| Package | python-reportlab |
|---|---|
| Version | 3.3.0-2+deb9u2 (stretch) |
| Related CVEs | CVE-2019-19450, CVE-2020-28463 |
Two vulnerabilities were found in python-reportlab, a Python library for creating PDF documents.
CVE-2019-19450
The start_unichar function in paraparser.py passed the code attribute of the <unichar> paragraph-markup tag to Python's eval(). Paragraph markup is commonly built from untrusted input, so an attacker who controls it could permit remote code execution in the process rendering the PDF.
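The pattern behind this CVE and a hardened replacement, as an added example that is not code from the advisory or from reportlab itself. The attribute dictionary shape, the <unichar code="..."/> markup form and the function names are assumptions made for this example; the constructed hostile value only calls os.getpid(), which is enough to show that the expression runs.

```python
import re

# Constructed attribute dicts, in the shape a tag handler might receive for a
# <unichar code="..."/> element. The markup form is an assumption made for
# this example; the second value stands in for attacker-controlled text.
BENIGN_ATTR = {"code": "0x2022"}                         # U+2022, a bullet
HOSTILE_ATTR = {"code": "__import__('os').getpid()"}     # a Python expression

UNICODE_MAX = 0x10FFFF


def unichar_code_vulnerable(attr):
    """Vulnerable pattern: the attribute string goes straight to eval().

    Any Python expression placed in the markup runs inside the process that
    renders the PDF, with that process's privileges.
    """
    return int(eval(attr["code"]))


def unichar_code_hardened(attr):
    """Hardened parser: accept only a decimal or 0x-prefixed hex integer
    literal, convert it without eval(), and range-check the code point."""
    raw = attr["code"].strip()
    if re.fullmatch(r"0[xX][0-9A-Fa-f]{1,6}", raw):
        code = int(raw[2:], 16)
    elif re.fullmatch(r"[0-9]{1,7}", raw):
        code = int(raw, 10)
    else:
        raise ValueError(f"unichar code is not an integer literal: {raw!r}")
    if code > UNICODE_MAX:
        raise ValueError(f"unichar code out of range: {code:#x}")
    return code


def hardened_rejects(attr):
    """True if the hardened parser refuses the attribute."""
    try:
        unichar_code_hardened(attr)
    except ValueError:
        return True
    return False


def demo():
    """Contrast the two parsers on the constructed inputs."""
    return {
        "benign_vulnerable": chr(unichar_code_vulnerable(BENIGN_ATTR)),
        "benign_hardened": chr(unichar_code_hardened(BENIGN_ATTR)),
        # eval() runs the expression and hands back this process's PID
        "hostile_vulnerable_ran_code": isinstance(
            unichar_code_vulnerable(HOSTILE_ATTR), int
        ),
        "hostile_hardened_rejected": hardened_rejects(HOSTILE_ATTR),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version is deliberately narrower than eval(): it accepts exactly the two literal forms the markup needs and nothing else, so there is no expression surface left to abuse.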
CVE-2020-28463
It was discovered that img tags could be used for Server-Side Request Forgery (SSRF): the library loads an image from the URL given in the markup, so untrusted markup could make the rendering host issue requests to internal or otherwise unreachable services. The issue can be mitigated by using the new trustedSchemes and trustedHosts rl_config variables to restrict which URL schemes and hosts images may be fetched from. See "Inline Images" in ch. 6 of the reportlab user manual.
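An allowlist check of the kind the trustedSchemes and trustedHosts settings provide, applied to constructed img src values, as an added example that is not code from the advisory or from reportlab itself. The allowlist values, the shell-style wildcard matching rule and the function names are assumptions made for this example; the inputs cover the cases that matter for SSRF (non-HTTP schemes, cloud metadata and loopback addresses, a userinfo trick that puts a trusted name before the @).

```python
import fnmatch
from urllib.parse import urlsplit

# Allowlists in the spirit of the trustedSchemes / trustedHosts settings.
# The values here are assumptions chosen for this example.
TRUSTED_SCHEMES = ("https",)
TRUSTED_HOSTS = ("static.example.com", "*.cdn.example.com")


def is_trusted_image_url(url, trusted_schemes=TRUSTED_SCHEMES,
                         trusted_hosts=TRUSTED_HOSTS):
    """Return True only when both the URL scheme and the host are allowlisted.

    Everything else is denied: other schemes (file:, ftp:, data:, ...),
    relative or schemeless references, malformed URLs, and hosts that do
    not match any pattern.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # drops userinfo and port, strips [] from IPv6
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() not in trusted_schemes:
        return False
    if not host:
        return False
    host = host.lower()
    return any(fnmatch.fnmatchcase(host, pattern.lower())
               for pattern in trusted_hosts)


def filter_img_sources(srcs, **kwargs):
    """Map each <img src=...> value to its allow/deny decision."""
    return {src: is_trusted_image_url(src, **kwargs) for src in srcs}


# Constructed <img src=...> values an attacker might place in untrusted markup.
SAMPLE_IMG_SRCS = [
    "https://static.example.com/logo.png",          # allowed
    "https://img.cdn.example.com/a.png",            # allowed by wildcard
    "http://static.example.com/logo.png",           # scheme not trusted
    "https://169.254.169.254/latest/meta-data/",    # cloud metadata service
    "https://static.example.com@10.0.0.5/x.png",    # userinfo trick
    "https://localhost:8080/admin",                 # loopback service
    "file:///etc/passwd",                           # local file read
    "//static.example.com/logo.png",                # no scheme
]


if __name__ == "__main__":
    for src, allowed in filter_img_sources(SAMPLE_IMG_SRCS).items():
        print("ALLOW" if allowed else "DENY ", src)
```

Note that the host check runs on the parsed hostname rather than on the raw string, which is what defeats the userinfo trick: the trusted name before the @ is not the host the request would go to. When deploying the advisory's mitigation, set the trustedSchemes and trustedHosts attributes of reportlab.rl_config before rendering and consult the cited manual section for their exact semantics.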
For Debian 9 stretch, these problems have been fixed in version 3.3.0-2+deb9u2.
We recommend that you upgrade your python-reportlab packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.