
Update curl from 8.4.0 to 8.6.0 due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218 #69799

Closed
jsasswis opened this issue Jun 14, 2024 · 4 comments · Fixed by #70117, google/tsl#2352 or openxla/xla#14010
Labels: subtype:ubuntu/linux (Ubuntu/Linux Build/Installation Issues), TF 2.16, type:build/install (Build and install issues)

Comments

@jsasswis

Issue type

Build/Install

Have you reproduced the bug with TensorFlow Nightly?

Yes

Source

binary

TensorFlow version

2.15.1, 2.16.1

Custom code

No

OS platform and distribution

Ubuntu 22.04

Mobile device

No response

Python version

3.9, 3.10, 3.11

Bazel version

No response

GCC/compiler version

No response

CUDA/cuDNN version

No response

GPU model and memory

No response

Current behavior?

Currently, TensorFlow uses curl 8.4.0, which has been identified as affected by the security vulnerabilities CVE-2023-46219 and CVE-2023-46218. Unaffected versions are curl >= 8.5.0.

https://github.com/tensorflow/tensorflow/blob/master/tensorflow/workspace2.bzl#L423

Info on CVEs identified in curl 8.4.0:
https://nvd.nist.gov/vuln/detail/CVE-2023-46219
https://nvd.nist.gov/vuln/detail/CVE-2023-46218

Curl fix documentation:
https://curl.se/docs/CVE-2023-46219.html
https://curl.se/docs/CVE-2023-46218.html

Is there any reason for TensorFlow not to update curl? If no, I'm willing to submit a PR to address this.

Standalone code to reproduce the issue

N/A as this is a request for a third party update during build based on security advisories.

Relevant log output

N/A
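The question the issue raises (is the pinned curl older than the first unaffected release?) is the kind of check that can be run automatically before a build rather than by hand. The following is an added example, not TensorFlow's own tooling: it extracts every curl tarball version referenced in a Bazel workspace fragment and compares it against the 8.5.0 floor the issue cites. The workspace snippet is a constructed sample modelled on the shape of a `tf_http_archive` rule, with a placeholder sha256; the function names `find_curl_versions` and `check_curl_pin` are assumptions for this example.

```python
import re
import sys
from typing import List, Tuple

Version = Tuple[int, int, int]

# First curl release not affected by the advisories the issue cites
# (CVE-2023-46218 and CVE-2023-46219 were fixed in curl 8.5.0).
MIN_SAFE_CURL: Version = (8, 5, 0)

# Constructed sample of a Bazel workspace fragment. It mimics the shape of a
# tf_http_archive rule but is NOT the real workspace2.bzl; the sha256 is a
# placeholder.
SAMPLE_WORKSPACE = '''
    tf_http_archive(
        name = "curl",
        build_file = "//third_party:curl.BUILD",
        sha256 = "<placeholder-sha256>",
        strip_prefix = "curl-8.4.0",
        system_build_file = "//third_party/systemlibs:curl.BUILD",
        urls = tf_mirror_urls("https://curl.se/download/curl-8.4.0.tar.gz"),
    )
'''

# Matches the version embedded in a curl release tarball name, e.g.
# "curl-8.4.0.tar.gz". Only tarball references count, so strip_prefix and
# similar fields do not produce duplicate findings.
_CURL_TARBALL_RE = re.compile(r"curl-(\d+)\.(\d+)\.(\d+)\.tar\.(?:gz|xz|bz2)")


def find_curl_versions(workspace_text: str) -> List[Version]:
    """Return the distinct curl tarball versions referenced in the text, ascending."""
    found = {
        tuple(int(part) for part in match.groups())
        for match in _CURL_TARBALL_RE.finditer(workspace_text)
    }
    return sorted(found)  # type: ignore[arg-type]


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


def check_curl_pin(workspace_text: str, minimum: Version = MIN_SAFE_CURL) -> List[str]:
    """Return human-readable findings; an empty list means the pin meets the minimum.

    A workspace with no curl tarball reference is reported as unverifiable
    rather than silently passing, so a renamed or removed rule is noticed.
    """
    versions = find_curl_versions(workspace_text)
    if not versions:
        return ["no curl tarball reference found; cannot verify the pin"]
    return [
        f"curl {format_version(v)} is below minimum {format_version(minimum)}"
        for v in versions
        if v < minimum
    ]


if __name__ == "__main__":
    # Usage: python check_curl_pin.py [path/to/workspace.bzl]
    # Without an argument the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKSPACE
    findings = check_curl_pin(text)
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Tuple comparison gives correct ordering for release versions without a third-party dependency, and the non-zero exit code lets the script gate a CI job until the pin is raised.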
@google-ml-butler google-ml-butler bot added the type:build/install Build and install issues label Jun 14, 2024
@sushreebarsa sushreebarsa added subtype: ubuntu/linux Ubuntu/Linux Build/Installation Issues TF 2.16 labels Jun 16, 2024
@tilakrayal (Contributor)

@jsasswis,
Could you please confirm whether the latest TensorFlow build is compatible with the above-mentioned versions? If yes, please feel free to contribute the PR. Thank you.

@mihaimaruseac (Collaborator)

@rtg0795 as this should be done before final releases

@mihaimaruseac (Collaborator)

Would get fixed by #70117

copybara-service bot pushed a commit to openxla/xla that referenced this issue Jun 20, 2024
Due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218.

Fixes tensorflow/tensorflow#69799

PiperOrigin-RevId: 645051365
copybara-service bot pushed a commit to google/tsl that referenced this issue Jun 20, 2024
Due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218.

Fixes tensorflow/tensorflow#69799

PiperOrigin-RevId: 645142519
copybara-service bot pushed a commit to openxla/xla that referenced this issue Jun 20, 2024
Due to security vulnerabilities CVE-2023-46219 and CVE-2023-46218.

Fixes tensorflow/tensorflow#69799

PiperOrigin-RevId: 645142519
4 participants