python-pillow · radarhere · Feb 2, 2022 · Feb 2, 2022
diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst
@@ -0,0 +1,23 @@
+9.0.1
+-----
+
+Security
+========
+
+This release addresses several security problems.
+
+:cve:`CVE-2022-24303`: If the path to the temporary directory on Linux or macOS
+contained a space, this would break removal of the temporary image file after
+``im.show()`` (and related actions), and potentially remove an unrelated file. This
+been present since PIL.
+
+:cve:`CVE-2022-22817`: While Pillow 9.0 restricted top-level builtins available to
+:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
+expressions. These are now also restricted.
+
+Other Changes
+=============
+
+Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
+reports that the temporary image file was removed too quickly to be loaded into the
+final application. A delay has been added.
diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst
@@ -14,6 +14,7 @@ expected to be backported to earlier versions.
 .. toctree::
   :maxdepth: 2
 
+  9.0.1
   9.0.0
   8.4.0
   8.3.2