Bugzilla – Bug 1199814
VUL-0: tensorflow2: update to version 2.9.0, multiple CVEs
Last modified: 2022-06-03 16:04:52 UTC
Security fixes in 2.9.0:
- Fixes a code injection in saved_model_cli (CVE-2022-29216)
- Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
- Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
- Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
- Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
- Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
- Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
- Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
- Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
- Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
- Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
- Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
- Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
- Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
- Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
- Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
- Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
- Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
- Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
- Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
- Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
- Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
- Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
- Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
- Fixes a heap buffer overflow due to incorrect hash function (CVE-2022-29210)
The new version also:
- Updates curl to 7.83.1 (CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-27782 and CVE-2022-30115)
- Updates zlib to 1.2.12 after 1.2.11 was pulled due to a security issue

The fixes are also backported to 2.8.1, 2.7.2 and 2.6.4.

We ship:
- openSUSE:Backports:SLE-15-SP3 2.1.2
- openSUSE:Backports:SLE-15-SP4 2.6.2
- openSUSE:Factory 2.7.1
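The report names four fixed releases (2.9.0 and the backports 2.8.1, 2.7.2 and 2.6.4) and three shipped versions, none of them fixed. The following is an added example, not part of the bug report or of TensorFlow or openSUSE tooling, that turns that into a check: given an installed tensorflow2 version string it finds the release branch, looks up the first fixed release on that branch, and distinguishes "a fixed update exists on this branch" from "this branch got no backport and must move to a fixed branch" (the 2.1.2 case). The product-to-version table is copied from the report; the pre-release handling (an rc of a fixed release is treated as still vulnerable) and the assumption that anything on a branch later than 2.9 carries the fixes are the example's own.

```python
"""Added example (not from the bug report): classify an installed
tensorflow2 version against the fixed releases the report names.

Fixed releases: 2.9.0, backported to 2.8.1, 2.7.2 and 2.6.4.
Branches older than 2.6 received no backport, so a package on such a
branch can only be fixed by moving to a fixed branch.
"""

import re

# First fixed release per (major, minor) branch, taken from the report.
FIXED_BY_BRANCH = {
    (2, 6): (2, 6, 4),
    (2, 7): (2, 7, 2),
    (2, 8): (2, 8, 1),
    (2, 9): (2, 9, 0),
}

# tensorflow2 versions shipped by the products the report lists.
SHIPPED = {
    "openSUSE:Backports:SLE-15-SP3": "2.1.2",
    "openSUSE:Backports:SLE-15-SP4": "2.6.2",
    "openSUSE:Factory": "2.7.1",
}

# major.minor.patch with an optional pre-release suffix such as rc1, a0, b2, dev3.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.~]?((?:rc|a|b|dev)\d*))?$")


def parse_version(text):
    """Return (major, minor, patch, is_final); raise ValueError on junk input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised tensorflow version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is None


def assess(version):
    """Classify one installed version.

    Returns:
      "fixed"              at or after the first fixed release of its branch
      "update_available"   a fixed release exists on the same branch
      "branch_unsupported" no backport exists for this branch; a move to a
                           fixed branch (2.6.4 or later) is required
    Assumption (example's own): any branch after 2.9 already carries the fixes.
    """
    major, minor, patch, final = parse_version(version)
    branch = (major, minor)
    if branch > (2, 9):
        return "fixed"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "branch_unsupported"
    installed = (major, minor, patch)
    # An rc of the fixed release predates it, so only a final build counts.
    if installed > fixed or (installed == fixed and final):
        return "fixed"
    return "update_available"


def report(shipped=SHIPPED):
    """Assess every product in the shipped table; returns product -> status."""
    return {product: assess(ver) for product, ver in shipped.items()}


if __name__ == "__main__":
    for product, status in report().items():
        print(f"{product}: tensorflow2 {SHIPPED[product]} -> {status}")
```

Run as a script it prints one line per product; for the three versions in the report the result is `branch_unsupported` for SP3 and `update_available` for SP4 and Factory, which is the situation the following comments discuss.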
The only way to resolve this may be the removal of tensorflow2 from Tumbleweed.
Delete request for Tensorflow2 in Factory: SR#978958

Tensorflow2 cannot be updated to anything higher than 2.6, as python 2.7 requires a newer version of python3 (and libraries) than what we provide on Leap or SLE 15. I attempted an update to 2.6.2 over nine months ago: https://build.opensuse.org/request/show/915715 to fix bsc#1189423 for SP3; this, however, still hasn't been released, and it can likely be expected that further attempts to update to 2.6.4, for instance, will be in vain as well. Our best option will be to request tensorflow2 to be dropped from PH and Leap going forward.