CVE for <7.1.0 references non-existent 6.2.3 release #4750
Comments
There was discussion about adding security patches to the 6.2.x series, since it was the last Pillow version to support Python 2.7. However, that discussion did not result in a release, and there are no active plans to do so.
Actually, the CVE description also references 7.0.1, which doesn't exist either. I have submitted a request to have this corrected.
Thanks! The Mitre pages for the first three CVEs of #4538 say "Pillow before 6.2.3 and 7.x before 7.0.1", and the last two say "Pillow before 7.0.0". All should say "Pillow before 7.1.0", and the links 404.
@radarhere is there a public link to that discussion?
No. It was had in a context of discussing the security vulnerabilities before the fixes had been released. You can make your argument here, but overall, Pillow has pledged to drop support for Python 2.7 as part of https://python3statement.org/
@radarhere I've got no argument, I was just interested to see the discussion
Please announce EOL of version ranges beforehand and with intent, not opportunistically. It is distressing to see support being dropped as soon as the CVE gets out.
The end of Python 2.7 support was announced in the Pillow 6.0.0 release notes, 9 months before support was ended. |
To be fair, those notes don't imply that 6.x will not continue to get security fixes
My incorrect interpretation was that there would be continued support for v6, but no new features would be backported |
These are vulnerabilities related to processing of malicious images, and since we don't expose image uploading to 3rd parties on this site, it is somewhat reasonable to ignore them. There is no planned 6.2.3 release of pillow to fix this (see python-pillow/Pillow#4750) and wagtail 2.7.x requires this as of today. Possibly the 2.7 branch of wagtail will relax this requirement, but until then I think it's best to ignore these.
This allows users on the 2.7 LTS branch to upgrade Pillow to address [CVE-2020-10379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10379), as Pillow 6.x is EOL (python-pillow/Pillow#4750).
@hugovk the first four CVEs have now been updated. The last one does not actually say that the problem applies 'before 7.0.0', it says that it applies 'through 7.0.0'.
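To make the affected-range wording discussed in this thread concrete (an exclusive "before" versus an inclusive "through", and the original CVE description versus the corrected one), here is an added example; it is not Pillow project code, the phrases and candidate versions are taken from the wording quoted above, and the phrase parser is a constructed helper that only understands those forms.

```python
"""Evaluate CVE-style affected-version phrases against candidate versions.

Added example for this issue thread (not Pillow code). Handles the phrase
forms quoted in the thread: 'before X', 'through X', and 'N.x before X',
joined by ' and '. 'before' is exclusive, 'through' is inclusive.
"""
import re
from typing import Callable, List

_CLAUSE = re.compile(r"(?:(\d+)\.x )?(before|through) (\d+(?:\.\d+)*)")


def parse_version(v: str) -> tuple:
    """'7.0.1' -> (7, 0, 1); tuples compare lexicographically."""
    return tuple(int(p) for p in v.split("."))


def affected_predicate(phrase: str) -> Callable[[str], bool]:
    """Turn e.g. 'before 6.2.3 and 7.x before 7.0.1' into a predicate that
    returns True for versions the phrase marks as affected."""
    clauses = []
    for part in phrase.split(" and "):
        m = _CLAUSE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported phrase: {part!r}")
        major, op, bound = m.groups()
        b = parse_version(bound)

        def clause(v: str, major=major, op=op, b=b) -> bool:
            pv = parse_version(v)
            if major is not None and pv[0] != int(major):
                return False  # 'N.x ...' only covers that major series
            return pv < b if op == "before" else pv <= b

        clauses.append(clause)
    return lambda v: any(c(v) for c in clauses)


def diverging_versions(old_phrase: str, new_phrase: str,
                       candidates: List[str]) -> List[str]:
    """Versions on which the two descriptions disagree about exposure."""
    old, new = affected_predicate(old_phrase), affected_predicate(new_phrase)
    return [v for v in candidates if old(v) != new(v)]


# Constructed candidates: last 6.x release, 7.0.x, and the fixed 7.1.0.
CANDIDATES = ["6.2.2", "7.0.0", "7.0.1", "7.0.2", "7.1.0"]
ORIGINAL = "before 6.2.3 and 7.x before 7.0.1"   # as first published
CORRECTED = "before 7.1.0"                       # as the thread requests

if __name__ == "__main__":
    print(diverging_versions(ORIGINAL, CORRECTED, CANDIDATES))
```

Versions that the original text called safe but the corrected text calls affected are exactly the ones an automated scanner keyed on the CVE metadata would have missed.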
Please backport security fixes to 6.2.x, especially if it's somewhat easily possible. In a perfect world everyone would be on Python 3 right now and thus able to use Pillow 7.x. However, the world is not perfect and there are some projects where migrating to Python 3 takes time (still happening this year) and, more importantly, where the last version that supports Python 2 is still supported for a while.
CVE-2020-10379 references the changelog of release 6.2.3, a release that does not exist. I don't see any attempt to backport the relevant security fixes to the 6.2.x branch. Please clarify whether 6.2.3 will be released or 6.2 is EOL.