Overview

File matrix-synapse-older-pillow.patch of Package matrix-synapse

From 425f8e2c0beb7119db5e48b00a3b456a929d2505 Mon Sep 17 00:00:00 2001
From: Oleg Girko <ol@infoserver.lv>
Date: Mon, 18 Sep 2023 18:14:32 +0100
Subject: [PATCH] Revert "Mandate Pillow>=10.0.1 because of libwebp CVE
 (#16347)"

It's not needed to update Pillow in Fedora because it has
no bundled libwebp.

Fedora has older version of Pillow, and it's OK because it's not
vulnerable to this bug.

This reverts commit 053155a2af52aa66910e4a22dad60109607b1098.
---
 pyproject.toml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 8f4f1b8568..8cb0b3a43b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -51,9 +51,7 @@ dependencies = [
     "pyasn1>=0.1.9",
     "pyasn1-modules>=0.0.7",
     "bcrypt>=3.1.7",
-    # 10.0.1 minimum is mandatory here because of libwebp CVE-2023-4863.
-    # Packagers that already took care of libwebp can lower that down to 5.4.0.
-    "Pillow>=10.0.1",
+    "Pillow>=5.4.0",
     # We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2.
     # 2.0.5 updates collections.abc imports to avoid Python 3.10 incompatibility.
     "sortedcontainers>=2.0.5",
-- 
2.54.0
Places