From 558b2e6cf6143acd6323f0887c112043f34b5fb4 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade Date: Thu, 22 Oct 2020 15:45:58 +0300 Subject: [PATCH] Add release notes for 8.0.1 --- CHANGES.rst | 6 ++++++ docs/releasenotes/8.0.1.rst | 23 +++++++++++++++++++++++ docs/releasenotes/index.rst | 1 + 3 files changed, 30 insertions(+) create mode 100644 docs/releasenotes/8.0.1.rst diff --git a/CHANGES.rst b/CHANGES.rst index 6e1970cba..95a7d1c46 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -8,6 +8,12 @@ Changelog (Pillow) - Support raw rgba8888 for DDS #4760 [qiankanglai] +8.0.1 (2020-10-22) +------------------ + +- Update FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999. + [radarhere] + 8.0.0 (2020-10-15) ------------------ diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst new file mode 100644 index 000000000..be10d8e47 --- /dev/null +++ b/docs/releasenotes/8.0.1.rst @@ -0,0 +1,23 @@ +8.0.1 +----- + +Security +======== + +Update FreeType used in binary wheels to `2.10.4`_ to fix CVE-2020-15999_: + + - A heap buffer overflow has been found in the handling of embedded PNG bitmaps, + introduced in FreeType version 2.6. + + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999 + + If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately. + +Before Pillow 8.0.0 bitmap fonts were disabled with ``FT_LOAD_NO_BITMAP``, but it is not +clear if this prevents the exploit and we recommend updating to Pillow 8.0.1. + +Pillow 8.0.0 and earlier are potentially vulnerable releases, including the last release +to support Python 2.7, namely Pillow 6.2.2. + +.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/ +.. _CVE-2020-15999: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999 diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index ba81fbaf8..5c74bed9b 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst 
@@ -13,6 +13,7 @@ expected to be backported to earlier versions. .. toctree:: :maxdepth: 2 + 8.0.1 8.0.0 7.2.0 7.1.2
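Review bot: the CHANGES.rst entry "Update FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999." reads as if 8.0.1 fixes the CVE for every install, but the entry itself scopes the change to the FreeType bundled in the binary wheels; a source build, or a distribution package linked against the system FreeType, gets nothing from this release. Suggest saying so in the same line, e.g. "Update FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999. Builds that link against a system FreeType must update that FreeType separately."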
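Review bot: in docs/releasenotes/8.0.1.rst the advice "If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately." leaves the reader to work out whether it applies to them: ``FT_CONFIG_OPTION_USE_PNG`` is a FreeType build-time option, not a Pillow setting, and the note never states whether the FreeType shipped in the wheels was built with it (the CHANGES.rst hunk in this same patch implies it was, otherwise updating the wheel's FreeType would fix nothing). Suggest stating that directly, e.g. "The FreeType bundled in Pillow's binary wheels is built with ``FT_CONFIG_OPTION_USE_PNG``, so all wheel users are affected and should upgrade immediately; if you build against your own FreeType, check that option and update FreeType itself." The following sentence about ``FT_LOAD_NO_BITMAP`` should likewise end in plain advice rather than "it is not clear if this prevents the exploit": since the mitigation has not been assessed, say that pre-8.0.0 releases are to be treated as affected. The last paragraph names Pillow 6.2.2 as the last Python 2.7 release but does not say what those users should do given that 8.0.1 cannot be installed there; one sentence (no fixed 6.2.x wheel, rebuild against a patched FreeType) would close that gap. Minor: the bare ``https://cve.mitre.org/...`` URL inside the indented quote duplicates the ``.. _CVE-2020-15999:`` target at the bottom of the file; one of the two can go.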