Debian LTS: DLA-3590-1: python-reportlab security update
Summary
------------------------------------------------------------------------- Debian LTS Advisory DLA-3590-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin September 29, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : python-reportlab Version : 3.5.13-1+deb10u2 CVE ID : CVE-2019-19450 CVE-2020-28463 Security issues were discovered in python-reportlab, a Python library for generating PDFs and graphics, which could lead to remote code execution or authorization bypass. CVE-2019-19450 Ravi Prakash Giri discovered a remote code execution vulnerability via crafted XML document where â<unichar code="â is followed by arbitrary Python code. This issue is similar to CVE-2019-17626. CVE-2020-28463 Karan Bamal discovered a Server-side Request Forgery (SSRF) vulnerability via â<img>â tags. New settings âtrustedSchemesâ and âtrustedHostsâ have been added as part of the fix/mitigation: they can be used to specify an explicit allowlist for remote sources. For Debian 10 buster, these problems have been fixed in version 3.5.13-1+deb10u2. We recommend that you upgrade your python-reportlab packages. For the detailed security status of python-reportlab please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/python-reportlab Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS