Mirrors
/
synapse
mirror of https://github.com/element-hq/synapse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Mandate Pillow>=10.0.1 because of libwebp CVE (#16347)

This commit is contained in:
Mathieu Velten 2023-09-18 15:01:23 +02:00 committed by GitHub
parent 5ad1714d42
commit 4663d55502
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelog.d/16347.misc Normal file
View File

@ -0,0 +1 @@
Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels.

4
pyproject.toml
View File

@ -180,7 +180,9 @@ PyYAML = ">=3.13"
pyasn1 = ">=0.1.9" pyasn1 = ">=0.1.9"
pyasn1-modules = ">=0.0.7" pyasn1-modules = ">=0.0.7"
bcrypt = ">=3.1.7" bcrypt = ">=3.1.7"
Pillow = ">=5.4.0" # 10.0.1 minimum is mandatory here because of libwebp CVE-2023-4863.
# Packagers that already took care of libwebp can lower that down to 5.4.0.
Pillow = ">=10.0.1"
# We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2. # We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2.
sortedcontainers = ">=1.5.2" sortedcontainers = ">=1.5.2"
pymacaroons = ">=0.13.0" pymacaroons = ">=0.13.0"