Merge pull request #6012 from radarhere/releasenotes

Added release notes for 9.0.1
2025-01-13 18:56:17 +03:00 · 2022-02-03 10:41:04 +11:00 · 2022-02-03 10:41:04 +11:00 · e3d98c9aca
commit e3d98c9aca
parent 596eaf35cc 8ef2d987ab
2 changed files with 24 additions and 0 deletions
--- a/docs/releasenotes/9.0.1.rst
+++ b/docs/releasenotes/9.0.1.rst
@ -0,0 +1,23 @@
+9.0.1
+-----
+
+Security
+========
+
+This release addresses several security problems.
+
+:cve:`CVE-2022-24303`: If the path to the temporary directory on Linux or macOS
+contained a space, this would break removal of the temporary image file after
+``im.show()`` (and related actions), and potentially remove an unrelated file. This
+been present since PIL.
+
+:cve:`CVE-2022-22817`: While Pillow 9.0 restricted top-level builtins available to
+:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
+expressions. These are now also restricted.
+
+Other Changes
+=============
+
+Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
+reports that the temporary image file was removed too quickly to be loaded into the
+final application. A delay has been added.
--- a/docs/releasenotes/index.rst
+++ b/docs/releasenotes/index.rst
@ -14,6 +14,7 @@ expected to be backported to earlier versions.
 .. toctree::
  :maxdepth: 2

+  9.0.1
  9.0.0
  8.4.0
  8.3.2