CVE for <7.1.0 references non-existent 6.2.3 release

[untitaker]

CVE-2020-10379 references the changelog of release 6.2.3, a release that does not exist. I don't see any attempt to backport the relevant security fixes to the 6.2.x branch. Please clarify whether 6.2.3 will be released or 6.2 is EOL.

[radarhere]

There was discussion about adding security patches to the 6.2.x series, since it was the last Pillow version to support Python 2.7. However, that discussion did not result in a release, and there are no active plans to do so.

[radarhere]

Actually, the CVE description also references 7.0.1, which doesn't exist either. I have submitted a request to have this corrected.

[hugovk]

Thanks!

The Mitre pages for the first three CVEs of #4538 say "Pillow before 6.2.3 and 7.x before 7.0.1", and the last two say "Pillow before 7.0.0".

All should say "Pillow before 7.1.0" and links to 404
https://pillow.readthedocs.io/en/stable/releasenotes/6.2.3.html removed.

[graingert]

There was discussion about adding security patches to the 6.2.x series,

@radarhere is there a public link to that discussion?

[radarhere]

No. It was had in a context of discussing the security vulnerabilities before the fixes had been released.

You can make your argument here, but overall, Pillow has pledged to drop support for Python 2.7 as part of https://python3statement.org/

[graingert]

@radarhere I've got no argument, I was just interested to see the discussion

[untitaker]

Please announce EOL of version ranges beforehand and with intent, not opportunistically. It is distressing to see support being dropped as soon as the CVE gets out.

[radarhere]

The end of Python 2.7 support was announced in the Pillow 6.0.0 release notes, 9 months before support was ended.

[graingert]

To be fair, those notes don't imply that 6.x will not continue to get security fixes

Pillow 6.x the last series to support Python 2.

My incorrect interpretation was that there would be continued support for v6, but no new features would be backported