CVE-2020-10379 references the changelog of release 6.2.3, a release that does not exist. I don't see any attempt to backport the relevant security fixes to the 6.2.x branch. Please clarify whether 6.2.3 will be released or 6.2 is EOL.
There was discussion about adding security patches to the 6.2.x series, since it was the last Pillow version to support Python 2.7. However, that discussion did not result in a release, and there are no active plans to do so.
Actually, the CVE description also references 7.0.1, which doesn't exist either. I have submitted a request to have this corrected.
Thanks!
The Mitre pages for the first three CVEs of https://github.com/python-pillow/Pillow/pull/4538 say "Pillow before 6.2.3 and 7.x before 7.0.1", and the last two say "Pillow before 7.0.0".
All should say "Pillow before 7.1.0", and the links to https://pillow.readthedocs.io/en/stable/releasenotes/6.2.3.html (a 404) should be removed.
There was discussion about adding security patches to the 6.2.x series,
@radarhere is there a public link to that discussion?
No. It was had in the context of discussing the security vulnerabilities before the fixes had been released.
You can make your argument here, but overall, Pillow has pledged to drop support for Python 2.7 as part of https://python3statement.org/
@radarhere I've got no argument, I was just interested to see the discussion
Please announce EOL of version ranges beforehand and with intent, not opportunistically. It is distressing to see support being dropped as soon as the CVE gets out.
The end of Python 2.7 support was announced in the Pillow 6.0.0 release notes, 9 months before support was ended.
To be fair, those notes don't imply that 6.x will not continue to get security fixes.
Pillow 6.x is the last series to support Python 2.
My incorrect interpretation was that there would be continued support for v6, but no new features would be backported.
@hugovk the first four CVEs have now been updated. The last one does not actually say that the problem applies 'before 7.0.0', it says that it applies 'through 7.0.0'.
Please backport security fixes to 6.2.x, especially if it's somewhat easily possible.
In a perfect world, everyone would be on Python 3 right now and thus able to use Pillow 7.x. However, the world is not perfect, and there are some projects where migrating to Python 3 takes time (still happening this year) and, more importantly, where the last version that supports Python 2 is still supported for a while.