important: OpenEXR/python-requests security update
important
An update for OpenEXR/python-requests is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
OpenEXR:
python-requests:
Security Fix(es):
OpenEXR: An issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.(CVE-2024-31047)
OpenEXR: A vulnerability was found in the Academy Software Foundation OpenEXR and requires that a malicious EXR file image is parsed by the target device or environment using OpenEXR. This issue occurs due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, allowing a read or write primitive based on the provided EXR file attributes. This flaw could be used to read or write memory to a compromised device through an attacker-placed EXR image.(CVE-2023-5841)
OpenEXR: bugfix
python-requests: An incorrect control flow implementation vulnerability was found in Requests. If the first request in a session is made with verify=False, all subsequent requests to the same host will continue to ignore cert verification.(CVE-2024-35195)
python-requests: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.03B8.