The repositorys LICENSE file contains BSD-3-Clause license text, so
update the relevant recipe information field to match.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
QuerySet.values() and values_list() methods on models with a JSONField are
subject to SQL injection in column aliases via a crafted JSON object key
as a passed *arg.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-42005
Upstream-patch:
f4af67b9b4
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 42, in <module>
from typing_extensions import Literal, ParamSpec, Protocol
ModuleNotFoundError: No module named 'typing_extensions'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
from twisted.internet import defer
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 14, in <module>
from asyncio import AbstractEventLoop, Future, iscoroutine
ModuleNotFoundError: No module named 'asyncio'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
aiohttp is an asynchronous HTTP client/server framework
for asyncio and Python.When using aiohttp as a web server
and configuring static routes, it is necessary to specify
the root path for static files. Additionally, the option
'follow_symlinks' can be used to determine whether to
follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no
validation to check if reading a file is within the root
directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to
arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy
are encouraged mitigations. Version 3.9.2 fixes this issue.
References:
https://security-tracker.debian.org/tracker/CVE-2024-23334https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Upgrade to 1.4.1 to make it work with setuptools 59.x as it doesn't
support pep 621 [1], so remove pyproject.toml and add setup.cfg back [2].
* Add python3-toml to RDEPENDS to fix below error:
self = <yamlinclude.readers.TomlReader object at 0x7faceccdbd30>
def __call__(self):
if sys.version_info >= (3, 11):
with open(self._path, "rb") as fp:
return tomllib.load(fp)
else:
try:
import toml
except ImportError as err: # pragma: no cover
> raise ImportError(f'Un-supported file "{self._path}".\n`pip install toml` should solve the problem.\n\n{err}')
E ImportError: Un-supported file "tests/data/include.d/1.toml".
E `pip install toml` should solve the problem.
E
E No module named 'toml'
../../python3.10/site-packages/yamlinclude/readers.py:69: ImportError
[1] https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
[2] https://github.com/tanbro/pyyaml-include/issues/43
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add a recipe for the pyyaml-include package that extends PyYAML to include
YAML files within YAML files. Add a ptest to run the unit tests and include
the tests as part of the package lists in meta-python
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf011a9f5e)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 4.2.5 and 4.2.7 contains the fixes for
CVE-2023-43665, CVE-2023-46695 and other bugfixes.
git log --oneline 4.2.5..4.2.7 shows:
d254a54e7f (tag: 4.2.7) [4.2.x] Bumped version for 4.2.7 release.
048a9ebb6e [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
3fae5d92da [4.2.x] Refs #30601 -- Fixed typos in docs/topics/db/transactions.txt.
a8aa94062b [4.2.x] Refs #15578 -- Made cosmetic edits to fixtures docs.
109f39a38b [4.2.x] Fixed#34932 -- Restored varchar_pattern_ops/text_pattern_ops index creation when deterministic collaction is set.
61612990d8 [4.2.x] Fixed typos in docs/ref/models/expressions.txt.
696fbc32d6 [4.2.x] Fixed#30601 -- Doc'd the need to manually revert all app state on transaction rollbacks.
ffba63180c [4.2.x] Fixed typo in docs/ref/contrib/gis/geos.txt.
43a3646070 [4.2.x] Fixed#15578 -- Stated the processing order of fixtures in the fixtures docs.
0cd8b867a0 [4.2.x] Added stub release notes and release date for 4.2.7, 4.1.13, and 3.2.23.
510a512119 [4.2.x] Fixed typo in docs/releases/4.2.txt.
b644f8bc1f [4.2.x] Corrected note about using accents in writing documentation contributing guide.
a576ef98ae [4.2.x] Refs #34900, Refs #34118 -- Updated assertion in test_skip_class_unless_db_feature() test on Python 3.12.1+.
803caec60b [4.2.x] Fixed#34798 -- Fixed QuerySet.aggregate() crash when referencing expressions containing subqueries.
caec4f4a6f [4.2.x] Refs #34840 -- Improved release note describing index regression.
b6bb2f8099 [4.2.x] Refs #34840 -- Fixed test_validate_nullable_textfield_with_isnull_true() on databases that don's support table check constraints.
e8fe48d3a0 [4.2.x] Fixed#34808 -- Doc'd aggregate function's default argument.
830990fa6c [4.2.x] Reorganized tutorial's part 4 to better understand changes needed in URLConf.
0cbc92bc3a [4.2.x] Refs #26029 -- Improved get_storage_class() deprecation warning with stacklevel=2.
9c7627da30 [4.2.x] Refs #34043 -- Clarified how to test UI changes.
0bd53ab86a [4.2.x] Added backticks to setuptools in docs.
99dcba90b4 [4.2.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.
6697880219 [4.2.x] Refs #31435 -- Doc'd potential infinite recursion when accessing model fields in __init__.
a9a3317a95 [4.2.x] Corrected wrap_socket() reference in docs/ref/settings.txt.
9962f94a97 [4.2.x] Added CVE-2023-43665 to security archive.
b2d95bb301 [4.2.x] Added stub release notes for 4.2.7.
08d54f83a9 [4.2.x] Post release version bump.
c22017bd1d (tag: 4.2.6) [4.2.x] Bumped version for 4.2.6 release.
be9c27c4d1 [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
39fc3f46a8 [4.2.x] Added stub release notes and release date for 4.2.6, 4.1.12, and 3.2.22.
dd0bf63d3e [4.2.x] Added warning about flatpages and untrusted users.
fec4ed0a25 [4.2.x] Refs #34320 -- Skipped SchemaTests.test_rename_field_with_check_to_truncated_name on MariaBD 10.5.2+.
a148461f1f [4.2.x] Fixed#34840 -- Avoided casting string base fields on PostgreSQL.
b08f53ff46 [4.2.x] Refs #34808 -- Doc'd that aggregation functions on empty groups can return None.
c70f08c4aa [4.2.x] Added updating the Django release process on Trac to release steps.
d485aa2732 [4.2.x] Fixed typo in docs/howto/custom-file-storage.txt.
ff26e6ad84 [4.2.x] Corrected QuerySet.prefetch_related() note about GenericRelation().
866122690d [4.2.x] Doc'd HttpResponse.cookies.
97e8a2afb1 [4.2.x] Fixed#34821 -- Prevented DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings from mutating the main STORAGES.
39cb3b08bc [4.2.x] Bumped checkout version in Github actions configuration.
592ebd8920 [4.2.x] Added stub release notes for 4.2.6.
a1dd785139 [4.2.x] Added CVE-2023-41164 to security archive.
a9686cb871 [4.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.7/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 3.2.21 and 3.2.23 contains the fixes for
CVE-2023-43665, CVE-2023-46695 and other bugfixes.
git log --oneline 3.2.21..3.2.23 shows:
60e648a7ae (tag: 3.2.23) [3.2.x] Bumped version for 3.2.23 release.
f9a7fb8466 [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
e6d2591d9e [3.2.x] Added stub release notes for 3.2.23.
3c04b74293 [3.2.x] Added CVE-2023-43665 to security archive.
86a14d653f [3.2.x] Post release version bump.
3106e94e52 (tag: 3.2.22) [3.2.x] Bumped version for 3.2.22 release.
ccdade1a02 [3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
6caf7b313d [3.2.x] Added stub release notes for 3.2.22.
9e814c3a5e [3.2.x] Added CVE-2023-41164 to security archive.
4b439dcd05 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.23/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-43665:
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the
django.utils.text.Truncator chars() and words() methods (when used with
html=True) are subject to a potential DoS (denial of service) attack via
certain inputs with very long, potentially malformed HTML text. The chars()
and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which are thus also vulnerable.
NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
CVE-2023-46695:
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and
4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence,
django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of
service) attack via certain inputs with a very large number of Unicode characters.
References:
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The command "bitbake universe -c fetch" currently throws a ton of warnings
as there are many 'impossible' dependencies.
In some cases these variants may never have worked and were just added by copy
and paste of recipes. In some cases they once clearly did work but became
broken somewhere along the way. Users may also be carrying local bbappend files
which add further BBCLASSEXTEND.
Having universe fetch work without warnings is desireable so clean up the broken
variants. Anyone actually needing something dropped here can propose adding it
and the correct functional dependencies back quite easily. This also then
ensures we're not carrying or fixing things nobody uses.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d4aa17dc43)
Backport:
* Adapted paths to follow PV changes
* Adapted modified recipes to the ones generating warnings
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
python3-beautifulsoup4 does depend on python3-soupsieve but
python3-soupsieve does not depend on python3-beautifulsoup4.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 4.2.3 and 4.2.5 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 4.2.3..4.2.5 shows:
b8b2f74512 (tag: 4.2.5) [4.2.x] Bumped version for 4.2.5 release.
9c51b4dcfa [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
acfb427522 [4.2.x] Fixed#34803 -- Fixed queryset crash when filtering againts deeply nested OuterRef annotations.
55a0b9c32e [4.2.x] Added stub release notes and release date for 4.2.5, 4.1.11, and 3.2.21.
8e8c318449 [4.2.x] Avoided counting exceptions in AsyncClient docs.
dcb9d7a0e4 [4.2.x] Improved formset docs by using a set instead of a list in the custom validation example.
f55b420277 [4.2.x] Fixed#34781 -- Updated logging ref docs for django.server's request extra context value.
46b2b08e45 [4.2.x] Fixed#34779 -- Avoided unnecessary selection of non-nullable m2m fields without natural keys during serialization.
d34db6602e [4.2.x] Fixed#34773 -- Fixed syncing DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings with STORAGES.
a22aeef555 [4.2.x] Fixed#15799 -- Doc'd that Storage._open() should raise FileNotFoundError when file doesn't exist.
936afc2deb [4.2.x] Refs #34754 -- Added missing FullResultSet import.
3a1863319c [4.2.x] Fixed#34754 -- Fixed JSONField check constraints validation on NULL values.
951dcbb2e6 [4.2.x] Fixed#34756 -- Fixed docs HTML build on Sphinx 7.1+.
a750fd0d7f [4.2.x] Added stub release notes for 4.2.5.
a56c46642d [4.2.x] Post-release version bump.
6f4c7c124a (tag: 4.2.4) [4.2.x] Bumped version for 4.2.4 release.
e53d6239df [4.2.x] Added release date for 4.2.4.
8808d9da6b [4.2.x] Fixed#34750 -- Fixed QuerySet.count() when grouping by unused multi-valued annotations.
2ef2b2ffc0 [4.2.x] Corrected pycon formatting in some docs.
8db9a0b5a0 [4.2.x] Fixed warnings per flake8 6.1.0.
739da73164 [4.2.x] Fixed#34748 -- Fixed queryset crash when grouping by a reference in a subquery.
a52a2b6678 [4.2.x] Fixed#34749 -- Corrected QuerySet.acreate() signature in docs.
12ebd9a1ac [4.2.x] Refs #34712 -- Doc'd that defining STORAGES overrides the default configuration.
1f9d00ef9f [4.2.x] Added missing backticks in docs.
c99d935600 [4.2.x] Fixed typo in docs/ref/models/querysets.txt.
da92a971a0 [4.2.x] Refs #30052 -- Clarified that defer() and only() do not work with aggregated fields.
7a67b065d7 [4.2.x] Fixed#34717 -- Fixed QuerySet.aggregate() crash when referencing window functions.
c646412a75 Added reference to TypedChoiceField in ChoiceField docs.
f474ba4cb5 [4.2.x] Fixed#34309 -- Doc'd how to fully delete an app.
e54f711d42 [4.2.x] Fixed#33405, Refs #7177 -- Clarified docs for filter escapejs regarding safe and unsafe usages.
047844270b [4.2.x] Added stub release notes for 4.2.4.
Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.5/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 3.2.20 and 3.2.21 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 3.2.20..3.2.21 shows:
fd0ccd7fb3 (tag: 3.2.21) [3.2.x] Bumped version for 3.2.21 release.
6f030b1149 [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
73350a6369 [3.2.x] Added stub release notes for 3.2.21.
75418f8c0e [3.2.x] Fixed#34756 -- Fixed docs HTML build on Sphinx 7.1+.
848fe70f3e [3.2.x] Added CVE-2023-36053 to security archive.
4012a87a58 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.21/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
At least one of the following DISTRO_FEATURES needs to be present: X11
or Wayland. The recipe now work with pure Wayland.
Signed-off-by: Marine Vovard <m.vovard@phytec.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidator and URLValidator are subject to a potential ReDoS
(regular expression denial of service) attack via a very large
number of domain name labels of emails and URLs.
Since, there is no ptest available for python3-django so have not
tested the patch changes at runtime.
References:
https://github.com/advisories/GHSA-jh3w-4vvf-mjgr454f2fb934
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 3.2.19 and 3.2.20 contains the CVE-2023-36053 fix
and other bugfixes. git log --oneline 3.2.19..3.2.20 shows:
19bc11f636 (tag: 3.2.20) [3.2.x] Bumped version for 3.2.20 release.
454f2fb934 [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
07cc014cb3 [3.2.x] Added stub release notes for 3.2.20.
e1bbbbe6ac [3.2.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
47ef12e69c [3.2.x] Added CVE-2023-31047 to security archive.
15f90ebff3 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.20/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
gcc-11 has metadata line "-: 0:Source is newer than graph" which throws an
error.
Backported from gcovr 5.2, as kirkstone release uses gcc-11.
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
sqlparse is a non-validating SQL parser module for Python. In affected
versions the SQL parser contains a regular expression that is vulnerable
to ReDoS (Regular Expression Denial of Service). This issue was introduced
by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS).
This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users
are advised to upgrade. There are no known workarounds for this issue.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1,
it was possible to bypass validation when using one form field to
upload multiple files. This multiple upload has never been supported
by forms.FileField or forms.ImageField (only the last uploaded file was
validated). However, Django's "Uploading multiple files" documentation
suggested otherwise.
Since, there is no ptest available for python3-django so have not tested
the patch changes at runtime.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A flaw was found in all released versions of m2crypto, where they are
vulnerable to Bleichenbacher timing attacks in the RSA decryption API
via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest
threat from this vulnerability is to confidentiality.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a comprehensive WSGI web application library. Prior to
version 2.2.3, Werkzeug's multipart form data parser will parse an
unlimited number of parts, including file parts. Parts can be a
small amount of bytes, but each requires CPU time to parse and may
use more memory as Python data. If a request can be made to an
endpoint that accesses `request.data`, `request.form`, `request.files`,
or `request.get_data(parse_form_data=False)`, it can cause unexpectedly
high resource usage. This allows an attacker to cause a denial of
service by sending crafted multipart data to an endpoint that will
parse it. The amount of CPU time required can block worker processes
from handling legitimate requests. The amount of RAM required can
trigger an out of memory kill of the process. Unlimited file parts
can use up memory and file handles. If many concurrent requests are
sent continuously, this can exhaust or kill all available workers.
Version 2.2.3 contains a patch for this issue.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
ptest results:
====== 3600 passed, 324 skipped, 2 xfailed, 1 xpassed in 74.41s (0:01:14) ======
for qemux86-64 with 2 GB RAM which is the same as seen on master.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
License-Updated: copyright year updated to 2023
Changelog:
==========
Fixed null pointer dereference crash with malformed font #6846
Return from ImagingFill early if image has a zero dimension #6842
Reversed deprecations for Image constants, except for duplicate Resampling attributes #6830
Improve exception traceback readability #6836
Do not attempt to read IFD1 if absent #6840
Fixed writing int as ASCII tag #6800
If available, use wl-paste or xclip for grabclipboard() on Linux #6783
Added signed option when saving JPEG2000 images #6709
Patch OpenJPEG to include ARM64 fix#6718
Added support for I;16 modes in putdata() #6825
Added conversion from RGBa to RGB #6708
Added DDS support for uncompressed L and LA images #6820
Added LightSource tag values to ExifTags #6749
Fixed PyAccess after changing ICO size #6821
Do not use EXIF from info when saving PNG images #6819
Fixed saving EXIF data to MPO #6817
Added Exif hide_offsets() #6762
Only compare to previous frame when checking for duplicate GIF frames while saving #6787
Always initialize all plugins in registered_extensions() #6811
Ignore non-opaque WebP background when saving as GIF #6792
Only set tile in ImageFile __setstate__ #6793
When reading BLP, do not trust JPEG decoder to determine image is CMYK #6767
Added IFD enum to ExifTags #6748
Fixed bug combining GIF frame durations #6779
Support saving JPEG comments #6774
Added getxmp() to WebPImagePlugin #6758
Added "exact" option when saving WebP #6747
Use fractional coordinates when drawing text #6722
Fixed writing int as BYTE tag #6740
Added MP Format Version when saving MPO #6735
Added Interop to ExifTags #6724
CVE-2007-4559 patch when building on Windows #6704
Fix compiler warning: accessing 64 bytes in a region of size 48 #6714
Use verbose flag for pip install #6713
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b73867b9d7)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
=========
Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]
Initialize libtiff buffer when saving #6699 [radarhere]
Inline fname2char to fix memory leak #6329 [nulano]
Fix memory leaks related to text features #6330 [nulano]
Use double quotes for version check on old CPython on Windows #6695 [hugovk]
Remove backup implementation of Round for Windows platforms #6693 [cgohlke]
Fixed set_variation_by_name offset #6445 [radarhere]
Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]
Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]
Added ExifTags enums #6630 [radarhere]
Do not modify previous frame when calculating delta in PNG #6683 [radarhere]
Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]
Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]
Added GPS TIFF tag info #6661 [radarhere]
Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]
Do not attempt normalization if mode is already normal #6644 [radarhere]
Fixed seeking to an L frame in a GIF #6576 [radarhere]
Consider all frames when selecting mode for PNG save_all #6610 [radarhere]
Don't reassign crc on ChunkStream close#6627 [wiredfool, radarhere]
Raise a warning if NumPy failed to raise an error during conversion #6594 [radarhere]
Show all frames in ImageShow #6611 [radarhere]
Allow FLI palette chunk to not be first #6626 [radarhere]
If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [radarhere]
Round box position to integer when pasting embedded color #6517 [radarhere, nulano]
Removed EXIF prefix when saving WebP #6582 [radarhere]
Pad IM palette to 768 bytes when saving #6579 [radarhere]
Added DDS BC6H reading #6449 [ShadelessFox, REDxEYE, radarhere]
Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [JayWiz, radarhere]
Raise an error when allocating translucent color to RGB palette #6654 [jsbueno, radarhere]
Added reading of TIFF child images #6569 [radarhere]
Improved ImageOps palette handling #6596 [PososikTeam, radarhere]
Defer parsing of palette into colors #6567 [radarhere]
Apply transparency to P images in ImageTk.PhotoImage #6559 [radarhere]
Use rounding in ImageOps contain() and pad() #6522 [bibinhashley, radarhere]
Fixed GIF remapping to palette with duplicate entries #6548 [radarhere]
Allow remap_palette() to return an image with less than 256 palette entries #6543 [radarhere]
Corrected BMP and TGA palette size when saving #6500 [radarhere]
Do not call load() before draft() in Image.thumbnail #6539 [radarhere]
Copy palette when converting from P to PA #6497 [radarhere]
Allow RGB and RGBA values for PA image putpixel #6504 [radarhere]
Removed support for tkinter in PyPy before Python 3.6 #6551 [nulano]
Do not use CCITTFaxDecode filter if libtiff is not available #6518 [radarhere]
Fallback to not using mmap if buffer is not large enough #6510 [radarhere]
Fixed writing bytes as ASCII tag #6493 [radarhere]
Open 1 bit EPS in mode 1 #6499 [radarhere]
Removed support for tkinter before Python 1.5.2 #6549 [radarhere]
Allow default ImageDraw font to be set #6484 [radarhere, hugovk]
Save 1 mode PDF using CCITTFaxDecode filter #6470 [radarhere]
Added support for RGBA PSD images #6481 [radarhere]
Parse orientation from XMP tag contents #6463 [bigcat88, radarhere]
Added support for reading ATI1/ATI2 (BC4/BC5) DDS images #6457 [REDxEYE, radarhere]
Do not clear GIF tile when checking number of frames #6455 [radarhere]
Support saving multiple MPO frames #6444 [radarhere]
Do not double quote Pillow version for setuptools >= 60 #6450 [radarhere]
Added ABGR BMP mask mode #6436 [radarhere]
Fixed PSDraw rectangle #6429 [radarhere]
Raise ValueError if PNG sRGB chunk is truncated #6431 [radarhere]
Handle missing Python executable in ImageShow on macOS #6416 [bryant1410, radarhere]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4e075c7dc8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
=========
Fixed null check for fribidi_version_info in FriBiDi shim
Added GIF decompression bomb check
Handle PCF fonts files with less than 256 characters
Improved GIF optimize condition
Reverted to array_interface with the release of NumPy 1.23
Pad PCX palette to 768 bytes when saving
Fixed bug with rounding pixels to palette colors
Use gnome-screenshot on Linux if available
Fixed loading L mode BMP RLE8 images
Fixed incorrect operator in ImageCms error
Limit FPX tile size to avoid extending outside image
Added support for decoding plain PPM formats
Added apply_transparency()
Fixed behaviour change from endian fix
Use python3
Allow remapping P images with RGBA palettes
Revert "Skip test_realloc_overflow unless libtiff 4.0.4 or higher"
[pre-commit.ci] pre-commit autoupdate
Only import ImageFont in ImageDraw when necessary
Fixed drawing translucent 1px high polygons
Pad COLORMAP to 768 items when saving TIFF
Fix P -> PA conversion
Once exif data is parsed, do not reload unless it changes
Only try to connect discontiguous corners at the end of edges
Improve transparency handling when saving GIF images
Do not update GIF frame position until local image is found
Netscape GIF extension belongs after the global color table
Only write GIF comments at the beginning of the file
Separate multiple GIF comment blocks with newlines
Always use GIF89a for comments
Ignore compression value from BMP info dictionary when saving as TIFF
If font is file-like object, do not re-read from object to get variant
Raise ValueError when trying to access internal fp after close
Support more affine expression forms in im.point()
Include 'twine check' in 'make sdist'
Ensure that furthest v is set in quantize2
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
