This is again a security update targeted at mitigating CVE-2023-4863.
It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of
libwebp package at the OS level.
Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages from matrix.org.
We encourage admins to upgrade as soon as possible.
Internal Changes
Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. (#16347)
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [matrixdotorg/synapse](https://github.com/matrix-org/synapse) | patch | `v1.92.2` -> `v1.92.3` |
---
### Release Notes
<details>
<summary>matrix-org/synapse (matrixdotorg/synapse)</summary>
### [`v1.92.3`](https://github.com/matrix-org/synapse/releases/tag/v1.92.3)
[Compare Source](https://github.com/matrix-org/synapse/compare/v1.92.2...v1.92.3)
##### Synapse 1.92.3 (2023-09-18)
This is again a security update targeted at mitigating [CVE-2023-4863](https://cve.org/CVERecord?id=CVE-2023-4863).
It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of
libwebp package at the OS level.
Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages from matrix.org.
We encourage admins to upgrade as soon as possible.
##### Internal Changes
- Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. ([#​16347](https://github.com/matrix-org/synapse/issues/16347))
##### Updates to locked dependencies
- Bump pillow from 10.0.0 to 10.0.1. ([#​16344](https://github.com/matrix-org/synapse/issues/16344))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45Ni41IiwidXBkYXRlZEluVmVyIjoiMzYuOTYuNSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
v1.92.2->v1.92.3Release Notes
matrix-org/synapse (matrixdotorg/synapse)
v1.92.3Compare Source
Synapse 1.92.3 (2023-09-18)
This is again a security update targeted at mitigating CVE-2023-4863.
It turns out that libwebp is bundled statically in Pillow wheels so we need to update this dependency instead of
libwebp package at the OS level.
Unlike what was advertised in 1.92.2 changelog this release also impacts PyPI wheels and Debian packages from matrix.org.
We encourage admins to upgrade as soon as possible.
Internal Changes
Updates to locked dependencies
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.