PublicDateAtUSN: 2021-09-03 16:15:00 UTC
Candidate: CVE-2021-23437
PublicDate: 2021-09-03 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23437
 https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
 https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
 https://ubuntu.com/security/notices/USN-5227-1
 https://ubuntu.com/security/notices/USN-5227-2
Description:
 The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular
 Expression Denial of Service (ReDoS) via the getrgb function.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_pillow:
 upstream: https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
upstream_pillow: released (8.3.2)
trusty_pillow: ignored (out of standard support)
trusty/esm_pillow: released (2.3.0-1ubuntu3.4+esm3)
xenial_pillow: ignored (end of standard support, was needs-triage)
esm-infra/xenial_pillow: released (3.1.2-0ubuntu1.6+esm1)
bionic_pillow: released (5.1.0-1ubuntu0.7)
focal_pillow: released (7.0.0-4ubuntu0.5)
hirsute_pillow: released (8.1.2-1ubuntu0.2)
impish_pillow: released (8.1.2+dfsg-0.3ubuntu0.1)
jammy_pillow: released (9.0.0-1)
devel_pillow: released (9.0.0-1)

Patches_pillow-python2:
upstream_pillow-python2: needs-triage
trusty_pillow-python2: DNE
trusty/esm_pillow-python2: DNE
xenial_pillow-python2: DNE
bionic_pillow-python2: DNE
focal_pillow-python2: needs-triage
hirsute_pillow-python2: DNE
impish_pillow-python2: DNE
jammy_pillow-python2: DNE
devel_pillow-python2: DNE

Patches_python-imaging:
upstream_python-imaging:  needs-triage
trusty_python-imaging: DNE
trusty/esm_python-imaging: DNE
xenial_python-imaging: DNE
bionic_python-imaging: DNE
focal_python-imaging: DNE
hirsute_python-imaging: DNE
impish_python-imaging: DNE
jammy_python-imaging: DNE
devel_python-imaging: DNE