Leo Famulari writes:

>> I'm trying to figure out where the patches for this are, but I can't
>> find them. I expected them to maybe be here, but I don't see them here:
>
> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>
> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
> that the update does address it:
> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>
> Python2-pil *is* vulnerable. However, it seems to have no users in our
> source tree. Should we remove it?

I think so. Here's a patch to remove it. Look good? (Not sure if this
needs a review or not :))

- Chris