Add release notes for 2.6.0 for #7864

docs/releasenotes/10.3.0.rst

@@ -91,7 +91,13 @@ Release GIL when fetching WebP frames
 Python's Global Interpreter Lock is now released when fetching WebP frames from
 the libwebp decoder.
 
-Add release notes for 2.3.1, 2.3.2, 2.5.2
+Added release notes for past releases
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-TODO
+Added release notes for past releases: ``2.6.0``, ``2.5.2``,
+``2.3.2``, ``2.3.1``. This effort is intended to provide a comprehensive
+look at CVE data from 1995 to 2024 across three noteworthy periods:
+
+- 1995-2010: No CVEs
+- 2010-2019: A few CVEs
+- 2019-2024: Many CVEs

docs/releasenotes/2.6.0.rst

@@ -0,0 +1,22 @@
+2.6.0
+-----
+
+Security
+========
+
+:cve:`2014-3589`: Fix DOS attack
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
+2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
+block size.
+
+Found and reported by Andrew Drake of dropbox.com
+
+Other Changes
+=============
+
+Relaxed precision of some tests
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Relaxed imagedraw tests to allow slight errors for x86 vs x64.

docs/releasenotes/index.rst

@@ -69,6 +69,7 @@ expected to be backported to earlier versions.
   3.0.0
   2.8.0
   2.7.0
+  2.6.0
   2.5.2
   2.3.2
   2.3.1