Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade pillow to 7.1.0? #2820

Open
willgearty opened this issue Oct 23, 2019 · 4 comments · May be fixed by #3616
Open

Upgrade pillow to 7.1.0? #2820

willgearty opened this issue Oct 23, 2019 · 4 comments · May be fixed by #3616
Assignees
@willgearty
Labels
Security
Milestone
Stable Release 16

Comments

@willgearty
Copy link
Member

willgearty commented Oct 23, 2019
edited
Loading

Apparently there's a low severity security vulnerability in all versions < 6.2.0. We're on 3.3.3, which means upgrading involves a LOT of changes. @hwatheod made the last upgrade to pillow, so maybe he's the best to figure out if we need to address any changes? My understanding is that it's only used for the imagefield in the teacher bios?

Changelog is here: https://github.com/python-pillow/Pillow/blob/master/CHANGES.rst
@milescalabresi milescalabresi added this to the Stable Release 13 milestone Jul 16, 2020
@willgearty willgearty changed the title Upgrade pillow to 6.2.0 Upgrade pillow to 7.1.0? Oct 16, 2020
@willgearty
Copy link
Member Author

willgearty commented Oct 16, 2020
edited
Loading

Looks like we now need to upgrade to 7.1.0 due to even more security vulnerabilities (although it's unclear to me whether they are relevant to our use case of ImageField). Unfortunately, 7.1.0 dropped support for Python 2.7 (see support here). Looks like our options are:

  1. Upgrade to pillow 6.2.2, which fixes some of the security problems, but not all, but still supports python 2.7.
  2. Wait to upgrade pillow to 7.1.0 when we upgrade to python 3 (Upgrade to Python 3 #2576)
  3. Use FileField (ImageField without the image checks), some derived form of ImageField, or some other implementation of ImageField that doesn't require Pillow (I haven't found any options yet from my limited googling)
  4. Ignore the security vulnerabilities altogether (#1 is probably a better option)

@willgearty
Copy link
Member Author

@hwatheod or @milescalabresi, any thoughts?

@milescalabresi
Copy link
Contributor

I like 3 and 1 (then 2 when the time comes). Do we know how much/severe vulnerability there is in 6.2?

@willgearty willgearty mentioned this issue Oct 17, 2020
Merged
@willgearty willgearty assigned willgearty and unassigned hwatheod Oct 17, 2020
@willgearty willgearty mentioned this issue Sep 13, 2021
Closed
14 tasks
@milescalabresi
Copy link
Contributor

milescalabresi commented May 16, 2024
edited
Loading

Fixed by #3616. I revise my statement: let's do option 2!

@milescalabresi milescalabresi linked a pull request May 17, 2024 that will close this issue
Migration to Python3 #3616
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@willgearty willgearty

Labels
Security
Projects
None yet
Milestone
Stable Release 16
3 participants
@hwatheod @milescalabresi @willgearty