BB2-838-Bump-pillow-from-8.3.1-to-8.3.2 #968
Merged
JIRA Ticket:
BB2-838
User Story or Bug Summary:
Per GH Dependabot, there is a HIGH vuln as below:
CVE-2021-23437
high severity
Vulnerable versions: < 8.3.2
Patched version: 8.3.2
The package pillow from 0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
Remediation
Upgrade pillow to version 8.3.2 or later. For example:
pillow>=8.3.2
A/C:
Pillow version updated to 8.3.2
External reference: this PR replaces the GH auto-created PR: #965
What Does This PR Do?
Bump Pillow 8.3.1 to 8.3.2
What Should Reviewers Watch For?
If you're reviewing this PR, please check these things, in particular:
What Security Implications Does This PR Have?
Submitters should complete the following questionnaire:
What Needs to Be Merged and Deployed Before this PR?
This PR cannot be either merged or deployed until the following pre-requisite changes have been fully deployed:
Any Migrations?
Submitter Checklist
I have gone through and verified that...:
- README updates and changelog / release notes entries.
- TODO and/or FIXME comments, which include a JIRA ticket ID for any items that require urgent attention.
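The remediation quoted above ("pillow>=8.3.2") is the kind of pin a reviewer has to confirm by eye. The script below is an added example, not part of this PR or of the project's own code: it parses plain requirements-file pins (assumed to be simple `name op version[, op version]` lines with no extras or environment markers) and reports whether each Pillow pin can only resolve to a release at or above the patched 8.3.2. The sample requirements text is constructed for the example.

```python
"""Check whether requirements-file pins for Pillow guarantee the patched
release named in the CVE-2021-23437 advisory (ReDoS in getrgb, fixed in 8.3.2).

Added example, not project code. Assumes plain pins such as
``pillow>=8.3.2,<9.0`` with purely numeric dotted versions; extras,
environment markers and URL requirements are not handled.
"""
import re
from typing import List, Optional, Tuple

# Fixed release named in the advisory quoted in the PR description.
PATCHED_VERSION: Tuple[int, ...] = (8, 3, 2)

# "Name" followed by an optional specifier string and an optional "# comment".
_NAME_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>.*?)\s*(#.*)?$")
# One version clause, e.g. ">=8.3.2"; checked after splitting the spec on ",".
_CLAUSE_RE = re.compile(r"^(?P<op>===|==|!=|<=|>=|<|>|~=)\s*(?P<ver>[0-9]+(?:\.[0-9]+)*)$")

# Constructed sample, not the project's real requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements
Django>=3.2
pillow==8.3.1        # below the patched release
Pillow>=8.3.2,<9.0   # satisfies the advisory
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.3.2' into (8, 3, 2) so versions compare numerically as tuples."""
    return tuple(int(part) for part in text.split("."))


def normalize_name(name: str) -> str:
    """PEP 503-style name normalisation: case-insensitive, '-', '_' and '.' equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[Tuple[str, List[Tuple[str, Tuple[int, ...]]]]]:
    """Return (normalised name, [(op, version), ...]); None for blank, comment or option lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("-"):
        return None
    match = _NAME_RE.match(stripped)
    if match is None:
        return None
    clauses: List[Tuple[str, Tuple[int, ...]]] = []
    spec = match.group("spec")
    if spec:
        for raw in spec.split(","):
            clause = _CLAUSE_RE.match(raw.strip())
            if clause is None:
                raise ValueError(f"unsupported version clause: {raw!r}")
            clauses.append((clause.group("op"), parse_version(clause.group("ver"))))
    return normalize_name(match.group("name")), clauses


def pin_guarantees_patched(line: str, package: str = "pillow",
                           patched: Tuple[int, ...] = PATCHED_VERSION) -> Optional[bool]:
    """True if the pin can only resolve to a patched release, False if it can
    still resolve to a vulnerable one (including an unpinned name), None if the
    line is not a requirement for `package`."""
    parsed = parse_requirement(line)
    if parsed is None or parsed[0] != normalize_name(package):
        return None
    _, clauses = parsed
    for op, version in clauses:
        # A lower bound (or exact pin) at or above the fix is sufficient;
        # "~=" is treated as its ">=" half, which is all that matters here.
        if op in ("==", "===", ">=", ">", "~=") and version >= patched:
            return True
    # No qualifying lower bound: an unpinned or too-low pin may still install
    # a vulnerable release.
    return False


def audit_requirements(text: str, package: str = "pillow") -> List[Tuple[str, bool]]:
    """Return (line, ok) for every line that is a requirement for `package`."""
    findings = []
    for line in text.splitlines():
        verdict = pin_guarantees_patched(line, package)
        if verdict is not None:
            findings.append((line.strip(), verdict))
    return findings


if __name__ == "__main__":
    for req_line, ok in audit_requirements(SAMPLE_REQUIREMENTS):
        print(("OK   " if ok else "FIX  ") + req_line)
```

The check is deliberately conservative: an unpinned `pillow` or a lower bound such as `>=8.0` is reported as needing a fix even though the resolver might happen to pick a patched release, because the advisory's remediation is the explicit `>=8.3.2` floor and that is what a reviewer should see in the diff.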