From 3a855cb6475238431b1640a7939d16bf7b40fe39 Mon Sep 17 00:00:00 2001 From: Frederick Price Date: Fri, 31 Mar 2023 14:58:40 -0400 Subject: [PATCH] Initial change of release notes --- CHANGES.rst | 9 +++++++++ docs/releasenotes/6.2.2.5.rst | 11 +++++++++++ 2 files changed, 20 insertions(+) create mode 100644 docs/releasenotes/6.2.2.5.rst diff --git a/CHANGES.rst b/CHANGES.rst index acc90a38d..07b533488 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -2,6 +2,13 @@ Changelog (Pillow) ================== +6.2.2.5 (date TBD) +------------------ + +- Fix CVE-2020-35654 +[rickprice] + + 6.2.2.4 (2023-03-29) ------------------ @@ -14,8 +21,10 @@ since Pillow 4.3.0. - Fix CVE-2021-27921 [rickprice] + - Fix CVE-2021-27922 [rickprice] + - Fix CVE-2021-27923 [rickprice] diff --git a/docs/releasenotes/6.2.2.5.rst b/docs/releasenotes/6.2.2.5.rst new file mode 100644 index 000000000..f8eef2065 --- /dev/null +++ b/docs/releasenotes/6.2.2.5.rst @@ -0,0 +1,11 @@ +6.2.2.4 +------- + +Security +======== + +This release addresses several critical CVEs. + +:cve:`CVE-2020-35654`: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. + +
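Review bot: the new changelog entry in the first CHANGES.rst hunk keeps the placeholder heading `6.2.2.5 (date TBD)`; fill in the actual release date before this is tagged, otherwise the published changelog ships with "TBD" in it. The entry body (`- Fix CVE-2020-35654` plus the `[rickprice]` attribution) follows the same shape as the 6.2.2.4 entries below it, so no change is needed there.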
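Review bot: the title of the newly added docs/releasenotes/6.2.2.5.rst reads `6.2.2.4`, although the file name and the CHANGES.rst entry in this same patch are for 6.2.2.5; change the heading to `6.2.2.5` (the seven-dash underline already matches that length). The sentence `This release addresses several critical CVEs.` is also inaccurate as written, since only one CVE (CVE-2020-35654) is listed, so either reword it to the singular or add the missing entries. The hunk ends with an extra empty `+` line, so the file ends with two newlines instead of one; drop it. Since this patch touches only CHANGES.rst and the new file, also check whether the release-notes index needs an entry for the new 6.2.2.5 page.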