
CVE-2024-24762 - update fastapi to 0.109.1 #3556

Merged (2 commits), Mar 30, 2024

Conversation

spolti (Contributor) commented Mar 28, 2024

chore: Fix CVE-2024-24762 - fastapi Regular Expression Denial of Service (ReDoS)
Plus, update Ray to 2.10 to allow updating fastapi. On previous versions of Ray
the fastapi version was pinned, which was preventing the fastapi version update.

fixes #3541

Release note:

NONE

chore: Fix [CVE-2024-24762](https://www.cve.org/CVERecord?id=CVE-2024-24762) - fastapi Regular Expression Denial of Service (ReDoS)
Plus, update Ray to 2.10 to allow updating fastapi. On previous versions of Ray
the fastapi version was pinned, which was preventing the fastapi version update.

use the new handle api:

From Ray Serve docs:
Ray 2.7 introduces a new `DeploymentHandle` (`ray.serve.handle.DeploymentHandle`) API that will replace the existing `RayServeHandle` and `RayServeSyncHandle` APIs.

Signed-off-by: Spolti <fspolti@redhat.com>
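As an added example (not code from this KServe PR, from Ray or from FastAPI), the check a practitioner would run before and after a bump like this one: a standard-library Python audit that reads a `pip freeze` snapshot, reports packages still below the releases that close CVE-2024-24762, and, given the constraints declared by each dependency, names the pin that would reject the upgrade, which is the situation the description above reports with Ray. The fixed thresholds are the advisory's (the ReDoS lives in python-multipart and is fixed in 0.0.7; fastapi 0.109.1 raises its python-multipart floor to >=0.0.7). The `pip freeze` lines, the constraint list and the `ray[serve]` specifier in it are constructed for illustration and are not Ray's real pin.

```python
"""Audit dependency pins for CVE-2024-24762 (added example, not KServe/Ray code).

The ReDoS is in python-multipart's Content-Type parsing, fixed in 0.0.7;
fastapi 0.109.1 raised its python-multipart floor to >=0.0.7, hence the bump.
Versions are compared as numeric release tuples (no pre-release/local parts).
"""
import operator
import re

# Lowest release of each package that closes CVE-2024-24762.
FIXED = {"fastapi": (0, 109, 1), "python-multipart": (0, 0, 7)}

_CLAUSE_RE = re.compile(r"(===|==|!=|<=|>=|<|>|~=)\s*([0-9][0-9.]*)")
_OPS = {
    "==": operator.eq, "===": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}


def parse_version(text):
    """'0.109.1' -> (0, 109, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so 0.109 equals 0.109.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause of a PEP 440-style
    specifier such as '>=0.95.0,<0.100.0'. An empty specifier allows anything."""
    v = parse_version(version)
    for clause in (c.strip() for c in specifier.split(",")):
        if not clause:
            continue
        m = _CLAUSE_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, rhs = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, rhs)
        if op == "~=":
            # Compatible release: >= rhs and same prefix up to rhs's last component.
            ok = a >= b and a[: len(rhs) - 1] == rhs[: len(rhs) - 1]
        else:
            ok = _OPS[op](a, b)
        if not ok:
            return False
    return True


def parse_freeze(text):
    """Turn `pip freeze` output into {name: version}; names are lower-cased."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed


def vulnerable_packages(installed):
    """Return [(package, installed_version, fixed_version)] for packages below the fix."""
    findings = []
    for name, fixed in FIXED.items():
        if name not in installed:
            continue
        have, need = _pad(parse_version(installed[name]), fixed)
        if have < need:
            findings.append((name, installed[name], ".".join(map(str, fixed))))
    return findings


def upgrade_blockers(constraints, package, target):
    """Given [(declared_by, package, specifier)], return the declarers whose
    specifier would reject upgrading `package` to `target`."""
    return [who for who, pkg, spec in constraints
            if pkg == package and not satisfies(target, spec)]


# Constructed `pip freeze` snapshot of a pre-fix environment (not a real KServe lockfile).
SAMPLE_FREEZE = """\
fastapi==0.108.0
python-multipart==0.0.6
ray==2.9.3
uvicorn==0.27.0
"""

# Constructed constraints mirroring the PR's situation: an upstream pin on fastapi
# blocks the fix. The ray[serve] specifier is hypothetical, not Ray's real pin.
SAMPLE_CONSTRAINTS = [
    ("kserve pyproject", "fastapi", ">=0.95.0"),
    ("ray[serve] (hypothetical pin)", "fastapi", ">=0.95.0,<0.109.0"),
    ("kserve pyproject", "python-multipart", ">=0.0.5"),
]

if __name__ == "__main__":
    env = parse_freeze(SAMPLE_FREEZE)
    for name, have, need in vulnerable_packages(env):
        print(f"{name} {have} is below the fixed release {need}")
    for who in upgrade_blockers(SAMPLE_CONSTRAINTS, "fastapi", "0.109.1"):
        print(f"upgrade to fastapi 0.109.1 is blocked by {who}")
```

Feed it real `pip freeze` output and the `Requires-Dist` lines of your dependencies to get the same two answers for an actual environment: whether the vulnerable releases are still installed, and which declared pin has to move first.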
spolti (Contributor, Author) commented Mar 28, 2024

Hi all, this update required a few more tweaks to remove the RayServeHandle in favor of the DeploymentHandle.
Did some local tests, but I don't know this part in depth.
@ddelange it seems that you made some ray upgrades as well; if you could take a closer look to make sure that I didn't miss anything, it would be really appreciated.

Signed-off-by: Spolti <fspolti@redhat.com>
ddelange (Contributor)

@spolti thanks for the ping, the change looks good to me!

sivanantha321 (Member)

related issue #3541

sivanantha321 (Member)

/lgtm

ddelange (Contributor)

cc @yuzisun @njhill @rachitchauhan43

yuzisun (Member) commented Mar 30, 2024

/approve

oss-prow-bot (bot) commented Mar 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sivanantha321, spolti, yuzisun


oss-prow-bot merged commit fda7b41 into kserve:master Mar 30, 2024
58 checks passed
spolti deleted the fastapi branch April 1, 2024 13:41
spolti (Contributor, Author) commented Apr 1, 2024

thanks all.

Jooho pushed a commit to Jooho/kserve that referenced this pull request Apr 4, 2024
* CVE-2024-24762 - update fastapi to 0.109.1

chore: Fix [CVE-2024-24762](https://www.cve.org/CVERecord?id=CVE-2024-24762) - fastapi Regular Expression Denial of Service (ReDoS)
Plus, update Ray to 2.10 to allow updating fastapi. On previous versions of Ray
the fastapi version was pinned, which was preventing the fastapi version update.

use the new handle api:

From Ray Serve docs:
Ray 2.7 introduces a new `DeploymentHandle` (`ray.serve.handle.DeploymentHandle`) API that will replace the existing `RayServeHandle` and `RayServeSyncHandle` APIs.

Signed-off-by: Spolti <fspolti@redhat.com>

* add link about the RayServeHandle deprecation

Signed-off-by: Spolti <fspolti@redhat.com>

---------

Signed-off-by: Spolti <fspolti@redhat.com>
tjandy98 pushed a commit to tjandy98/kserve that referenced this pull request Apr 10, 2024
wmfgerrit pushed a commit to wikimedia/machinelearning-liftwing-inference-services that referenced this pull request Apr 23, 2024
Bump kserve to 0.12.1 that includes the following fixes we need:

* support for pydantic v2 (kserve/kserve#3374) which is used by knowledge_integrity v0.6
* fix for ray serve compatibility issue (kserve/kserve#3556).

Bug: T363127
Change-Id: I3fd7c5963c647ab1f407f21c4bd9e2b530fe8a47
wmfgerrit pushed a commit to wikimedia/machinelearning-liftwing-inference-services that referenced this pull request Apr 23, 2024
Bump kserve to 0.12.1 that includes the following fixes we need:

* support for pydantic v2 (kserve/kserve#3374) which is used by knowledge_integrity v0.6
* fix for ray serve compatibility issue (kserve/kserve#3556).

Bug: T363129
Change-Id: I6a4babe2155b0638beb83a0a03af99ef396a666b
wmfgerrit pushed a commit to wikimedia/machinelearning-liftwing-inference-services that referenced this pull request Apr 23, 2024
Bump kserve to 0.12.1 that includes the following fixes we need:

* support for pydantic v2 (kserve/kserve#3374) which is used by knowledge_integrity v0.6
* fix for ray serve compatibility issue (kserve/kserve#3556).

Bug: T363130
Change-Id: I9b13d5235b2c52cc71d92db19fe3adc7cdafea1a
Successfully merging this pull request may close these issues.

[Solution] Ray Serve version compatibility issue: cannot import name 'RayServeHandle' from 'ray.serve.handle'
5 participants