CVE-2020-5312

Advisory

Chartify 3.0.3 includes a version of 'pillow' (6.2.0) affected by several CVEs.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

------------------

Bugfixes:

* Updated default yaml loader to move off of
deprecated method (Thanks vh920!)
* Updated legend handling to adjust for deprecated methods
in recent versions of Bokeh (Thanks for reporting jpkoc)
* Updated license in setup.py (Thanks for reporting jsignell)
* Bump base Pillow dependency to avoid insecure version.
* Update MANIFEST to include missing files (Thanks toddrme2178!)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5312
• https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
• https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
• https://lists.fedoraproject.org/archives/list/[email protected]/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A/
• https://usn.ubuntu.com/4272-1/
• https://access.redhat.com/errata/RHSA-2020:0566
• https://lists.fedoraproject.org/archives/list/[email protected]/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P/
• https://www.debian.org/security/2020/dsa-4631
• https://access.redhat.com/errata/RHSA-2020:0580
• https://access.redhat.com/errata/RHSA-2020:0578
• https://access.redhat.com/errata/RHSA-2020:0683
• https://access.redhat.com/errata/RHSA-2020:0681
• https://access.redhat.com/errata/RHSA-2020:0694