Mandate Pillow>=10.0.1 because of libwebp CVE (#16347)

author: Mathieu Velten <mathieuv@matrix.org> 2023-09-18 15:01:23 +0200
committer: Mathieu Velten <mathieuv@matrix.org> 2023-09-18 15:02:16 +0200
commit: 053155a2af52aa66910e4a22dad60109607b1098 (patch)
tree: 35028a4483bcc17e25ce49580a5a3206665df26f
parent: Bump pillow from 10.0.0 to 10.0.1 (#16344) (diff)
download: synapse-053155a2af52aa66910e4a22dad60109607b1098.tar.xz
2 files changed, 4 insertions, 1 deletions
diff --git a/changelog.d/16347.misc b/changelog.d/16347.misc
new file mode 100644
index 0000000000..f4f5bfb2de
--- /dev/null
+++ b/changelog.d/16347.misc
@@ -0,0 +1 @@
+Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels.
diff --git a/pyproject.toml b/pyproject.toml
index 1144114041..d66089a67d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -174,7 +174,9 @@ PyYAML = ">=3.13"
 pyasn1 = ">=0.1.9"
 pyasn1-modules = ">=0.0.7"
 bcrypt = ">=3.1.7"
-Pillow = ">=5.4.0"
+# 10.0.1 minimum is mandatory here because of libwebp CVE-2023-4863.
+# Packagers that already took care of libwebp can lower that down to 5.4.0.
+Pillow = ">=10.0.1"
 # We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2.
 sortedcontainers = ">=1.5.2"
 pymacaroons = ">=0.13.0"
author	Mathieu Velten <mathieuv@matrix.org>	2023-09-18 15:01:23 +0200
committer	Mathieu Velten <mathieuv@matrix.org>	2023-09-18 15:02:16 +0200
commit	053155a2af52aa66910e4a22dad60109607b1098 (patch)
tree	35028a4483bcc17e25ce49580a5a3206665df26f
parent	Bump pillow from 10.0.0 to 10.0.1 (#16344) (diff)
download	synapse-053155a2af52aa66910e4a22dad60109607b1098.tar.xz