[BUG] Security Vulnerability #7884
Comments
Thank you for the investigation and report @DanMcInerney. We'll be patching this!
@BenWilson2 @dbczumar @harupy @WeichenXu123 Please assign a maintainer and start triaging this issue.
Thanks @DanMcInerney for finding these vulnerabilities along with contributors at @protectai for testing/verification. Appreciate the MLflow maintainers for a very prompt response.
CVEs have been published:
Dan has published a blog post detailing the issue at: MLflow v2.2.2 has patched these vulnerabilities.
Will the fixes get backported to the 1.3 series?
Could someone please update the release notes to include mention of the CVEs? I don't know if / where announcements are sent out for this project, but a 10 is typically justification for broad disclosure and an urge to upgrade immediately.
MLflow has issued GitHub Security Advisories:
Disclaimer: I'm not an MLflow maintainer.
Hi folks, the 2.2.1 release notes have been updated to reference the GitHub Security Advisories, which refer to the CVEs and provide additional context. MLflow 1.30.1 was released yesterday, which patches these security vulnerabilities for the 1.30 series: https://pypi.org/project/mlflow/1.30.1/. Thank you for using MLflow!
Sent email to mlflow-oss-maintainers@databricks.com