python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2024-11-11 04:07:21 +03:00
Code Issues Packages Projects Releases Wiki Activity
558b2e6cf6
Pillow/docs/releasenotes/8.0.1.rst
Hugo van Kemenade 558b2e6cf6 Add release notes for 8.0.1
2020-10-22 15:47:02 +03:00

24 lines
848 B
ReStructuredText
Raw Blame History

8.0.1
-----
Security
========
Update FreeType used in binary wheels to `2.10.4`_ to fix CVE-2020-15999_:
- A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
introduced in FreeType version 2.6.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately.
Before Pillow 8.0.0 bitmap fonts were disabled with ``FT_LOAD_NO_BITMAP``, but it is not
clear if this prevents the exploit and we recommend updating to Pillow 8.0.1.
Pillow 8.0.0 and earlier are potentially vulnerable releases, including the last release
to support Python 2.7, namely Pillow 6.2.2.
.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
.. _CVE-2020-15999: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
Reference in New Issue View Git Blame Copy Permalink