tag name | v1.92.3 (06efd310f279c3306dc64028df7ccfed751dbdf6) |
tag date | 2023-09-18 16:04:41 +0200 |
tagged by | Mathieu Velten <mathieuv@matrix.org> |
tagged object | commit e36990c00e... |
download | synapse-1.92.3.tar.xz |
---|
This is again a security update targeted at mitigating [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863).
It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of the libwebp package at the OS level.

Unlike what was advertised in the 1.92.2 changelog this release also impacts PyPI wheels and Debian packages from matrix.org.

We encourage admins to upgrade as soon as possible.

- Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. ([\#16347](https://github.com/matrix-org/synapse/issues/16347))

* Bump pillow from 10.0.0 to 10.0.1. ([\#16344](https://github.com/matrix-org/synapse/issues/16344))
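An environment check for the point made in the tag message, that the affected libwebp ships inside the Pillow wheel rather than coming from the OS package. This is an added example, not Synapse code: the function names and the sample file names in the test are constructed for illustration, and it is meant to be run with the interpreter of the virtualenv Synapse uses.

```python
"""Report whether the installed Pillow predates 10.0.1 and carries its own libwebp."""
import re
from importlib import metadata

FIXED = (10, 0, 1)  # Pillow release the tag message makes mandatory

# Shared-library file names such as libwebp-<hash>.so.7.x or libwebp.7.dylib
# (naming pattern is an assumption about how wheels vendor the library).
_WEBP_LIB = re.compile(r"(^|[/\\])libwebp[^/\\]*\.(so|dylib|dll)", re.I)


def parse_version(text):
    """Leading numeric release segment of a version string as a 3-tuple."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def bundled_webp(files):
    """Entries of a distribution's file list that look like a vendored libwebp."""
    return [f for f in files if _WEBP_LIB.search(f)]


def audit(version, files):
    """Decide from a version string and file list whether an upgrade is needed.

    An empty 'vendored_libwebp' list proves nothing on its own: the library can
    also be linked into Pillow's extension module, so the version is what counts.
    """
    return {
        "version": version,
        "needs_upgrade": parse_version(version) < FIXED,
        "vendored_libwebp": bundled_webp(files),
    }


def audit_installed():
    """Audit the Pillow visible to this interpreter; None if it is not installed."""
    try:
        dist = metadata.distribution("Pillow")
    except metadata.PackageNotFoundError:
        return None
    return audit(dist.version, [str(f) for f in (dist.files or [])])


if __name__ == "__main__":
    print(audit_installed())
```

A result with `needs_upgrade` set means updating the OS libwebp package alone leaves that environment unchanged; the Pillow wheel itself has to be replaced.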