Add release notes for 8.0.1 #5000

Merged
merged 2 commits into from
Oct 22, 2020

@hugovk (Member) commented Oct 22, 2020

For #4764.

Changes proposed in this pull request:

  • Release notes for the FreeType security update.

Before Pillow 8.0.0 bitmap fonts were disabled with ``FT_LOAD_NO_BITMAP``, but it is not
clear if this prevents the exploit and we recommend updating to Pillow 8.0.1.

Pillow 8.0.0 and earlier are potentially vulnerable releases, including the last release
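
Review bot: The sentence beginning "Before Pillow 8.0.0" says earlier releases disabled bitmap fonts with ``FT_LOAD_NO_BITMAP`` but leaves the reader to infer what 8.0.0 itself does, which is the reason it is singled out. Suggest saying that directly, and giving "Pillow 8.0.0 and earlier are potentially vulnerable releases" a lower version bound so users of old releases can tell whether they are in scope.
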
Member

Technically speaking, it is only Pillow 2.9.0 onwards that are potentially vulnerable. FreeType 2.6 wasn't available before that.

@nulano (Contributor) commented Oct 22, 2020

Also note that FT_LOAD_NO_BITMAP was added in Pillow 2.8.0, before the release of FreeType 2.6, in #1072, so 8.0.0 is the only version that is very likely to be vulnerable.

docs/releasenotes/8.0.1.rst (outdated, resolved)
Co-authored-by: nulano <nulano@nulano.eu>
@hugovk hugovk merged commit 23b747c into python-pillow:master Oct 22, 2020
@hugovk hugovk deleted the add-8.0.1 branch October 22, 2020 14:23
@hugovk hugovk added this to the 8.0.0 milestone Oct 22, 2020