mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-12-25 17:36:18 +03:00
c69dcc1c29
- Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589
24 lines
860 B
ReStructuredText
24 lines
860 B
ReStructuredText
8.0.1
|
|
-----
|
|
|
|
Security
|
|
========
|
|
|
|
:cve:`2020-15999`: Update FreeType in wheels to `2.10.4`_
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
* A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
|
|
introduced in FreeType version 2.6.
|
|
|
|
* If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately.
|
|
|
|
We strongly recommend updating to Pillow 8.0.1 if you are using Pillow 8.0.0, which improved support for bitmap fonts.
|
|
|
|
In Pillow 7.2.0 and earlier bitmap fonts were disabled with ``FT_LOAD_NO_BITMAP``, but it is not
|
|
clear if this prevents the exploit and we recommend updating to Pillow 8.0.1.
|
|
|
|
Pillow 8.0.0 and earlier are potentially vulnerable releases, including the last release
|
|
to support Python 2.7, namely Pillow 6.2.2.
|
|
|
|
.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
|