mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-12-25 17:36:18 +03:00
Update release notes to match template for #7864
This commit is contained in:
parent
b5f77799ca
commit
45975e482d
|
@ -11,10 +11,10 @@ These issues reported in
|
|||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The (1) load_djpeg function in ``JpegImagePlugin.py``, (2) Ghostscript function
|
||||
in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4) _copy
|
||||
function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and
|
||||
Pillow before 2.3.1 do not properly create temporary files, which allow local
|
||||
users to overwrite arbitrary files and obtain sensitive information via a
|
||||
in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4)
|
||||
``_copy`` function in Image.py in Python Image Library (PIL) 1.1.7 and earlier
|
||||
and Pillow before 2.3.1 do not properly create temporary files, which allow
|
||||
local users to overwrite arbitrary files and obtain sensitive information via a
|
||||
symlink attack on the temporary file.
|
||||
|
||||
:cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp`
|
||||
|
|
|
@ -1,6 +1,29 @@
|
|||
4.2.0
|
||||
-----
|
||||
|
||||
Deprecations
|
||||
============
|
||||
|
||||
Several deprecated items have been removed
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* The methods ``PIL.ImageWin.Dib.fromstring``,
|
||||
``PIL.ImageWin.Dib.tostring`` and
|
||||
``PIL.TiffImagePlugin.ImageFileDirectory_v2.as_dict`` have
|
||||
been removed.
|
||||
|
||||
* Before Pillow 4.2.0, attempting to save an RGBA image as JPEG would
|
||||
discard the alpha channel. From Pillow 3.4.0, a deprecation warning
|
||||
was shown. From Pillow 4.2.0, the deprecation warning is removed and
|
||||
an :py:exc:`IOError` is raised.
|
||||
|
||||
Removed Core Image Function
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The unused function ``Image.core.new_array`` was removed. This is an
|
||||
internal function that should not have been used by user code, but it
|
||||
was accessible from the python layer.
|
||||
|
||||
Other Changes
|
||||
=============
|
||||
|
||||
|
@ -30,26 +53,3 @@ New DecompressionBomb Warning
|
|||
:py:meth:`PIL.Image.Image.crop` now may raise a DecompressionBomb
|
||||
warning if the crop region enlarges the image over the threshold
|
||||
specified by :py:data:`PIL.Image.MAX_IMAGE_PIXELS`.
|
||||
|
||||
Deprections
|
||||
===========
|
||||
|
||||
Several deprecated items have been removed
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* The methods ``PIL.ImageWin.Dib.fromstring``,
|
||||
``PIL.ImageWin.Dib.tostring`` and
|
||||
``PIL.TiffImagePlugin.ImageFileDirectory_v2.as_dict`` have
|
||||
been removed.
|
||||
|
||||
* Before Pillow 4.2.0, attempting to save an RGBA image as JPEG would
|
||||
discard the alpha channel. From Pillow 3.4.0, a deprecation warning
|
||||
was shown. From Pillow 4.2.0, the deprecation warning is removed and
|
||||
an :py:exc:`IOError` is raised.
|
||||
|
||||
Removed Core Image Function
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The unused function ``Image.core.new_array`` was removed. This is an
|
||||
internal function that should not have been used by user code, but it
|
||||
was accessible from the python layer.
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
Security
|
||||
========
|
||||
|
||||
This release fixes several buffer overruns and DOS attacks.
|
||||
This release fixes several buffer overflow issues and a DOS attack vulnerability.
|
||||
|
||||
:cve:`2019-19911`: DOS attack vulnerability
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
|
|
@ -4,11 +4,11 @@
|
|||
Security
|
||||
========
|
||||
|
||||
:cve:`2021-34552`: Buffer overflow
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
:cve:`2021-34552`: Fix buffer overflow
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger
|
||||
buffer overflow in Convert.c.
|
||||
PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert
|
||||
function to trigger buffer overflow in ``Convert.c``.
|
||||
|
||||
Parsing XML
|
||||
^^^^^^^^^^^
|
||||
|
|
Loading…
Reference in New Issue
Block a user