Update curl from 8.4.0 to 8.6.0 due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218 #69799
Closed · jsasswis opened this issue Jun 14, 2024 · 4 comments · Fixed by #70117, google/tsl#2352 or openxla/xla#14010
Labels
subtype: ubuntu/linux
Ubuntu/Linux Build/Installation Issues
TF 2.16
type:build/install
Build and install issues
Comments
@jsasswis,
@rtg0795 as this should be done before final releases
copybara-service bot pushed a commit that referenced this issue Jun 20, 2024
Due CVE-2023-46219 and CVE-2023-46218. #69799 PiperOrigin-RevId: 645051365
Would get fixed by #70117
copybara-service bot pushed a commit to google/tsl that referenced this issue Jun 20, 2024
Due CVE-2023-46219 and CVE-2023-46218. Fixes tensorflow/tensorflow#69799 PiperOrigin-RevId: 645051365
copybara-service bot pushed a commit to openxla/xla that referenced this issue Jun 20, 2024
Due CVE-2023-46219 and CVE-2023-46218. tensorflow/tensorflow#69799 PiperOrigin-RevId: 645051365
copybara-service bot pushed a commit to openxla/xla that referenced this issue Jun 20, 2024
Due CVE-2023-46219 and CVE-2023-46218. Fixes tensorflow/tensorflow#69799 PiperOrigin-RevId: 645051365
copybara-service bot pushed a commit that referenced this issue Jun 20, 2024
Due CVE-2023-46219 and CVE-2023-46218. Fixes #69799 PiperOrigin-RevId: 645051365
copybara-service bot pushed a commit to openxla/xla that referenced this issue Jun 20, 2024
Due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218. Fixes tensorflow/tensorflow#69799 PiperOrigin-RevId: 645051365
copybara-service bot pushed a commit to google/tsl that referenced this issue Jun 20, 2024
Due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218. Fixes tensorflow/tensorflow#69799 PiperOrigin-RevId: 645142519
copybara-service bot pushed a commit to openxla/xla that referenced this issue Jun 20, 2024
Due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218. Fixes tensorflow/tensorflow#69799 PiperOrigin-RevId: 645142519
Issue type
Build/Install
Have you reproduced the bug with TensorFlow Nightly?
Yes
Source
binary
TensorFlow version
2.15.1, 2.16.1
Custom code
No
OS platform and distribution
Ubuntu 22.04
Mobile device
No response
Python version
3.9, 3.10, 3.11
Bazel version
No response
GCC/compiler version
No response
CUDA/cuDNN version
No response
GPU model and memory
No response
Current behavior?
Currently, TensorFlow uses curl 8.4.0 which has been identified with security vulnerabilities CVE-2023-46219 and CVE-2023-46218. Not affected versions include curl >=8.5.0
https://github.com/tensorflow/tensorflow/blob/master/tensorflow/workspace2.bzl#L423
Info on CVEs identified in curl 8.4.0:
https://nvd.nist.gov/vuln/detail/CVE-2023-46219
https://nvd.nist.gov/vuln/detail/CVE-2023-46218
Curl fix documentation:
https://curl.se/docs/CVE-2023-46219.html
https://curl.se/docs/CVE-2023-46218.html
Is there any reason for TensorFlow not to update curl? If no, I'm willing to submit a PR to address this.
Standalone code to reproduce the issue
N/A as this is a request for a third party update during build based on security advisories.
Relevant log output
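
Added example, not part of the original issue or of TensorFlow's code: a small check that reads a Bazel archive pin for curl and flags any version below the 8.5.0 threshold given in the issue, plus the case where `strip_prefix` and the download URL disagree after a partial bump. The stanza, the placeholder hash and the function names `curl_pins` and `audit` are constructed for illustration.

```python
import re

# Lowest curl release the issue lists as not affected by
# CVE-2023-46218 / CVE-2023-46219.
MIN_FIXED = (8, 5, 0)

# Constructed sample of an archive pin; the sha256 is a placeholder.
SAMPLE_BZL = '''
tf_http_archive(
    name = "curl",
    sha256 = "<placeholder-sha256>",
    strip_prefix = "curl-8.4.0",
    urls = tf_mirror_urls("https://curl.se/download/curl-8.4.0.tar.gz"),
)
'''

# One *http_archive(...) call whose closing paren sits at column 0.
STANZA_RE = re.compile(r'\w*http_archive\(\s*(.*?)\n\)', re.S)
VERSION_RE = re.compile(r'curl-(\d+)\.(\d+)\.(\d+)')


def curl_pins(bzl_text):
    """Return every curl version referenced inside the stanza named "curl"."""
    for body in STANZA_RE.findall(bzl_text):
        if re.search(r'\bname\s*=\s*"curl"', body):
            return {tuple(map(int, m)) for m in VERSION_RE.findall(body)}
    return set()


def audit(bzl_text, min_fixed=MIN_FIXED):
    """Classify the pin as 'missing', 'inconsistent', 'vulnerable' or 'ok'."""
    versions = sorted(curl_pins(bzl_text))
    if not versions:
        return "missing", versions
    if len(versions) > 1:
        # strip_prefix and URL name different releases: a half-applied bump.
        return "inconsistent", versions
    status = "ok" if versions[0] >= min_fixed else "vulnerable"
    return status, versions


if __name__ == "__main__":
    print(audit(SAMPLE_BZL))                            # pinned at 8.4.0
    print(audit(SAMPLE_BZL.replace("8.4.0", "8.6.0")))  # after the update
```
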