Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves one vulnerability can now be installed.. # Security update for python-Pillow Announcement ID: SUSE-SU-2026:21382-1 Release Date: 2026-04-22T21:45:29Z Rating: important References: * bsc#1262184 Cross-References: * CVE-2026-40192 CVSS scores: * CVE-2026-40192 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-40192 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40192 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-40192 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Enterprise Server 16.0 * SUSE Linux Enterprise Server for SAP applications 16.0 An update that solves one vulnerability can now be installed. ## Description: This update for python-Pillow fixes the following issue: * CVE-2026-40192: Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks (bsc#1262184). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server for SAP applications 16.0 zypper in -t patch SUSE-SLES-16.0-629=1 * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-629=1 ## Package List: * SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64) * python313-Pillow-debuginfo-11.3.0-160000.4.1 * python313-Pillow-tk-debuginfo-11.3.0-160000.4.1 * python313-Pillow-11.3.0-160000.4.1 * python-Pillow-debugsource-11.3.0-160000.4.1 *python313-Pillow-tk-11.3.0-160000.4.1 * python-Pillow-debuginfo-11.3.0-160000.4.1 * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64) * python313-Pillow-debuginfo-11.3.0-160000.4.1 * python313-Pillow-tk-debuginfo-11.3.0-160000.4.1 * python313-Pillow-11.3.0-160000.4.1 * python-Pillow-debugsource-11.3.0-160000.4.1 * python313-Pillow-tk-11.3.0-160000.4.1 * python-Pillow-debuginfo-11.3.0-160000.4.1 ## References: * https://www.suse.com/security/cve/CVE-2026-40192.html * https://bugzilla.suse.com/show_bug.cgi?id=1262184 . A critical security update for python-Pillow addressing CVE-2026-40192 to mitigate decompression bomb risks on SUSE.. SUSE Python Pillow Update, CVE-2026-40192 Fix, SUSE Security Advisory. . LinuxSecurity.com Team
An update that solves one vulnerability and has one bug fix can now be installed.. openSUSE security update: security update for python-pillow ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20617-1 Rating: important References: * bsc#1262184 Cross-References: * CVE-2026-40192 CVSS scores: * CVE-2026-40192 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40192 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves one vulnerability and has one bug fix can now be installed. Description: This update for python-Pillow fixes the following issue: - CVE-2026-40192: Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks (bsc#1262184). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-629=1 Package List: - openSUSE Leap 16.0: python313-Pillow-11.3.0-160000.4.1 python313-Pillow-tk-11.3.0-160000.4.1 References: * https://www.suse.com/security/cve/CVE-2026-40192.html . An important security update for python-Pillow on openSUSE addresses decompression bomb vulnerabilities.. openSUSE python-Pillow security important CVE-2026-40192 update. . LinuxSecurity.com Team
MGASA-2026-0011 - Updated python-urllib3 packages fix security vulnerabilities. MGASA-2026-0011 - Updated python-urllib3 packages fix security vulnerabilities Publication date: 17 Jan 2026 URL: https://advisories.mageia.org/MGASA-2026-0011.html Type: security Affected Mageia releases: 9 CVE: CVE-2025-66418, CVE-2026-21441 Description: urllib3 allows an unbounded number of links in the decompression chain. (CVE-2025-66418) urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API). (CVE-2026-21441) References: - https://bugs.mageia.org/show_bug.cgi?id=34809 - https://www.openwall.com/lists/oss-security/2025/12/05/4 - https://ubuntu.com/security/notices/USN-7955-1 - https://www.cve.org/CVERecord?id=CVE-2025-66418 - https://www.cve.org/CVERecord?id=CVE-2026-21441 SRPMS: - 9/core/python-urllib3-1.26.20-1.2.mga9 . Updated python-urllib3 packages in Mageia address important security issues related to decompression attacks and HTTP redirects.. Mageia python-urllib3 updates, python urllib3 vulnerabilities, security advisories Mageia. . LinuxSecurity.com Team
Update brotli to 1.2.0. This update provides the necessary Python APIs in python3-brotli to fix denial- of-service security issues related to \u201cdecompression bombs,\u201d such as CVE-2025-66471 or CVE-2025-6176, but actually fixing them would require separate updates in affected packages.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-9e233a4e22 2025-12-18 01:10:20.380939+00:00 -------------------------------------------------------------------------------- Name : perl-Alien-Brotli Product : Fedora 42 Version : 0.2.2 Release : 11.fc42 URL : http://metacpan.org/dist/Alien-Brotli Summary : Find and install the Brotli compressor Description : This distribution installs the brotli compressor, so that it can be used by other distributions, and provides a way to find the executable. -------------------------------------------------------------------------------- Update Information: Update brotli to 1.2.0. This update provides the necessary Python APIs in python3-brotli to fix denial- of-service security issues related to \u201cdecompression bombs,\u201d such as CVE-2025-66471 or CVE-2025-6176, but actually fixing them would require separate updates in affected packages. -------------------------------------------------------------------------------- ChangeLog: * Wed Dec 10 2025 Miro Hron\u010dok - 0.2.2-11 - Rebuilt for brotli 1.2.0 * Fri Jul 25 2025 Fedora Release Engineering - 0.2.2-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2419491 - CVE-2025-6176 brotli: Brotli decompression bomb DoS in scrapy/scrapy [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2419491 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisoryFEDORA-2025-9e233a4e22' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Critical update for perl-Alien-Brotli in Fedora to address DoS issues from decompression bombs effectively.. perl Alien Brotli update DoS Fedora. . LinuxSecurity.com Team
An update that fixes 8 vulnerabilities is now available. . SUSE Security Update: Security update for python-Pillow ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:2057-1 Rating: important References: #1153191 #1160152 #1160153 #1160192 #1173413 #1173416 #1173418 #965582 Cross-References: CVE-2016-0775 CVE-2019-16865 CVE-2019-19911 CVE-2020-10177 CVE-2020-10378 CVE-2020-10994 CVE-2020-5312 CVE-2020-5313 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for python-Pillow fixes the following issues: - Add 0019-FLI-overflow-error-fix-and-testcase.patch * Fixes CVE-2016-0775, bsc#965582 - Add 0020-Fix-OOB-reads-in-FLI-decoding.patch * Fixes CVE-2020-10177, bsc#1173413 - Add 0021-Fix-bounds-overflow-in-JPEG-2000-decoding.patch * Fixes CVE-2020-10994, bsc#1173418 - Add 0022-Fix-bounds-overflow-in-PCX-decoding.patch * Fixes CVE-2020-10378, bsc#1173416 - Add 0008-Corrected-negative-seeks.patch * Fixes part of CVE-2019-16865, bsc#1153191 - Add 0009-Make-Image.crop-an-immediate-operation.patch * Fixes https://github.com/python-pillow/Pillow/issues/1077 * Used by 0012-Added-decompression-bomb-checks.patch - Add 0010-Crop-decompression.patch * Used by 0012-Added-decompression-bomb-checks.patch - Add 0011-Added-DecompressionBombError.patch * Used by 0012-Added-decompression-bomb-checks.patch - Add 0012-Added-decompression-bomb-checks.patch * Fixes part of CVE-2019-16865, bsc#1153191 - Add 0013-Raise-error-if-dimension-is-a-string.patch * Fixes part of CVE-2019-16865, bsc#1153191 - Add 0014-Catch-buffer-overruns.patch * Fixes part of CVE-2019-16865, bsc#1153191 - Add0015-Catch-PCX-P-mode-buffer-overrun.patch * Fixes CVE-2020-5312, bsc#1160152 - Add 0016-Ensure-previous-FLI-frame-is-loaded.patch * Fixes https://github.com/python-pillow/Pillow/issues/2649 * Uncovers CVE-2020-5313, bsc#1160153 - Add 0017-Catch-FLI-buffer-overrun.patch * Fixes CVE-2020-5313, bsc#1160153 - Add 018-Invalid-number-of-bands-in-FPX-image.patch * Fixes CVE-2019-19911, bsc#1160192 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-2057=1 Package List: - SUSE Enterprise Storage 5 (aarch64 x86_64): python-Pillow-2.8.1-3.9.1 python-Pillow-debuginfo-2.8.1-3.9.1 python-Pillow-debugsource-2.8.1-3.9.1 References: https://www.suse.com/security/cve/CVE-2016-0775.html https://www.suse.com/security/cve/CVE-2019-16865.html https://www.suse.com/security/cve/CVE-2019-19911.html https://www.suse.com/security/cve/CVE-2020-10177.html https://www.suse.com/security/cve/CVE-2020-10378.html https://www.suse.com/security/cve/CVE-2020-10994.html https://www.suse.com/security/cve/CVE-2020-5312.html https://www.suse.com/security/cve/CVE-2020-5313.html https://bugzilla.suse.com/1153191 https://bugzilla.suse.com/1160152 https://bugzilla.suse.com/1160153 https://bugzilla.suse.com/1160192 https://bugzilla.suse.com/1173413 https://bugzilla.suse.com/1173416 https://bugzilla.suse.com/1173418 https://bugzilla.suse.com/965582 _______________________________________________ sle-security-updates mailing list
Get the latest Linux and open source security news straight to your inbox.