An update for python-fonttools is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1080 Final 1.0 1.0 2024-01-19 Initial 2024-01-19 2024-01-19 openEuler SA Tool V1.0 2024-01-19 python-fonttools security update An update for python-fonttools is now available for openEuler-22.03-LTS-SP3. FontTools is a library for manipulating fonts, written in Python. The project includes the TTX tool, that can convert TrueType and OpenType fonts to and from an XML text format, which is also called TTX. It supports TrueType, OpenType, AFM and to an extent Type 1 and some Mac-specific formats. The project has an MIT open-source licence. Security Fix(es): fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.(CVE-2023-45139) An update for python-fonttools is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-fonttools https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1080 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-45139 https://nvd.nist.gov/vuln/detail/CVE-2023-45139 openEuler-22.03-LTS-SP3 python3-fonttools-4.39.4-2.oe2203sp3.noarch.rpm fonttools-4.39.4-2.oe2203sp3.noarch.rpm fonttools-help-4.39.4-2.oe2203sp3.noarch.rpm fonttools-4.39.4-2.oe2203sp3.src.rpm fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0. 2024-01-19 CVE-2023-45139 openEuler-22.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N python-fonttools security update 2024-01-19 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1080