[Snyk: Med Severity] Multiple Pillow vulnerabilities (Due: 09/07/2020)

[lbeaufort]

Summary

  Pin Pillow@6.2.2 to Pillow@7.0.1 or upgrade Wagtail to fix
  ✗ Out-of-Bounds (new) [Medium Severity][https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574573] in Pillow@6.2.2
    introduced by wagtail@2.7.2 > Pillow@6.2.2
  ✗ Out-of-bounds Read (new) [Medium Severity][https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574574] in Pillow@6.2.2
    introduced by wagtail@2.7.2 > Pillow@6.2.2
  ✗ Out-of-bounds Read (new) [Medium Severity][https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574575] in Pillow@6.2.2
    introduced by wagtail@2.7.2 > Pillow@6.2.2
  ✗ Out-of-bounds Read (new) [Medium Severity][https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574576] in Pillow@6.2.2
    introduced by wagtail@2.7.2 > Pillow@6.2.2
  ✗ Buffer Overflow (new) [Medium Severity][https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574577] in Pillow@6.2.2
    introduced by wagtail@2.7.2 > Pillow@6.2.2

WIP PR but tests fail: https://github.com/fecgov/fec-cms/pull/new/feature/3886-update-wagtail

Technical considerations

• the dev working this issue may want to upgrade to wagtail first as well (see issue [Snyk: Med] cross-site scripting (Due: 09/21/2020) #3942 )--upgrade will not resolve the problem (as of this note--7/29/2020) but the vulnerability path has wagtail in common.