py3-pillow 9.0.0 (or 8.4.x) needs backporting for critical-sev CVEs
CVE-2022-22815, CVE-2022-22816, CVE-2022-22817 (all critical sev) were reported 10-Jan-2022:
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
Edge repo has 9.0.0 at this time. 3.14 / 3.15 repos have 8.2.0-r0 / 8.4.0-r1 respectively. Because the wheels for edge are built for Python 3.10, the fixed version cannot be installed under any stable Alpine release (which all have Python <= 3.9), and it's CPU-intensive to rebuild this wheel. Please make the update available in 3.15.
Prior update described in #13051 (closed).