Christopher Allan Webber writes:

> Leo Famulari writes:
>
>>> I'm trying to figure out where the patches for this are, but I can't
>>> find them. I expected them to maybe be here, but I don't see them here:
>>
>> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>>
>> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
>> that the update does address it:
>> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>>
>> Python2-pil *is* vulnerable. However, it seems to have no users in our
>> source tree. Should we remove it?
>
> I think so. Here's a patch to remove it. Look good? (Not sure if this
> needs a review or not :))
>
> - Chris

Leo gave me some comments on the description on IRC, so I changed those and pushed!
