Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to Thumbor 7.6.0 #141

Merged

Conversation

kgeorgiou
Copy link
Contributor

@kgeorgiou kgeorgiou commented Oct 11, 2023

@kgeorgiou kgeorgiou force-pushed the chore/upgrade-thumbor-7.6.0 branch from 8ec297f to 0ed9d9d Compare October 11, 2023 17:58
@gingerlime
Copy link
Contributor

Thank you @kgeorgiou. It seems like the SIMD build still installs Pillow 9x :-/ not sure how to fix this? or perhaps there's no 10x version available for SIMD?

@gingerlime
Copy link
Contributor

@kkopachev @heynemann do you know how to resolve this issue with the SIMD images?

RUN PILLOW_VERSION=$(python -c 'import PIL; print(PIL.__version__)') ; \
if [ "$SIMD_LEVEL" ]; then \
pip uninstall -y pillow || true && \
CC="cc -m$SIMD_LEVEL" pip install --no-cache-dir -U --force-reinstall --no-binary=:all: "pillow-SIMD<=${PILLOW_VERSION}.post99" \
# --global-option="build_ext" --global-option="--debug" \
--global-option="build_ext" --global-option="--enable-lcms" \
--global-option="build_ext" --global-option="--enable-zlib" \
--global-option="build_ext" --global-option="--enable-jpeg" \
--global-option="build_ext" --global-option="--enable-tiff" ; \
fi ;

@gingerlime
Copy link
Contributor

I will merge this for now, so we can at least resolve the webp issue with the regular thumbor image, but it looks like the SIMD versions are still vulnerable potentially?

@gingerlime gingerlime merged commit 124dd27 into MinimalCompact:master Oct 11, 2023
1 check passed
@heynemann
Copy link
Contributor

I don't know how to fix it. Maybe @guilhermef knows how to fix it...

@kgeorgiou
Copy link
Contributor Author

kgeorgiou commented Oct 11, 2023

or perhaps there's no 10x version available for SIMD?

Ah yes, it looks like the latest Pillow-SIMD release is 9.5.0 from April 1, 2023: https://github.com/uploadcare/pillow-simd/tags

Edit: Might need to re-open #140 to mention that SIMD versions still use a non-patched Pillow version

@gingerlime
Copy link
Contributor

Thank you @kgeorgiou. I posted a note on uploadcare/pillow-simd#129

lachesis pushed a commit to zincio/docker-thumbor that referenced this pull request Feb 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Are we affected by CVE-2023-5129 ?
3 participants