Apparently the CVE has not been published yet but the changelogs says: +- CVE-2021-23437 Raise ValueError if color specifier is too long + [hugovk, radarhere]
CVE says it's a ReDoS.
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=489350a86a27cbf30814583641081d7f76bad69a commit 489350a86a27cbf30814583641081d7f76bad69a Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-11-14 08:08:10 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-11-14 08:16:38 +0000 dev-python/pillow: Remove old Bug: https://bugs.gentoo.org/811450 Bug: https://bugs.gentoo.org/802090 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-python/pillow/Manifest | 3 -- dev-python/pillow/pillow-8.2.0.ebuild | 98 ----------------------------------- dev-python/pillow/pillow-8.3.0.ebuild | 98 ----------------------------------- dev-python/pillow/pillow-8.3.1.ebuild | 98 ----------------------------------- 4 files changed, 297 deletions(-)
Thanks!
There are new bugs affecting versions < 9.0.0: https://bugs.gentoo.org/830934