Resolved CVEs #206
Resolved CVEs #206
Conversation
|
Hello, could you remind why libssl1.1 is needed and why openssl/libssl3 can't be used? thanks, |
|
Thank you for your question. I removed libssl1.1 due to some critical CVEs it introduced. Unfortunately, I’m unsure why libssl1.1 was initially included, especially since libssl3 comes out of the box with Ubuntu 22.04. |
I simply copy-pasted it from TGI's Dockerfile. It's not necessary, no reason to keep it 👍 |
| opentelemetry-proto==1.15.0 ; python_version >= "3.9" and python_version < "3.13" | ||
| opentelemetry-sdk==1.15.0 ; python_version >= "3.9" and python_version < "3.13" | ||
| opentelemetry-semantic-conventions==0.36b0 ; python_version >= "3.9" and python_version < "3.13" | ||
| nvidia-cublas-cu12==12.1.3.1 ; platform_system == "Linux" and platform_machine == "x86_64" and python_version >= "3.9" and python_version < "3.13" |
There was a problem hiding this comment.
why do we need all these nvidia packages?
There was a problem hiding this comment.
Those changes were added after I ran make install && make update-lock && make export-requirements
There was a problem hiding this comment.
We usually manually modify the requirements generated by Poetry to remove these dependencies and a few others. Note that there is now a dependency for torch==2.4.0, which we absolutely don't want to keep as this would erase HPU's torch.
So I think you can just remove all the new dependencies in this file and just keep the ones that are updated.
| transformers==4.40.2 ; python_version >= "3.9" and python_version < "3.13" | ||
| transformers[sentencepiece]==4.40.2 ; python_version >= "3.9" and python_version < "3.13" | ||
| triton==3.0.0 ; platform_system == "Linux" and platform_machine == "x86_64" and python_version < "3.13" and python_version >= "3.9" |
There was a problem hiding this comment.
is triton pulled in from somewhere else? i dont recall we having triton support, is this also coming from nvidia?
There was a problem hiding this comment.
Yes it should be removed too
| WORKDIR /usr/src | ||
|
|
||
| RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ | ||
| linux-libc-dev \ | ||
| openssh-client \ |
Description:
This pull request addresses several critical and high-severity vulnerabilities identified in the tgi_gaudi container based on Ubuntu 22.04. The primary focus is on updating and patching key components to resolve these security issues and ensure a more secure environment.
Key Changes:
Resolved Critical CVE in PyTorch Lightning:
Package: lightning
Vulnerability: CVE-2024-5980 (Critical)
Action: Updated lightning from version 2.2.4 to 2.3.3.
Impact: Mitigates the arbitrary file write vulnerability via the /v1/runs API endpoint.
Resolved Multiple High CVEs in OpenSSL:
Package: libssl1.1
Vulnerabilities:
CVE-2021-3449: NULL pointer dereference in signature algorithms processing.
CVE-2021-3711: SM2 Decryption Buffer Overflow.
CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates.
CVE-2022-3602: X.509 Email Address Buffer Overflow.
CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow.
CVE-2023-0286: X.400 address type confusion in X.509 GeneralName.
Action: Updated OpenSSL library from 1.1.1f-1ubuntu2.23 to 3.0.2-0ubuntu1.8.
Impact: Addresses various vulnerabilities related to SSL/TLS communications, enhancing the security of encrypted connections.
General Security Enhancements:
Updated various other packages to their latest versions to mitigate other vulnerabilities and ensure the system remains secure and stable.
Remaining Vulnerabilities:
Despite these updates, two high-severity vulnerabilities remain:
linux-libc-dev:
CVE-2024-26800: Use-after-free vulnerability on failed backlog decryption.
CVE-2024-27397: Timestamp handling issue in netfilter leading to potential denial of service.
Action: Monitoring for the release of patched versions to address these issues.
Why This Is Important:
Addressing these vulnerabilities is crucial to maintaining the security and stability of the tgi_gaudi container.
The updates prevent potential exploitation, which could lead to data breaches, unauthorized access, or service disruptions.
Testing and Validation:
Unit Tests: Ran all relevant unit tests to ensure that the updates do not break existing functionality.
Integration Tests: Verified that the application functions correctly with the updated dependencies.
Manual Testing: Conducted manual testing to confirm the effectiveness of the security patches.
References:
CVE-2024-5980 Details
CVE-2021-3449 Details
CVE-2024-26800 Details
CVE-2024-27397 Details
Additional Notes:
The remaining vulnerabilities are being actively monitored, and further updates will be applied as soon as fixes are available.
No breaking changes have been introduced as part of this PR.