[AutoGluon] Patch AutoGluon v1.1 - TS (#3955)
* patch ag-inference

* fix vulnerabilities

* fix vulnerabilities

* revert toml

* run test

* revert toml

---------

Co-authored-by: Ubuntu <[email protected]>
prateekdesai04 and Ubuntu authored May 23, 2024
1 parent b6b3656 commit 9a9928f
Showing 8 changed files with 122 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,35 @@
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
},
{
"description": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
"vulnerability_id": "CVE-2023-48022",
"name": "CVE-2023-48022",
"package_name": "ray",
"package_details": {
"file_path": "opt/conda/lib/python3.10/site-packages/ray-2.23.0.dist-info/METADATA",
"name": "ray",
"package_manager": "PYTHONPKG",
"version": "2.23.0",
"release": null
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 9.8,
"cvss_v30_score": 0,
"cvss_v31_score": 9.8,
"cvss_v2_score": 0,
"cvss_v3_severity": "CRITICAL",
"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
"source": "NVD",
"severity": "CRITICAL",
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
}
]
}
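Review bot: the "reason_to_ignore": "fix not available yet" on the new CVE-2023-48022 entry (ray 2.23.0) contradicts the description pasted into the same entry, which records the vendor's position that the report is irrelevant because Ray is not intended for use outside a strictly controlled network. No fix is pending, so this justification will never be retired. Replace it with the compensating control that actually applies to this image, for example that the Ray job submission API is not exposed by the container and Ray is only driven in-process, so the entry can be re-checked against the image rather than waiting on a ray release.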
Expand Up @@ -3,5 +3,5 @@
"51358": "Safety 2.2.0 updates its dependency 'dparse' to include a security fix. - not packaged with container, result of security scanning process",
"65213": "PyOpenSSL doesn't have this fix yet - the issue only applicable to PowerPC architecture and not applicable to this container",
"67599": "pip - No fix for this yet",
"65345": "torchserve - we do not use torchserve, this vulnerability leaks from an upstream base image"
"70612": "jinja2 3.1.4 - The maintainer and multiple third parties believe that this vulnerability isn't valid."
}
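Review bot: this hunk replaces the 65345 torchserve entry ("we do not use torchserve, this vulnerability leaks from an upstream base image") instead of appending 70612 after it; the `@@ -3,5 +3,5 @@` header (five lines in, five out) confirms a line was dropped. If torchserve still arrives via the upstream base image, the next scan will fail on 65345 again; if it was removed on purpose because the base no longer ships torchserve, the commit message ("fix vulnerabilities") should say so.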
Expand Up @@ -204,6 +204,35 @@
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
},
{
"description": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
"vulnerability_id": "CVE-2023-48022",
"name": "CVE-2023-48022",
"package_name": "ray",
"package_details": {
"file_path": "opt/conda/lib/python3.10/site-packages/ray-2.23.0.dist-info/METADATA",
"name": "ray",
"package_manager": "PYTHONPKG",
"version": "2.23.0",
"release": null
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 9.8,
"cvss_v30_score": 0,
"cvss_v31_score": 9.8,
"cvss_v2_score": 0,
"cvss_v3_severity": "CRITICAL",
"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
"source": "NVD",
"severity": "CRITICAL",
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
}
]
}
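Review bot: the three context lines directly above the insertion ("title": "CVE-2023-48022 - ray", "reason_to_ignore": "fix not available yet") belong to an existing entry for the same CVE, and the added block repeats every field except, presumably, package_details. If the only difference is the file_path and version (ray-2.23.0.dist-info here), either remove the stale entry or state the versions in reason_to_ignore; otherwise this allowlist grows by a 30-line block on every ray bump with no indication of which version is actually installed.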
Expand Up @@ -3,5 +3,5 @@
"51358": "Safety 2.2.0 updates its dependency 'dparse' to include a security fix. - not packaged with container, result of security scanning process",
"65213": "PyOpenSSL doesn't have this fix yet - the issue only applicable to PowerPC architecture and not applicable to this container",
"67599": "pip - No fix for this yet",
"65345": "torchserve - we do not use torchserve, this vulnerability leaks from an upstream base image"
"70612": "jinja2 3.1.4 - The maintainer and multiple third parties believe that this vulnerability isn't valid."
}
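Review bot: the new 70612 justification ("The maintainer and multiple third parties believe that this vulnerability isn't valid") cites no advisory, CVE or tracker link, so nobody can re-verify the claim when jinja2 is next bumped. The neighbouring entries at least name the package and the missing fix; add the identifier of the disputed report and, ideally, a link to where the maintainer's position is recorded.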
Expand Up @@ -204,6 +204,35 @@
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
},
{
"description": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
"vulnerability_id": "CVE-2023-48022",
"name": "CVE-2023-48022",
"package_name": "ray",
"package_details": {
"file_path": "opt/conda/lib/python3.10/site-packages/ray-2.23.0.dist-info/METADATA",
"name": "ray",
"package_manager": "PYTHONPKG",
"version": "2.23.0",
"release": null
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 9.8,
"cvss_v30_score": 0,
"cvss_v31_score": 9.8,
"cvss_v2_score": 0,
"cvss_v3_severity": "CRITICAL",
"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
"source": "NVD",
"severity": "CRITICAL",
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
}
]
}
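Review bot: "remediation.recommendation.text": "None Provided" together with "status": "ACTIVE" on a cvss_v3_severity CRITICAL (9.8) finding leaves no condition under which this exception is revisited. Since the description ties the issue to the job submission API, record the assumption the exception rests on (no Ray ports exposed, Ray only used in-process by AutoGluon) so that a future ray bump or a change in how the container is launched re-evaluates the entry instead of carrying the 2.23.0 block forward.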
Expand Up @@ -2,5 +2,6 @@
"50916": "Pydantic 1.10.2 prevents long strings as int inputs to fix CVE-2020-10735 - upstream dependencies are still not patched",
"51358": "Safety 2.2.0 updates its dependency 'dparse' to include a security fix. - not packaged with container, result of security scanning process",
"65213": "PyOpenSSL doesn't have this fix yet - the issue only applicable to PowerPC architecture and not applicable to this container",
"67599": "pip - No fix for this yet"
"67599": "pip - No fix for this yet",
"70612": "jinja2 3.1.4 - The maintainer and multiple third parties believe that this vulnerability isn't valid."
}
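Review bot: "jinja2 3.1.4 - ..." does not say whether 3.1.4 is the version installed in the image or the version the scanner reports as the fix; the other entries in this file follow the pattern "<package> <version> <what that version does or why it is not applicable>". State which it is, e.g. "jinja2 3.1.4 installed, no newer release; finding disputed by the maintainer", so the entry can be compared against the package actually present. The comma added to the 67599 line keeps the file valid JSON.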
Expand Up @@ -204,6 +204,35 @@
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
},
{
"description": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
"vulnerability_id": "CVE-2023-48022",
"name": "CVE-2023-48022",
"package_name": "ray",
"package_details": {
"file_path": "opt/conda/lib/python3.10/site-packages/ray-2.23.0.dist-info/METADATA",
"name": "ray",
"package_manager": "PYTHONPKG",
"version": "2.23.0",
"release": null
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 9.8,
"cvss_v30_score": 0,
"cvss_v31_score": 9.8,
"cvss_v2_score": 0,
"cvss_v3_severity": "CRITICAL",
"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
"source": "NVD",
"severity": "CRITICAL",
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
}
]
}
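Review bot: the description names Ray 2.6.3 and 2.8.0 as affected, but the entry is for version 2.23.0 and nothing in it explains why a much newer release is still flagged (no fixed version exists, given the vendor's position quoted in the same description). Put that in reason_to_ignore so a reader does not dismiss this as a scanner version-matching false positive. Also, the 0 values in cvss_v30_score and cvss_v2_score next to cvss_v31_score 9.8 mean no score was assigned under those schemes, not that a lower score applies.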
Expand Up @@ -2,5 +2,6 @@
"50916": "Pydantic 1.10.2 prevents long strings as int inputs to fix CVE-2020-10735 - upstream dependencies are still not patched",
"51358": "Safety 2.2.0 updates its dependency 'dparse' to include a security fix. - not packaged with container, result of security scanning process",
"65213": "PyOpenSSL doesn't have this fix yet - the issue only applicable to PowerPC architecture and not applicable to this container",
"67599": "pip - No fix for this yet"
"67599": "pip - No fix for this yet",
"70612": "jinja2 3.1.4 - The maintainer and multiple third parties believe that this vulnerability isn't valid."
}
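Review bot: this is the fourth identical copy of the 70612 line in the commit, alongside four identical copies of the 30-line CVE-2023-48022 block. Any later correction to the wording, or removal once jinja2 or ray is bumped, now has to be made in every file. If the scanning tooling supports it, keep findings that apply to every AutoGluon image in one shared allowlist and reference it from each; failing that, the commit message should note that the same entries were added to all variants.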
