Update to 6.2.1

Changes: https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst
@Sunpoet Can you include the proposed patch as an attachment please?

Upstream also now has 6.2.2 (last version supporting 2.x), which includes several security fixes (MFH).

We also need a VuXML entry patch.

We also need to plan and coordinate at a date in the near future copying pillow -> pillow6, to enable the upgrade of pillow to 7.x (supporting 3.x only), which is already out: https://github.com/python-pillow/Pillow/blob/7.0.0/CHANGES.rst

If someone could attach a (separate) patch updating the main port to 7.x and updating all existing consumers of pillow -> pillow6, this would go a long way.
Created attachment 210978
6.2.2 & 7.0.0

Run "svn cp graphics/py-pillow graphics/py-pillow6" before applying the patch.
Kai has the lead. Thank you for the patch update Sunpoet
I'd do a small change in favor of MFH'ing the 6.2.2 release (which is security related):

1. Update graphics/py-pillow to 6.2.2
2. MFH'ing it to 2020Q1
3. Repocopy graphics/py-pillow to graphics/py-pillow6 with all required changes
4. Update graphics/py-pillow to 7.0 and adjust its consumers

Once steps 1 and 2 are done we can fully work on the planning and introduction of the 7.0 release.

I'm going to add a VuXML entry tonight and commit the 6.2.2 update to /head during the upcoming weekend.

@koobs: I assume the update of graphics/py-pillow 6.2.2 has your approval?
A commit references this bug:

Author: kai
Date: Fri Jan 24 22:20:01 UTC 2020
New revision: 523993
URL: https://svnweb.freebsd.org/changeset/ports/523993

Log:
  security/vuxml: Document graphics/py-pillow issues

  PR: 243336
  Security: CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

Changes:
  head/security/vuxml/vuln.xml
QA for the 6.2.2 update is fine:

py37, py38:
> ==== 1250 passed, 130 skipped, 4 warnings in 23.17 seconds ====

py36:
> ==== 1249 passed, 131 skipped, 4 warnings in 23.26 seconds ====

py27, py35:
> ==== 1248 passed, 132 skipped, 4 warnings in 25.00 seconds ====

Building against all consumers was also fine (11.3-RELEASE amd64 py27/py35/py36/py37/py38).
(In reply to Kai Knoblich from comment #4)

* Yep, let's get the security update in first and merged
* Everything is approved contingent on QA passing
* If you'd like to track the pillow 7.x work in a separate issue, just create one and add it to this issue's See Also so people can follow
A commit references this bug:

Author: kai
Date: Sat Jan 25 09:54:05 UTC 2020
New revision: 524023
URL: https://svnweb.freebsd.org/changeset/ports/524023

Log:
  graphics/py-pillow: Update to 6.2.2

  Changelogs since 6.2.0:
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.1.html

  PR: 243336
  Submitted by: sunpoet
  Approved by: koobs (maintainer)
  MFH: 2020Q1
  Security: 0700e76c-3eb0-11ea-8478-3085a9a95629

Changes:
  head/graphics/py-pillow/Makefile
  head/graphics/py-pillow/distinfo
A commit references this bug:

Author: kai
Date: Sat Jan 25 21:35:27 UTC 2020
New revision: 524135
URL: https://svnweb.freebsd.org/changeset/ports/524135

Log:
  MFH: r524023

  graphics/py-pillow: Update to 6.2.2

  Changelogs since 6.2.0:
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.1.html

  PR: 243336
  Submitted by: sunpoet
  Approved by: koobs (maintainer)
  Security: 0700e76c-3eb0-11ea-8478-3085a9a95629

  Approved by: ports-secteam (riggs)

Changes:
  _U branches/2020Q1/
  branches/2020Q1/graphics/py-pillow/Makefile
  branches/2020Q1/graphics/py-pillow/distinfo
(In reply to Kubilay Kocak from comment #7)

Ok, I close this issue as Pillow 6.2.2 is available in the /head and the 2020Q1 branches.

We continue steps 3 and 4 from comment #4 in a separate issue (bug #243665) for the sake of brevity.