From ed4cf7813777ad8478cac46f448bc45416a2a99e Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sun, 2 Jan 2022 18:09:45 +1100
Subject: [PATCH] CVEs TBD

---
 CHANGES.rst                 | 5 ++++-
 docs/releasenotes/9.0.0.rst | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 45a087322fd..b4cdeced604 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -5,10 +5,13 @@ Changelog (Pillow)
 9.0.0 (unreleased)
 ------------------
 
+- Restrict builtins for ImageMath.eval(). CVE TBD #5923
+  [radarhere]
+
 - Ensure JpegImagePlugin stops at the end of a truncated file #5921
   [radarhere]
 
-- Fixed ImagePath.Path array handling #5920
+- Fixed ImagePath.Path array handling. CVEs TBD #5920
   [radarhere]
 
 - Remove consecutive duplicate tiles that only differ by their offset #5919
diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst
index fb542636e93..f2be128bb90 100644
--- a/docs/releasenotes/9.0.0.rst
+++ b/docs/releasenotes/9.0.0.rst
@@ -122,12 +122,12 @@ Restrict builtins available to ImageMath.eval
 To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the
 builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems
 arising if users evaluate arbitrary expressions, such as
-``ImageMath.eval("exec(exit())")``.
+``ImageMath.eval("exec(exit())")``. CVE TBD
 
 Fixed ImagePath.Path array handling
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``.
+CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD
 
 .. _OSS-Fuzz: https://github.com/google/oss-fuzz