OpenCE 1.11.x CVE list #1324

mwatk · 2025-03-03T16:09:03Z

Summary of candidates to be assessed for the next opence release 1.11.x:

CVE-2024-43598][high] lightgbm, see https://github.ibm.com/ax/planning/issues/15468
CVE-2024-55459][medium] keras, see https://github.ibm.com/ax/planning/issues/15333 -> skipping this as it is not yet fixed in upstream repo - BlackDuck reports arbitrary file write vulnerability in "get_file" function keras-team/keras#20980
CVE-2024-5206][medium] scikit-learn, see https://github.ibm.com/ax/planning/issues/14648
(CVE-2024-8019[critical] pytorch-lightning, see https://github.ibm.com/ax/planning/issues/15601) ->can be removed from list as Windows only
CVE-2024-7776[high] onnx, see https://github.ibm.com/ax/planning/issues/15602
(CVE withdrawn CVE-2024-7804[critical] torch, see https://github.ibm.com/ax/planning/issues/15604) ->put on hold as CVE withdrawn
CVE-2024-12720[medium] transformers, see https://github.ibm.com/ax/planning/issues/15644
CVE-2024-10940[medium] langchain-core, see https://github.ibm.com/ax/planning/issues/15628
...

mwatk · 2025-03-10T07:21:58Z

@cdeepali could you pls assess the 3 items listed. In term of priority:
LightGBM is a high sev findings that we need to fix as soon as possible.
Scikit-learn a due date of April 30.
Keras has due date on Cloud of May 7.

cdeepali · 2025-03-17T06:31:25Z

Package	Version in 1.11.5	CVE	Version Fixed	Upgade/Backport
LightGBM	4.2.0	CVE-2024-43598, https://github.ibm.com/ax/planning/issues/15468	4.6.0	Backport
scikit-learn	1.3.0	CVE-2024-5206, https://github.ibm.com/ax/planning/issues/14648	1.5.0	Backport
keras	2.14.0	CVE-2024-55459, https://github.ibm.com/ax/planning/issues/15333	open	Fix not available
pytorch-lightning	2.3.3	CVE-2024-8019, https://github.ibm.com/ax/planning/issues/15601	2.4.0	Skipping as it is Windows Specific
onnx	1.16.0	CVE-2024-7776, https://github.ibm.com/ax/planning/issues/15602	1.17.0	Backport
torch	2.1.2	CVE-2024-7804, https://github.ibm.com/ax/planning/issues/15604	open	CVE Withdrawn
transformers	4.37.2	CVE-2024-12720 https://github.ibm.com/ax/planning/issues/15644	4.48.0	Backport as it is pinned in WNLP
langchain-core	0.2.39	CVE-2024-10940 https://github.ibm.com/ax/planning/issues/15628	Fixed in v0.3.15 but latest is 0.3.51	Skipping this because updating to latest requires update in numpy too

cdeepali · 2025-04-09T08:34:54Z

@rolweber pls suggest if we can update onnx to v1.17.0 in OpenCE v1.11.6 for CVE - GHSA-h36j-8vv3-cj52.

cdeepali · 2025-04-16T08:23:47Z

While updating langchain-core to v0.3.51 we need to update langchain-community to v0.3.21 and while doing so we have observed that this would require updating numpy to v1.16.2 due to the following error:
langchain-community 0.3.21 has requirement numpy<3,>=1.26.2, but you have numpy 1.26.0.
But numpy version 1.26 is latest on PPC from anaconda, so to support langchain-community v0.3.21 we would need to build numpy v1.26.2 in OpenCE for PPC.
numpy is a widely used dependency so may affect other package families too.

Thus it is concluded to not to update langchain-core in 1.11.6. https://ibm-systems-power.slack.com/archives/C571VTK0T/p1744698311553279?thread_ts=1744120875.281359&cid=C571VTK0T

mwatk · 2025-04-29T06:34:19Z

@cdeepali guess Roland brought this up already, there is another critical one that we should consider if possible https://github.ibm.com/ax/planning/issues/15708

cdeepali · 2025-05-06T08:08:59Z

Regarding onnx CVE - the fix for GHSA-h36j-8vv3-cj52 is in onnx/onnx@1b70f9b which was included in 1.11.5 as part of fix of another CVE - GHSA-6rq9-53c3-f7vj

mwatk added the enhancement New feature or request label Mar 3, 2025

cdeepali modified the milestones: OpenCE 1.11.6, OpenCE v1.11.6 Mar 18, 2025

cdeepali mentioned this issue Apr 16, 2025

[REQUEST] Upgrade langchain-core to fix CVE-2024-1094 #1342

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenCE 1.11.x CVE list #1324

OpenCE 1.11.x CVE list #1324

OpenCE 1.11.x CVE list #1324

OpenCE 1.11.x CVE list #1324

Comments