python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-02-05 06:00:58 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add release notes for 8.0.1

Browse Source
This commit is contained in:
Hugo van Kemenade 2020-10-22 15:45:58 +03:00
parent 982b6c27a9
commit 44fe3545c3
3 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES.rst
View File

@ -2,6 +2,12 @@
Changelog (Pillow)
==================
8.0.1 (2020-10-22)
------------------
- Update FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999
[radarhere]
8.0.0 (2020-10-15)
------------------

23
docs/releasenotes/8.0.1.rst Normal file
View File

@ -0,0 +1,23 @@
8.0.1
-----
Security
========
Update FreeType used in binary wheels to `2.10.4`_ to fix CVE-2020-15999_:
- A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
introduced in FreeType version 2.6.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately.
Before Pillow 8.0.0 bitmap fonts were disabled with ``FT_LOAD_NO_BITMAP``, but it is not
clear if this prevents the exploit and we recommend updating to Pillow 8.0.1.
Pillow 8.0.0 and earlier are potentially vulnerable releases, including the last release
to support Python 2.7, namely Pillow 6.2.2.
.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
.. _CVE-2020-15999: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

1
docs/releasenotes/index.rst
View File

@ -13,6 +13,7 @@ expected to be backported to earlier versions.
.. toctree::
:maxdepth: 2
8.0.1
8.0.0
7.2.0
7.1.2