chore(deps): update dependency tensorflow to v2.7.2 [security] by renovate-bot · Pull Request #8329 · GoogleCloudPlatform/python-docs-samples · GitHub

chore(deps): update dependency tensorflow to v2.7.2 [security] #8329


renovate-bot

Mend Renovate

This PR contains the following updates:

Package      Change
tensorflow   ==2.6.4 -> ==2.7.2

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-35999

Impact

When Conv2DBackpropInput receives empty out_backprop inputs (e.g. [3, 1, 0, 1]), the current CPU/GPU kernels CHECK fail (one with dnnl, the other with cudnn). This can be used to trigger a denial of service attack.

import tensorflow as tf
import numpy as np

input_sizes = [3, 1, 1, 2]
filter = np.ones([1, 3, 2, 3])
# Empty out_backprop: the third dimension is 0, so the tensor has no elements.
out_backprop = np.ones([3, 1, 0, 3])
strides = [1, 1, 2, 1]
padding = 'VALID'

# On unpatched versions this call hits a CHECK failure in the CPU/GPU kernel.
tf.raw_ops.Conv2DBackpropInput(
    input_sizes=input_sizes,
    filter=filter,
    out_backprop=out_backprop,
    strides=strides,
    padding=padding
)

Patches

We have patched the issue in GitHub commit 27a65a43cf763897fecfa5cdb5cc653fc5dd0346.

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

CVE-2022-35997

Impact

If tf.sparse.cross receives an input separator that is not a scalar, it gives a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf

# separator is a 1-D string tensor (shape [2]) instead of the expected scalar.
tf.sparse.cross(inputs=[], name='a', separator=tf.constant(['a', 'b'], dtype=tf.string))

Patches

We have patched the issue in GitHub commit 83dcb4dbfa094e33db084e97c4d0531a559e0ebf.

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.
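A check that a requirements file no longer pins an unpatched TensorFlow, using only the fixed versions named in the two advisories above (2.7.2, 2.8.1, 2.9.1, and 2.10.0 onward). This is an added example, not code from the PR, Renovate or TensorFlow; the function names and the sample file content are constructed, and it assumes branches with no listed cherry-pick (such as 2.6.x) stay unpatched.

```python
import re

# First patched patch-level per supported minor branch, as listed in the
# advisories quoted on this page; 2.10.0 and later carry the fix directly.
PATCHED_BRANCHES = {(2, 7): 2, (2, 8): 1, (2, 9): 1}
FIRST_FIXED_MINOR = (2, 10)

# Exact pins only ("tensorflow==X.Y.Z"), optionally followed by an
# environment marker (";") or a trailing comment ("#").
PIN_RE = re.compile(
    r"^\s*tensorflow\s*==\s*(\d+)\.(\d+)\.(\d+)\s*(?:[;#].*)?$",
    re.IGNORECASE,
)


def is_patched(version):
    """version is a (major, minor, patch) tuple of ints."""
    major, minor, patch = version
    if (major, minor) >= FIRST_FIXED_MINOR:
        return True
    fixed_patch = PATCHED_BRANCHES.get((major, minor))
    # Assumption: a branch with no cherry-pick listed is treated as unpatched.
    return fixed_patch is not None and patch >= fixed_patch


def audit_requirements(text):
    """Return (line_no, version, patched) for every exact tensorflow pin."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if match:
            version = tuple(int(part) for part in match.groups())
            findings.append((line_no, ".".join(match.groups()), is_patched(version)))
    return findings


# Constructed sample requirements content (not taken from the repository).
SAMPLE = """\
# constructed sample
numpy==1.21.6
tensorflow==2.6.4
tensorflow==2.7.2 ; python_version < "3.10"
tensorflow==2.8.0  # older pin
tensorflow==2.10.0
"""

if __name__ == "__main__":
    for line_no, version, ok in audit_requirements(SAMPLE):
        status = "patched" if ok else "UNPATCHED"
        print(f"line {line_no}: tensorflow=={version} -> {status}")
```
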

renovate-bot requested review from ivanmkc and a team as code owners September 16, 2022 23:30
trusted-contributions-gcf bot added the kokoro:force-run label (Add this label to force Kokoro to re-run the tests.) Sep 16, 2022
product-auto-label bot added the samples label (Issues that are directly related to samples.) Sep 16, 2022
kokoro-team removed the kokoro:force-run label (Add this label to force Kokoro to re-run the tests.) Sep 16, 2022
leahecole merged commit 2671b97 into GoogleCloudPlatform:main Sep 19, 2022
renovate-bot deleted the renovate/pypi-tensorflow-vulnerability branch September 19, 2022 16:09
leahecole added a commit that referenced this pull request Sep 28, 2022
* Kaiyang expansion project 2022 (#8224)

* changed the dag to load ghcn dataset

* data preprocessing done

* modified preprocessing

* dataproc file added

* code runs great

* modified code based on Brad, still buggy

* finished modifying, haven't sync with DAG

* finished modifying DAG codes

* ready for draft PR

* pass lint

* addressed Brad and Leah's comments

* pass nox lint

* pass nox lint

* Fix: Retry CLI launch if needed (#8221)

* Fix: add region tags

* Fix: region tag typos

* Fix: urlpatterns moved to end

* Fix: typo

* Fix: cli retries to fix flakiness

* Fix: remove duplicate tags

* Fix: use backoff for retries

* Fix: lint import order error

* address Leah's comments about typo and comments

Co-authored-by: Charles Engelke <engelke@google.com>

* run blacken on dag and dataproc code

* WIP: not working test for process job

* working test for expansion dataproc script

* move dataproc expansion files to separate directory

* add readme

* update readme

* run black

* ignore data file

* fix import order

* ignore one line of lint because it's being silly

* add check for Notfound for test

* add requirements files

* add noxfile config

* update try/except

* experiment - fully qualify path

* update filepath

* update path

* try different path

* remove the directory that was causing test problems

* fix typo in header checker

* tell folks to skip cleanup of prereq

* clean up hyperlinks for distance weighting and arithmetic mean

* fix math links again

* remove debug statements

* remove commented out variables

* Update composer/2022_airflow_summit/data_analytics_dag_expansion_test.py

Co-authored-by: Dan Lee <71398022+dandhlee@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Dan Lee <71398022+dandhlee@users.noreply.github.com>

* Apply suggestions from code review

* update apache-beam version (#8302)

Bumping the `apache-beam[gcp]` version to (indirectly) bump the `google-cloud-pubsub` version to accept the keyword argument `request` on `create_topic()`

* dataflow: replace job name underscores with hyphens (#8303)

* dataflow: replace job name underscores with hyphens

It looks like Dataflow no longer accepts underscores in the job names. Replacing them with hyphens should work.

* fix test checks

* improve error reporting

* fix test name for exception handling

* chore(deps): update dependency datalab to v1.2.1 (#8309)

* fix: unsanitized output (#8316)

* fix: unsanitized output

* fix: add license to template

* chore(deps): update dependency cryptography to v38 (#8317)

* chore(deps): update dependency cryptography to v38

* lint

Co-authored-by: Anthonios Partheniou <partheniou@google.com>

* Remove region tags to be consistent with other languages (#8322)

* fix lint in conftest (#8324)

* Pin perl version to 5.34.0 as latest doesn't work with the example. (#8319)

Co-authored-by: Leah E. Cole <6719667+leahecole@users.noreply.github.com>

* refactor fixtures

* revert last change

* revert last change

* chore(deps): update dependency tensorflow to v2.7.2 [security] (#8329)

* remove backoff, add manual retry (#8328)

* remove backoff, add manual retry

* fix lint

* remove unused import

Co-authored-by: Anthonios Partheniou <partheniou@google.com>

* refactor test to match #8328

* update most write methods, fix test issue with comparing to exception

* Bmiro kaiyang edit (#8350)

* modified code to more closely adhere to Spark best practices

* remove unnecessary import

* improved explanation of Inverse Distance Weighting

* Apply suggestions from code review

Co-authored-by: Leah E. Cole <6719667+leahecole@users.noreply.github.com>

Co-authored-by: Leah E. Cole <6719667+leahecole@users.noreply.github.com>

* run black on process files

* fix relative import issue

* fixed jvm error (#8360)

* Add UDF type hinting (#8361)

* fixed jvm error

* add type hinting to UDF

* Update composer/2022_airflow_summit/data_analytics_process_expansion.py

* fix comment alignment

* change dataproc region to northamerica-northeast1

* refactor import

* switch other test to also use northamerica-northeast1

Co-authored-by: kaiyang-code <57576013+kaiyang-code@users.noreply.github.com>
Co-authored-by: Charles Engelke <engelke@google.com>
Co-authored-by: Maciej Strzelczyk <strzelczyk@google.com>
Co-authored-by: Dan Lee <71398022+dandhlee@users.noreply.github.com>
Co-authored-by: David Cavazos <dcavazos@google.com>
Co-authored-by: WhiteSource Renovate <bot@renovateapp.com>
Co-authored-by: Anthonios Partheniou <partheniou@google.com>
Co-authored-by: Averi Kitsch <akitsch@google.com>
Co-authored-by: mhenc <mhenc@google.com>
Co-authored-by: Brad Miro <bmiro@google.com>