From: Maxime Devos
To: Maxim Cournoyer, Léo Le Bouter
Cc: 47259-done@debbugs.gnu.org
Subject: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Wed, 23 Mar 2022 13:39:25 +0100
Message-ID: <7318489400ae1f00a40463e55f9637fe41d8e35e.camel@telenet.be>
In-Reply-To: <87r16tz87g.fsf@gmail.com>

Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
> Léo Le Bouter writes:
>
> > Hello!
> >
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
>
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.

Something went wrong: the version in the version field contains a "v"
prefix which is dropped in Guix. Additionally, the package name is
missing from the commit message, though that cannot be corrected
retroactively.

WDYT of removing the "v", and changing the "commit" field to
(commit (string-append "v" version)) ?

Greetings,
Maxime.