Mandate Pillow>=10.0.1 because of libwebp CVE (#16347)

2024-05-17 11:03:46 +02:00 · 2023-09-18 15:01:23 +02:00 · 2023-09-18 15:01:23 +02:00 · 4663d55502
parent 5ad1714d42
commit 4663d55502
2 changed files with 4 additions and 1 deletions
--- a/changelog.d/16347.misc
+++ b/changelog.d/16347.misc
@ -0,0 +1 @@
+Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels.
--- a/pyproject.toml
+++ b/pyproject.toml
@ -180,7 +180,9 @@ PyYAML = ">=3.13"
 pyasn1 = ">=0.1.9"
 pyasn1-modules = ">=0.0.7"
 bcrypt = ">=3.1.7"
-Pillow = ">=5.4.0"
+# 10.0.1 minimum is mandatory here because of libwebp CVE-2023-4863.
+# Packagers that already took care of libwebp can lower that down to 5.4.0.
+Pillow = ">=10.0.1"
 # We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2.
 sortedcontainers = ">=1.5.2"
 pymacaroons = ">=0.13.0"
				`@ -0,0 +1 @@`
				`Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels.`