From f2ea25780a97360bbe42f8c3ff1f97c97b2646cd Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sat, 6 Mar 2021 13:21:30 +1100 Subject: [PATCH] Added release notes for 8.1.2 --- docs/releasenotes/8.1.1.rst | 8 -------- docs/releasenotes/8.1.2.rst | 12 ++++++++++++ docs/releasenotes/index.rst | 1 + 3 files changed, 13 insertions(+), 8 deletions(-) create mode 100644 docs/releasenotes/8.1.2.rst diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 90a786ec4..4081c49ca 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst @@ -1,7 +1,6 @@ 8.1.1 ----- - Security ======== @@ -20,13 +19,6 @@ that could be used as a DOS attack. :cve:`CVE-2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``, since Pillow 4.3.0. -There is an exhaustion of memory DOS in the BLP (:cve:`CVE-2021-27921`), -ICNS (:cve:`CVE-2021-27922`) and ICO (:cve:`CVE-2021-27923`) container formats -where Pillow did not properly check the reported size of the contained image. -These images could cause arbitrarily large memory allocations. This was reported -by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of -`Arizona State University `_. - Other Changes ============= diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst new file mode 100644 index 000000000..50d132f33 --- /dev/null +++ b/docs/releasenotes/8.1.2.rst @@ -0,0 +1,12 @@ +8.1.2 +----- + +Security +======== + +There is an exhaustion of memory DOS in the BLP (:cve:`CVE-2021-27921`), +ICNS (:cve:`CVE-2021-27922`) and ICO (:cve:`CVE-2021-27923`) container formats +where Pillow did not properly check the reported size of the contained image. +These images could cause arbitrarily large memory allocations. This was reported +by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of +`Arizona State University `_. diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index 38aed08cf..117738675 100644 --- a/docs/releasenotes/index.rst 
+++ b/docs/releasenotes/index.rst @@ -15,6 +15,7 @@ expected to be backported to earlier versions. :maxdepth: 2 8.2.0 + 8.1.2 8.1.1 8.1.0 8.0.1
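Review bot: the second hunk of docs/releasenotes/8.1.1.rst (@@ -20,13 +19,6) deletes the BLP/ICNS/ICO paragraph from the 8.1.1 notes, but the subject "Added release notes for 8.1.2" does not mention that removal. A reader who took 8.1.1 as the fixed version for CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923 from the earlier text gets no hint that the entry has moved. Suggest stating in the commit message that these three CVEs are moved from the 8.1.1 notes to the 8.1.2 notes, and consider leaving a one-line pointer to 8.1.2 in the Security section of 8.1.1.rst.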
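Review bot: the Security paragraph in the new docs/releasenotes/8.1.2.rst does not say since which Pillow version the BLP, ICNS and ICO readers are affected, nor what 8.1.2 changes. It only states that Pillow "did not properly check the reported size of the contained image". The neighbouring 8.1.1 entry for CVE-2021-25293 gives an affected range ("since Pillow 4.3.0"). Suggest adding the affected range for each of the three CVEs if it is known, plus one sentence on the fix, so users can tell whether they need to upgrade.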