Bug 215615 - graphics/py-pillow: Update to 3.4.2 (security fixes)
Summary: graphics/py-pillow: Update to 3.4.2 (security fixes)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Mark Felder
URL: https://reviews.freebsd.org/D8927
Keywords: patch, security
Depends on:
Blocks: 214412
  Show dependency treegraph
 
Reported: 2016-12-27 17:17 UTC by Po-Chuan Hsieh
Modified: 2017-01-09 18:06 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (koobs)
feld: merge-quarterly+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Po-Chuan Hsieh freebsd_committer freebsd_triage 2016-12-27 17:17:16 UTC 
- Update to 3.4.2
- Add JPEG2000 option

Changes:        https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst

py-pillow in the ports tree is 3.1.1 which is vulnerable [1].

[1] https://vuxml.freebsd.org/freebsd/bc4898d5-a794-11e6-b2d3-60a44ce6887b.html
Comment 1 VK 2017-01-06 02:19:06 UTC 
Maintainer TIMEOUT, back to the pool. Looks good. Running build tests now.
Comment 2 VK 2017-01-06 03:12:31 UTC 
Build passed:

* Poudriere 11.0, amd64, python35
* Poudriere 11.0, amd64, python27
* Poudriere 10.3, amd64, python35
* Poudriere 10.3, amd64, python27
Comment 3 VK 2017-01-06 03:21:02 UTC 
Port's unit tests passed, Ran 785 tests in 6.355s, skipped 119.
Comment 4 Po-Chuan Hsieh freebsd_committer freebsd_triage 2017-01-06 21:20:43 UTC 
(In reply to Vladimir Krstulja from comment #1)

@Vladimir, thank you for testing. I think this should be MFH'd to 2017Q1.
BTW, it seems the timeout will be Jan 10 (14 days from Dec 27).
Comment 5 Mark Felder freebsd_committer freebsd_triage 2017-01-09 17:40:27 UTC 
When it's security related we don't need maintainer approval / wait for timeout.
Comment 6 Po-Chuan Hsieh freebsd_committer freebsd_triage 2017-01-09 17:57:16 UTC 
(In reply to Mark Felder from comment #5)

Ok, so it's covered by portmgr blanket or ports-secteam blanket?
Comment 7 Mark Felder freebsd_committer freebsd_triage 2017-01-09 18:00:50 UTC 
committed, thanks!
Comment 8 commit-hook freebsd_committer freebsd_triage 2017-01-09 18:00:58 UTC 
A commit references this bug:

Author: feld
Date: Mon Jan  9 18:00:01 UTC 2017
New revision: 430992
URL: https://svnweb.freebsd.org/changeset/ports/430992

Log:
  graphics/py-pillow: Update to 3.4.2 (security fixes)

  - Update to 3.4.2
  - Add JPEG2000 option

  Changes:	https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst

  PR:		215615
  MFH:		2017Q1

Changes:
  head/graphics/py-pillow/Makefile
  head/graphics/py-pillow/distinfo
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-01-09 18:01:00 UTC 
A commit references this bug:

Author: feld
Date: Mon Jan  9 18:00:36 UTC 2017
New revision: 430993
URL: https://svnweb.freebsd.org/changeset/ports/430993

Log:
  MFH: r430992

  graphics/py-pillow: Update to 3.4.2 (security fixes)

  - Update to 3.4.2
  - Add JPEG2000 option

  Changes:	https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst

  PR:		215615

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/graphics/py-pillow/Makefile
  branches/2017Q1/graphics/py-pillow/distinfo
Comment 10 Mark Felder freebsd_committer freebsd_triage 2017-01-09 18:01:44 UTC 
(In reply to Po-Chuan Hsieh from comment #6)

ports-secteam approval generally overrides need of maintainer approval (of course common sense presides)
Comment 11 VK 2017-01-09 18:06:04 UTC 
(In reply to Po-Chuan Hsieh from comment #4)

The reason I stated timeout, beside it being a security issue like feld said, is that I already have an issue open about it from November (the dependent bug #214412). I just never got around to producing a patch like you did :)