[BEAM-13995] Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas and numpy - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: P1
Resolution: Fixed
Affects Version/s: 2.23.0, 2.35.0, 2.36.0
Fix Version/s: 2.38.0
Component/s: dependencies, sdk-py-core
Labels:
None

Description

We are using apache-beam[gcp]==2.23.0 and apache-beam=2.36.0.

The following vulnerabilities are detected in white source with apache-beam.

CVE-2020-13091 - pandas-0.25.3-cp37-cp37m-manylinux1_x86_64.whl - Fix(Upgrade to version pandas - 0.3.0.beta,1.0.4;autovizwidget - 0.12.7;pandas - 1.0.4,1.1.0rc0)

CVE-2021-41496 - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl - Fix(Upgrade to version autovizwidget - 0.12.7;numpy - 1.22.0rc1;numcodecs - 0.6.2;numpy-base - 1.11.3;numpy - 1.17.4)

CVE-2021-21240 -httplib2-0.17.4-py3-none-any.whl - Fix(Upgrade to version v0.19.0)

See attached xls - tensorflow-1.14.0-cp37-cp37m-manylinux1_x86_64.whl - Fix(attached xls)

please upgrade the packages to the mentioned versions with fix.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Tensorflow vulnerabilities.xlsx
24/Feb/22 09:07
40 kB
Prerana

Issue Links

links to

GitHub Pull Request #17011

Activity

People

Assignee:: Unassigned

Reporter:: Prerana

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 24/Feb/22 09:05

Updated:: 10/Mar/22 10:49

Resolved:: 05/Mar/22 00:39

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m