Commit Graph

20713 Commits

Author SHA1 Message Date
Jeffrey 'Alex' Clark
9f24881521 Add STRIDE threat model to security docs
- Update .github/SECURITY.md with threat model summary and link to handbook
- Add docs/handbook/security.rst with full STRIDE analysis (14 threats
  across Spoofing, Tampering, Repudiation, Information Disclosure,
  Denial of Service, and Elevation of Privilege categories)
- Add prioritised mitigation recommendations
- Link security.rst into the handbook toctree

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-14 12:13:45 -04:00
Jeffrey 'Alex' Clark
a124ed208f Update template wording 2026-04-14 11:36:33 -04:00
Jeffrey 'Alex' Clark
ee24a11073 Update .github/INCIDENT_RESPONSE.md
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
2026-04-14 11:26:03 -04:00
Hugo van Kemenade
6dd03edba8
Use GitLab as data source for FreeType
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
2026-04-13 15:39:38 +03:00
Hugo van Kemenade
65767a0cf7
Use GitLab as data source for libtiff
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
2026-04-12 12:08:07 +03:00
Hugo van Kemenade
a49c63208a Move dependency versions to single JSON and enable Renovate 2026-04-12 12:07:07 +03:00
Andrew Murray
3a3dab8bb0
Updated raqm to 0.10.5 (#9557) 2026-04-12 15:13:32 +10:00
Andrew Murray
4b911c889b
Correct environment URL (#9558) 2026-04-11 20:22:22 +10:00
Hugo van Kemenade
b04c9a3d2f
Add CVEs to 12.2.0 release notes (#9556) 2026-04-11 11:03:38 +03:00
Andrew Murray
3157407762
Remove or protect secrets in Actions (#9544) 2026-04-11 17:05:49 +10:00
Andrew Murray
fb1375d93b Added CVEs 2026-04-11 08:34:08 +10:00
Jeffrey 'Alex' Clark
6e1ccab749 Address review feedback on INCIDENT_RESPONSE.md
- Update CVSS v3.1 to CVSS 4.0 throughout
- Remove 'Direct maintainer contact' from detection sources
- Fix 'before it stays public' wording for user bug reports
- Simplify sections 7.3 and 7.4 to reference RELEASING.md instead
  of duplicating release process steps
- Update RELEASING.md Point release section with security-specific
  steps (amend CVE in commits, publish GitHub Security Advisory)
- Fix PyPI API tokens entry (remove GitHub secrets reference)
- Fix 404 PyPI manage URL (use correct case and /releases/ path)
- Replace security@pypi.org mailto with https://pypi.org/security/
- Remove unconfirmed 'Notify GitHub Security' bullet
- Fix section numbering: 10.x → 9.x under Section 9. Dependency Map
- Reorder: move 9.3 Responding to Upstream Vulnerability before 9.3
  Downstream Dependencies (now 9.2 and 9.3 respectively)
- Add anchor link for Section 5 reference in 9.2
- Add #plugin-list anchor to third-party plugins handbook link
- Fix GitLab issue tracker URLs to use /-/work_items for libtiff,
  freetype2, and bzip2
- Add pyproject.toml reference for complete optional dependencies list

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-10 10:58:43 -04:00
Jeffrey 'Alex' Clark
0cbdd2eff9
Update .github/INCIDENT_RESPONSE.md
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
2026-04-10 10:37:34 -04:00
Hugo van Kemenade
eda14b6c4a Restrict nightly Anaconda uploads to environment 2026-04-10 16:33:18 +03:00
Jeffrey 'Alex' Clark
24b12dc84f Combine plan maintenance into a single paragraph
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-10 07:49:37 -04:00
Jeffrey 'Alex' Clark
d016c90108 Remove active exploitation escalation bullet from incident response
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-10 07:44:27 -04:00
Jeffrey 'Alex' Clark
6a0192a40a Update .github/INCIDENT_RESPONSE.md
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
2026-04-10 07:44:16 -04:00
Jeffrey 'Alex' Clark
6fe81dd52e Remove Wand from downstream dependencies
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 18:19:22 -04:00
Jeffrey 'Alex' Clark
55989595ea Add private channels note to internal communication guidance
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 18:17:39 -04:00
Jeffrey 'Alex' Clark
b579577aa0 Link to section 1.3 in Plan Maintenance
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 18:15:25 -04:00
Jeffrey 'Alex' Clark
6f815c2d8d Clarify advisory thread purpose as reporter coordination
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 18:13:43 -04:00
Jeffrey 'Alex' Clark
80a91fdb4e Add setuptools to Python-level dependencies
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 18:08:44 -04:00
Jeffrey 'Alex' Clark
0d440b7d09 Trim Plan Maintenance section
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 18:04:00 -04:00
Jeffrey 'Alex' Clark
00ff8636a2 Remove section 7.5 Rollback Procedures
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 18:01:08 -04:00
Jeffrey 'Alex' Clark
e74a89f70e Trim version support matrix prose
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:59:29 -04:00
Jeffrey 'Alex' Clark
20af4ec89c Change Critical/High SLA targets to best effort
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:55:11 -04:00
Jeffrey 'Alex' Clark
3f90d5c4da Replace section sign (§) with plain Section references
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:53:04 -04:00
Jeffrey 'Alex' Clark
68be7f30ff Remove Tidelift notification step from triage
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:50:45 -04:00
Jeffrey 'Alex' Clark
e0f9e2b98e Fix severity classification cross-reference, remove incident lead assignment step
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:46:58 -04:00
Jeffrey 'Alex' Clark
ad582c1a8e Simplify Roles section note
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:38:34 -04:00
Jeffrey 'Alex' Clark
c2ac2da31c Inline Readiness Review procedure as prose
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:28:42 -04:00
Jeffrey 'Alex' Clark
3aa076129f Remove backport comment from version support matrix
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:25:32 -04:00
Jeffrey 'Alex' Clark
4a74a20b86 Update Readiness Review: quarterly cadence, trim checklist
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 17:23:52 -04:00
Jeffrey 'Alex' Clark
64ed4710b9 Fix version support matrix to reflect main-only security policy
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-09 16:59:41 -04:00
Jeffrey 'Alex' Clark
cdaa1bf9ef Add sections from Bootstrap example
At the risk of making this document larger, add in sections that are in the
Bootstrap IRP but not ours.

- https://github.com/twbs/bootstrap/blob/main/.github/INCIDENT_RESPONSE.md
2026-04-09 12:57:16 -04:00
Jeffrey 'Alex' Clark
4d63d0b3a6 Fix links 2026-04-09 12:47:50 -04:00
Jeffrey 'Alex' Clark
cb5736ea3e Add INCIDENT_RESPONSE.md 2026-04-09 12:36:00 -04:00
Hugo van Kemenade
5ada8c8306
Use github.event.repository.fork (#9551) 2026-04-09 18:43:23 +03:00
Andrew Murray
6ede62874b
Update README with revised security policy (#9553) 2026-04-09 19:01:17 +10:00
Jeffrey 'Alex' Clark
b97034ae02 Link to New draft security advisory 2026-04-08 20:01:39 -04:00
Jeffrey 'Alex' Clark
77b2f6791a
Update security policy (#9552) 2026-04-08 16:23:51 -04:00
Jeffrey 'Alex' Clark
8f625f19ef
Update .github/SECURITY.md
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
2026-04-08 16:17:52 -04:00
Jeffrey 'Alex' Clark
8edb7734b5
Update .github/SECURITY.md
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
2026-04-08 14:52:36 -04:00
Jeffrey 'Alex' Clark
05860779a1
Update .github/SECURITY.md
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
2026-04-08 14:52:19 -04:00
Jeffrey 'Alex' Clark
ab02e810b0 Update security policy 2026-04-08 13:16:37 -04:00
Andrew Murray
ed89b93940 Use github.event.repository.fork 2026-04-08 21:51:43 +10:00
Hugo van Kemenade
7cf4dac7ae
Move Homebrew dependencies into Brewfile (#9546) 2026-04-07 19:09:30 +10:00
Trần Bách
117de2b181 fix(security)(_imagingtk.c): unsafe pointer dereference from unchecked python i
In `_tkinit`, `PyLong_AsVoidPtr(arg)` converts an arbitrary Python object to a `void*` pointer which is then cast to `Tcl_Interp*` and passed to `TkImaging_Init`. If `PyLong_AsVoidPtr` fails (returns NULL and sets an error), or if the caller passes an arbitrary integer value, the code proceeds to dereference it without any validation, potentially leading to a crash or arbitrary memory access.

Affected files: _imagingtk.c

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
2026-04-07 09:41:12 +07:00
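The two failure modes the commit message above distinguishes, as an added example that is not Pillow's code and not the change made in that commit: it drives CPython's own `PyLong_AsVoidPtr` from Python through `ctypes.pythonapi`, so that a conversion failure (NULL returned with an error set) can be told apart from a "successful" conversion of an arbitrary integer, including 0, without building an extension. `as_void_ptr`, `checked_interp_address` and `classify` are names chosen here; the checks in `checked_interp_address` restate the standard C-API idiom (`p == NULL && PyErr_Occurred()`, plus an explicit NULL test) in Python and are an assumed hardening, not a description of what `_tkinit` does.

```python
import ctypes

# ctypes.pythonapi is a PyDLL: after each call it checks the Python error flag and,
# if set, raises that exception. A NULL return *with* an error set therefore surfaces
# here as TypeError/OverflowError, which is exactly the case C code must test for
# with `if (p == NULL && PyErr_Occurred())` before using the pointer.
_PyLong_AsVoidPtr = ctypes.pythonapi.PyLong_AsVoidPtr
_PyLong_AsVoidPtr.restype = ctypes.c_void_p   # NULL comes back as None
_PyLong_AsVoidPtr.argtypes = [ctypes.py_object]


def as_void_ptr(obj):
    """Bare conversion with the C API's own semantics (illustrative name, assumed).

    Returns the address as an int, None for NULL, and raises whatever error
    PyLong_AsVoidPtr set. Any in-range int "converts" successfully: nothing here
    proves the value points at a live Tcl_Interp.
    """
    return _PyLong_AsVoidPtr(obj)


def checked_interp_address(obj):
    """The checks a wrapper should make before casting the value to Tcl_Interp*
    (assumed hardening, not Pillow's code).

    - non-integers are rejected before conversion (the C API would set TypeError);
    - values that do not fit a pointer raise OverflowError from the C API;
    - NULL is rejected explicitly: converting 0 yields NULL *without* an error set,
      so the error-flag check alone would let it through to be dereferenced.
    A non-NULL address still cannot be validated as a real interpreter from here;
    that limitation is the one the commit message describes for arbitrary integers.
    """
    if isinstance(obj, bool) or not isinstance(obj, int):
        raise TypeError(
            "interpreter address must be an int, got %s" % type(obj).__name__
        )
    addr = _PyLong_AsVoidPtr(obj)  # may raise OverflowError
    if addr is None:
        raise ValueError("NULL interpreter address")
    return addr


def classify(obj):
    """Label the outcome of the bare conversion: 'error', 'null' or 'address'.

    This is the three-way split a C caller has to handle; the commit message says
    _tkinit proceeded to dereference the result in all three cases.
    """
    try:
        addr = as_void_ptr(obj)
    except (TypeError, OverflowError):
        return "error"
    return "null" if addr is None else "address"


if __name__ == "__main__":
    # Constructed sample inputs: a plausible address, NULL, a wrong type, and an
    # integer too large for a pointer.
    for sample in (0x1000, 0, "not an int", 2 ** 200):
        print(repr(sample), "->", classify(sample))
```

Run it with any CPython: the str and the oversized int both report `error` (the NULL-plus-exception path), `0` reports `null` (NULL with no exception, the case an error-flag check alone misses), and `0x1000` reports `address` even though nothing at that address is an interpreter.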
Hugo van Kemenade
43a3e5ca21 Remove Codecov token 2026-04-06 23:35:44 +03:00
Hugo van Kemenade
c722aaec53
Do not precompute horizontal coefficients if not horizontal resizing (#9543) 2026-04-06 20:29:12 +03:00