moderate: librabbitmq/python-pillow security update
moderate
An update for librabbitmq/python-pillow is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
librabbitmq: This is a C-language AMQP client library for use with v2.0+ of the RabbitMQ broker.
python-pillow: This package provides debug information for package python-pillow. Debug information is useful when developing applications that use this package or when debugging this package.
Security Fix(es):
librabbitmq: An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could return a malicious frame header that leads to a smaller target_size value than needed. This condition is then carried on to a memcpy function that copies too much data into a heap buffer.(CVE-2019-18609)
librabbitmq: bugfix
python-pillow: An out-of-bounds read was discovered in python-pillow in the way it decodes FLI images. An application that uses python-pillow to load untrusted images may be vulnerable to this flaw, which can allow an attacker to read the memory of the application they should be not allowed to read.(CVE-2020-5313)
python-pillow: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F11B5.