From f6596d529399a80fb89daf2675987f1fd92cbd64 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Tue, 26 Mar 2024 06:32:42 +1100 Subject: [PATCH] Added release notes and document deprecation --- docs/deprecations.rst | 8 ++++++++ docs/releasenotes/10.3.0.rst | 18 +++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/docs/deprecations.rst b/docs/deprecations.rst index 33bc14187..c3d1ba4f0 100644 --- a/docs/deprecations.rst +++ b/docs/deprecations.rst @@ -92,6 +92,14 @@ Deprecated Use instead :py:data:`sys.version_info`, and ``PIL.__version__`` ============================================ ==================================================== +ImageMath eval() +^^^^^^^^^^^^^^^^ + +.. deprecated:: 10.3.0 + +``ImageMath.eval()`` has been deprecated. Use :py:meth:`~PIL.ImageMath.lambda_eval` or +:py:meth:`~PIL.ImageMath.unsafe_eval` instead. + Removed features ---------------- diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst index a73efcee4..607f0b262 100644 --- a/docs/releasenotes/10.3.0.rst +++ b/docs/releasenotes/10.3.0.rst @@ -4,10 +4,15 @@ Security ======== -TODO -^^^^ +ImageMath eval() +^^^^^^^^^^^^^^^^ -TODO +.. danger:: + ``ImageMath.eval()`` uses Python's ``eval()`` function to process the expression + string, and carries the security risks of doing so. A direct replacement for this is + the new :py:meth:`~PIL.ImageMath.unsafe_eval`, but that carries the same risks. It is + not recommended to process expressions without considering this. + :py:meth:`~PIL.ImageMath.lambda_eval` is a more secure alternative. :cve:`YYYY-XXXXX`: TODO ^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -58,6 +63,13 @@ Deprecated Use instead :py:data:`sys.version_info`, and ``PIL.__version__`` ============================================ ==================================================== +ImageMath.eval() +^^^^^^^^^^^^^^^^ + +``ImageMath.eval()`` has been deprecated. Use :py:meth:`~PIL.ImageMath.lambda_eval` or +:py:meth:`~PIL.ImageMath.unsafe_eval` instead. See earlier security notes for more +information. + API Changes ===========
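Review bot: In the docs/deprecations.rst hunk the new heading reads ``ImageMath eval()`` while the release-notes Deprecated hunk in the same patch uses ``ImageMath.eval()``; the two entries describe the same deprecation and should use the same heading text (``ImageMath.eval()`` matches the literal used in the body). The entry also only says which functions to use instead; a single sentence saying why (``eval()`` is applied to the expression string) would let readers of the deprecations page understand that ``unsafe_eval`` inherits the same problem and is not a drop-in "safe" choice.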
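Review bot: In the Security hunk of docs/releasenotes/10.3.0.rst the ``.. danger::`` block says ``ImageMath.eval()`` "carries the security risks" of ``eval()`` but never names the concrete risk or the condition under which it applies; the sentence "It is not recommended to process expressions without considering this." is vague guidance. Suggest stating it directly, e.g. "Passing an expression string from an untrusted source to ``ImageMath.eval()`` or ``ImageMath.unsafe_eval()`` allows arbitrary Python code execution; only evaluate expressions you control, or use :py:meth:`~PIL.ImageMath.lambda_eval`." The trailing context also still shows the ``:cve:`YYYY-XXXXX`: TODO`` placeholder heading immediately below the new section; it should be filled in or removed before the 10.3.0 notes ship.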
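Review bot: In the Deprecated hunk of docs/releasenotes/10.3.0.rst, "See earlier security notes for more information." is a loose cross-reference that reads oddly once the page is rendered; point at the section explicitly (for example by giving the Security entry a label and using a ``:ref:`` to it, or naming the section as "the Security section above"). Also consider adding a ``.. deprecated:: 10.3.0`` line here to mirror the docs/deprecations.rst entry so the two pages stay consistent.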