| Package | python-reportlab |
|---|---|
| Version | 3.1.8-3+deb8u3 (jessie) |
| Related CVEs | CVE-2019-19450 CVE-2020-28463 |
- CVE-2019-19450
  Ravi Prakash Giri discovered a remote code execution vulnerability via a crafted XML document in which `<unichar code="` is followed by arbitrary Python code. This issue is similar to CVE-2019-17626.
- CVE-2020-28463
  Karan Bamal discovered a Server-Side Request Forgery (SSRF) vulnerability via `<img>` tags. New settings `trustedSchemes` and `trustedHosts` have been added as part of the fix/mitigation: they can be used to specify an explicit allowlist of URL schemes and hosts from which remote sources may be loaded.
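The following toy renderer for `<para>` markup is an added example, not code from this advisory or from reportlab: it shows the two bug classes above side by side, an `eval()`-based `<unichar code="...">` handler beside one that accepts only an integer literal (CVE-2019-19450), and a scheme-plus-host allowlist in the spirit of `trustedSchemes`/`trustedHosts` applied to `<img src="...">` (CVE-2020-28463). The handler names, the fnmatch-style host matching, the configuration dictionaries and the sample document are assumptions made for the illustration.

```python
"""Added illustration of the two bug classes in this advisory, using a toy
renderer for <para> markup. This is not reportlab's code: the handler names,
the glob-style host matching and the sample document are assumptions."""
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

UNICODE_MAX = 0x10FFFF
NETWORK_SCHEMES = {"http", "https", "ftp"}


# --- CVE-2019-19450: the <unichar code="..."> attribute -------------------

def unichar_vulnerable(code_attr):
    """Vulnerable pattern: eval() accepts "65", "0x263A" or "0o101", but it
    also executes any Python expression placed in the attribute."""
    return chr(eval(code_attr))


def unichar_hardened(code_attr):
    """Hardened pattern: int(text, 0) parses the same integer literal forms
    without evaluating anything, and the value is range-checked."""
    try:
        value = int(code_attr.strip(), 0)
    except ValueError:
        raise ValueError("unichar code must be an integer literal: %r" % code_attr)
    if not 0 <= value <= UNICODE_MAX:
        raise ValueError("unichar code %#x is not a Unicode code point" % value)
    return chr(value)


# --- CVE-2020-28463: which <img src="..."> may be fetched ------------------

def is_trusted_source(src, trusted_schemes, trusted_hosts):
    """True only if the renderer may load src.

    trusted_schemes: URL schemes the renderer may use.
    trusted_hosts:   fnmatch-style patterns the host must match, or None,
                     which refuses every network source (fail closed).
    A src without a scheme is a local path and needs "file" to be trusted.
    """
    parts = urlsplit(src.strip())
    scheme = parts.scheme.lower() or "file"
    if scheme not in {s.lower() for s in trusted_schemes}:
        return False
    if scheme in NETWORK_SCHEMES:
        host = (parts.hostname or "").lower()  # userinfo and port removed
        if not host or trusted_hosts is None:
            return False
        return any(fnmatch.fnmatchcase(host, p.lower()) for p in trusted_hosts)
    return True


def render_paragraph(markup, unichar, trusted_schemes, trusted_hosts):
    """Render <para> markup to text. Rejected <unichar> codes become U+FFFD;
    <img> sources are rendered as [img:...] or [blocked:...], and in a real
    renderer only the former would ever be fetched."""
    root = ET.fromstring(markup)
    out = [root.text or ""]
    for child in root:
        if child.tag == "unichar":
            try:
                out.append(unichar(child.get("code", "")))
            except ValueError:
                out.append("\ufffd")
        elif child.tag == "img":
            src = child.get("src", "")
            ok = is_trusted_source(src, trusted_schemes, trusted_hosts)
            out.append("[%s:%s]" % ("img" if ok else "blocked", src))
        out.append(child.tail or "")
    return "".join(out)


# Constructed sample: one legitimate code point, one attribute that is a Python
# expression (it calls os.getcwd(), then yields 65), one CDN image, and two
# sources an attacker would use to reach a metadata service or a local file.
SAMPLE_MARKUP = (
    '<para><unichar code="0x263A"/> <unichar code="__import__(\'os\').getcwd() and 65"/>'
    '<img src="https://cdn.example.com/logo.png"/>'
    '<img src="http://cdn.example.com@169.254.169.254/latest/meta-data/"/>'
    '<img src="file:///etc/passwd"/></para>'
)

# Weak configuration: eval-based handler, every scheme and every host trusted.
WEAK = dict(unichar=unichar_vulnerable,
            trusted_schemes=["file", "http", "https", "ftp"], trusted_hosts=["*"])
# Hardened configuration: integer-only handler, https to *.example.com only.
HARDENED = dict(unichar=unichar_hardened,
                trusted_schemes=["https"], trusted_hosts=["*.example.com"])

if __name__ == "__main__":
    print("weak:    ", render_paragraph(SAMPLE_MARKUP, **WEAK))
    print("hardened:", render_paragraph(SAMPLE_MARKUP, **HARDENED))
```

Two caveats for anyone adapting the allowlist idea: matching the URL string is necessary but not sufficient, since a trusted host can redirect to an internal address or resolve to one at fetch time, so the HTTP client used for fetching should refuse redirects and private address ranges as well; and with fnmatch semantics `*.example.com` does not match `example.com` itself, so list the bare domain explicitly if it is meant to be trusted.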
For Debian 8 jessie, these problems have been fixed in version 3.1.8-3+deb8u3.
We recommend that you upgrade your python-reportlab packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.