000 [ GLSA 202211-10 ] Pillow: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/802090 Bug: https://bugs.gentoo.org/811450 Bug: https://bugs.gentoo.org/830934 Bug: https://bugs.gentoo.org/832598 Bug: https://bugs.gentoo.org/855683 Bug: https://bugs.gentoo.org/878769 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202211-10.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+)
GLSA released, all done!
