SUSE-SU-2015:0777-1: moderate: Security update for python-Pillow

Mon Apr 27 09:04:49 MDT 2015

   SUSE Security Update: Security update for python-Pillow
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0777-1
Rating:             moderate
References:         #921566 
Cross-References:   CVE-2014-1932 CVE-2014-1933 CVE-2014-3589
                    CVE-2014-3598 CVE-2014-9601
Affected Products:
                    SUSE Cloud 5
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available. It
   includes one version update.

Description:

   python-pillow has been updated to 2.7.0 to fix three security issues.

   The following vulnerabilities have been fixed:

       * CVE-2014-9601: Remote attackers could have caused a denial of
         service via a compressed text chunk in a PNG image that has a large
         size when it is decompressed.
       * CVE-2014-3598: Remote attackers could have caused a denial of
         service using specially crafted image files via Jpeg2KImagePlugin.
       * CVE-2014-3589: Remote attackers could have caused a denial of
         service using specially crafted image files via IcnsImagePlugin.
       * CVE-2014-1932: A local user could have overwritten arbitrary files
         and obtain sensitive information via a symlink attack on the
         temporary file.
       * CVE-2014-1933: A local user could have gained information helpful
         for symlink attacks by listing process information which uses the
         names
         of temporary files on the command line.

   Security Issues:

       * CVE-2014-9601
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601>
       * CVE-2014-3598
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3598>
       * CVE-2014-3589
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589>
       * CVE-2014-1932
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1932>
       * CVE-2014-1933
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933>

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 5:

      zypper in -t patch sleclo50sp3-python-Pillow=10630

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 5 (x86_64) [New Version: 2.7.0]:

      python-Pillow-2.7.0-0.7.1

References:

   https://www.suse.com/security/cve/CVE-2014-1932.html
   https://www.suse.com/security/cve/CVE-2014-1933.html
   https://www.suse.com/security/cve/CVE-2014-3589.html
   https://www.suse.com/security/cve/CVE-2014-3598.html
   https://www.suse.com/security/cve/CVE-2014-9601.html
   https://bugzilla.suse.com/921566
   https://download.suse.com/patch/finder/?keywords=acbb43326b3ecd6dec41437a7b4202ac