python310-CairoSVG-2.7.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13218 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python310-CairoSVG-2.7.1-1.1 on GA media These are all security issues fixed in the python310-CairoSVG-2.7.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13218 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13218 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-21236/ SUSE CVE CVE-2021-21236 page https://www.suse.com/security/cve/CVE-2023-27586/ SUSE CVE CVE-2023-27586 page openSUSE Tumbleweed python310-CairoSVG-2.7.1-1.1 python311-CairoSVG-2.7.1-1.1 python39-CairoSVG-2.7.1-1.1 python310-CairoSVG-2.7.1-1.1 as a component of openSUSE Tumbleweed python311-CairoSVG-2.7.1-1.1 as a component of openSUSE Tumbleweed python39-CairoSVG-2.7.1-1.1 as a component of openSUSE Tumbleweed CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. CVE-2021-21236 openSUSE Tumbleweed:python310-CairoSVG-2.7.1-1.1 openSUSE Tumbleweed:python311-CairoSVG-2.7.1-1.1 openSUSE Tumbleweed:python39-CairoSVG-2.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-21236.html CVE-2021-21236 https://bugzilla.suse.com/1180648 SUSE Bug 1180648 CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default. CVE-2023-27586 openSUSE Tumbleweed:python310-CairoSVG-2.7.1-1.1 openSUSE Tumbleweed:python311-CairoSVG-2.7.1-1.1 openSUSE Tumbleweed:python39-CairoSVG-2.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-27586.html CVE-2023-27586 https://bugzilla.suse.com/1209538 SUSE Bug 1209538