Updated order

CHANGES.rst

@@ -2,6 +2,15 @@
 Changelog (Pillow)
 ==================
 
+10.0.1 (2023-09-15)
+-------------------
+
+- Updated libwebp to 1.3.2 #7395
+  [radarhere]
+
+- Updated zlib to 1.3 #7344
+  [radarhere]
+
 10.0.0 (2023-07-01)
 -------------------
 

Tests/test_file_png.py

@@ -79,7 +79,7 @@ class TestFilePng:
 
     def test_sanity(self, tmp_path):
         # internal version number
-        assert re.search(r"\d+\.\d+\.\d+(\.\d+)?$", features.version_codec("zlib"))
+        assert re.search(r"\d+(\.\d+){1,3}$", features.version_codec("zlib"))
 
         test_file = str(tmp_path / "temp.png")
 

depends/install_webp.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # install webp
 
-archive=libwebp-1.3.1
+archive=libwebp-1.3.2
 
 ./download-and-extract.sh $archive https://raw.githubusercontent.com/python-pillow/pillow-depends/main/$archive.tar.gz
 

docs/releasenotes/10.0.1.rst

@@ -0,0 +1,14 @@
+10.0.1
+------
+
+Security
+========
+
+This release addresses :cve:`2023-4863`, by providing an updated install script and
+updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow
+in WebP.
+
+Updated tests to pass with latest zlib version
+==============================================
+
+The release of zlib 1.3 caused one of the tests in the Pillow test suite to fail.

docs/releasenotes/index.rst

@@ -14,6 +14,7 @@ expected to be backported to earlier versions.
 .. toctree::
   :maxdepth: 2
 
+  10.0.1
   10.0.0
   9.5.0
   9.4.0

src/PIL/_version.py

@@ -1,2 +1,2 @@
 # Master version for Pillow
-__version__ = "10.0.0"
+__version__ = "10.0.1"

winbuild/build_prepare.py

@@ -130,9 +130,9 @@ deps = {
         "bins": ["cjpeg.exe", "djpeg.exe"],
     },
     "zlib": {
-        "url": "https://zlib.net/zlib1213.zip",
+        "url": "https://zlib.net/zlib13.zip",
-        "filename": "zlib1213.zip",
+        "filename": "zlib13.zip",
-        "dir": "zlib-1.2.13",
+        "dir": "zlib-1.3",
         "license": "README",
         "license_pattern": "Copyright notice:\n\n(.+)$",
         "build": [
@@ -157,9 +157,9 @@ deps = {
         "libs": [r"liblzma.lib"],
     },
     "libwebp": {
-        "url": "http://downloads.webmproject.org/releases/webp/libwebp-1.3.1.tar.gz",
+        "url": "http://downloads.webmproject.org/releases/webp/libwebp-1.3.2.tar.gz",
-        "filename": "libwebp-1.3.1.tar.gz",
+        "filename": "libwebp-1.3.2.tar.gz",
-        "dir": "libwebp-1.3.1",
+        "dir": "libwebp-1.3.2",
         "license": "COPYING",
         "build": [
             cmd_rmdir(r"output\release-static"),  # clean