[VUL-14360][VUL-9146][VUL-11518][VUL-11519] Fixing CVE-2025-48379, CVE-2024-47081, CVE-2025-50181 and CVE-2025-50182 #1555
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…][RAPTOR-14099][RAPTOR-14100][RAPTOR-14101][RAPTOR-14102] Bumped up a version of Pillow for CVE
peterzdeb
changed the title
|
The Needs Review labels were added based on the following file changes. Team @datarobot/buzok (#buzok) was assigned because of changes in files:public_dropin_environments/python311_genai_agents/requirements.txt Team @datarobot/core-modeling (#predictive-ai) was assigned because of changes in files:public_dropin_environments/python3_keras/env_info.json public_dropin_environments/python3_keras/requirements.txt public_dropin_environments/python3_pmml/env_info.json public_dropin_environments/python3_pmml/requirements.txt public_dropin_environments/python3_pytorch/env_info.json public_dropin_environments/python3_pytorch/requirements.txt public_dropin_environments/python3_sklearn/env_info.json public_dropin_environments/python3_sklearn/requirements.txt public_dropin_environments/python3_xgboost/env_info.json public_dropin_environments/python3_xgboost/requirements.txt public_dropin_environments/r_lang/env_info.json public_dropin_environments/r_lang/requirements.txt Team @datarobot/genai-systems (#genai-systems) was assigned because of changes in files:public_dropin_environments/java_codegen/env_info.json public_dropin_environments/java_codegen/requirements.txt public_dropin_environments/python311/env_info.json public_dropin_environments/python311/requirements.txt public_dropin_environments/python3_keras/env_info.json public_dropin_environments/python3_keras/requirements.txt public_dropin_environments/python3_onnx/env_info.json public_dropin_environments/python3_onnx/requirements.txt public_dropin_environments/python3_pmml/env_info.json public_dropin_environments/python3_pmml/requirements.txt public_dropin_environments/python3_pytorch/env_info.json public_dropin_environments/python3_pytorch/requirements.txt public_dropin_environments/python3_sklearn/env_info.json public_dropin_environments/python3_sklearn/requirements.txt public_dropin_environments/python3_xgboost/env_info.json public_dropin_environments/python3_xgboost/requirements.txt public_dropin_environments/r_lang/env_info.json public_dropin_environments/r_lang/requirements.txt If you think that there are some issues with ownership, please discuss with C&A domain at #sdtk slack channel and create PR to update DRCODEOWNERS\CODEOWNERS file. |
klichukb
approved these changes
Jul 3, 2025
eric-s-s
approved these changes
Jul 3, 2025
|
Label Needs Review: Core Modeling was removed because @eric-s-s is part of Predictive AI domain. |
|
jarvis please cherry-pick this release/11.1 |
peterzdeb
added a commit
that referenced
this pull request
Jul 3, 2025
…E-2024-47081, CVE-2025-50181 and CVE-2025-50182 (#1555) * [RAPTOR-14094][RAPTOR-14095][RAPTOR-14096][RAPTOR-14097][RAPTOR-14098][RAPTOR-14099][RAPTOR-14100][RAPTOR-14101][RAPTOR-14102] Bumped up a version of Pillow for CVE * Reconcile dependencies, updated IDs, tags * [RAPTOR-13877] Bumped up a version of urllib3 for CVE * [RAPTOR-13875] Bumped up a version of urllib3 for CVE * [RAPTOR-13873] Bumped up a version of urllib3 for CVE * [RAPTOR-13871] Bumped up a version of urllib3 for CVE * [RAPTOR-13868] Bumped up a version of urllib3 for CVE * [RAPTOR-13866] Bumped up a version of urllib3 for CVE * [RAPTOR-13864] Bumped up a version of urllib3 for CVE * [RAPTOR-13862] Bumped up a version of urllib3 for CVE * [RAPTOR-13879] Bumped up a version of urllib3 for CVE * [BUZZOK-26501] Bumped up a version of urllib3 for CVE * [RAPTOR-12952] Bumped up a version of requests for CVE * [RAPTOR-12949] Bumped up a version of requests for CVE * [RAPTOR-12947] Bumped up a version of requests for CVE * [RAPTOR-12945] Bumped up a version of requests for CVE * [RAPTOR-12942] Bumped up a version of requests for CVE * [RAPTOR-12940] Bumped up a version of requests for CVE * [RAPTOR-12938] Bumped up a version of requests for CVE * [RAPTOR-12936] Bumped up a version of requests for CVE * [RAPTOR-12933] Bumped up a version of requests for CVE * Reconcile dependencies, updated IDs, tags --------- Co-authored-by: svc-harness-git2 <svc-harness-git2@datarobot.com>
peterzdeb
added a commit
that referenced
this pull request
Jul 3, 2025
…E-2024-47081, CVE-2025-50181 and CVE-2025-50182 (#1555) * [RAPTOR-14094][RAPTOR-14095][RAPTOR-14096][RAPTOR-14097][RAPTOR-14098][RAPTOR-14099][RAPTOR-14100][RAPTOR-14101][RAPTOR-14102] Bumped up a version of Pillow for CVE * Reconcile dependencies, updated IDs, tags * [RAPTOR-13877] Bumped up a version of urllib3 for CVE * [RAPTOR-13875] Bumped up a version of urllib3 for CVE * [RAPTOR-13873] Bumped up a version of urllib3 for CVE * [RAPTOR-13871] Bumped up a version of urllib3 for CVE * [RAPTOR-13868] Bumped up a version of urllib3 for CVE * [RAPTOR-13866] Bumped up a version of urllib3 for CVE * [RAPTOR-13864] Bumped up a version of urllib3 for CVE * [RAPTOR-13862] Bumped up a version of urllib3 for CVE * [RAPTOR-13879] Bumped up a version of urllib3 for CVE * [BUZZOK-26501] Bumped up a version of urllib3 for CVE * [RAPTOR-12952] Bumped up a version of requests for CVE * [RAPTOR-12949] Bumped up a version of requests for CVE * [RAPTOR-12947] Bumped up a version of requests for CVE * [RAPTOR-12945] Bumped up a version of requests for CVE * [RAPTOR-12942] Bumped up a version of requests for CVE * [RAPTOR-12940] Bumped up a version of requests for CVE * [RAPTOR-12938] Bumped up a version of requests for CVE * [RAPTOR-12936] Bumped up a version of requests for CVE * [RAPTOR-12933] Bumped up a version of requests for CVE * Reconcile dependencies, updated IDs, tags --------- Co-authored-by: svc-harness-git2 <svc-harness-git2@datarobot.com>
annaaliieva
pushed a commit
that referenced
this pull request
Jul 3, 2025
…19] Fixing CVE-2025-48379, CVE-2024-47081, CVE-2025-50181 and CVE-2025-50182 (#1555) (#1556) * [VUL-14360][VUL-9146][VUL-11518][VUL-11519] Fixing CVE-2025-48379, CVE-2024-47081, CVE-2025-50181 and CVE-2025-50182 (#1555) * [RAPTOR-14094][RAPTOR-14095][RAPTOR-14096][RAPTOR-14097][RAPTOR-14098][RAPTOR-14099][RAPTOR-14100][RAPTOR-14101][RAPTOR-14102] Bumped up a version of Pillow for CVE * Reconcile dependencies, updated IDs, tags * [RAPTOR-13877] Bumped up a version of urllib3 for CVE * [RAPTOR-13875] Bumped up a version of urllib3 for CVE * [RAPTOR-13873] Bumped up a version of urllib3 for CVE * [RAPTOR-13871] Bumped up a version of urllib3 for CVE * [RAPTOR-13868] Bumped up a version of urllib3 for CVE * [RAPTOR-13866] Bumped up a version of urllib3 for CVE * [RAPTOR-13864] Bumped up a version of urllib3 for CVE * [RAPTOR-13862] Bumped up a version of urllib3 for CVE * [RAPTOR-13879] Bumped up a version of urllib3 for CVE * [BUZZOK-26501] Bumped up a version of urllib3 for CVE * [RAPTOR-12952] Bumped up a version of requests for CVE * [RAPTOR-12949] Bumped up a version of requests for CVE * [RAPTOR-12947] Bumped up a version of requests for CVE * [RAPTOR-12945] Bumped up a version of requests for CVE * [RAPTOR-12942] Bumped up a version of requests for CVE * [RAPTOR-12940] Bumped up a version of requests for CVE * [RAPTOR-12938] Bumped up a version of requests for CVE * [RAPTOR-12936] Bumped up a version of requests for CVE * [RAPTOR-12933] Bumped up a version of requests for CVE * Reconcile dependencies, updated IDs, tags --------- Co-authored-by: svc-harness-git2 <svc-harness-git2@datarobot.com> * Reconcile dependencies, updated IDs, tags --------- Co-authored-by: svc-harness-git2 <svc-harness-git2@datarobot.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This repository is public. Do not put here any private DataRobot or customer's data: code, datasets, model artifacts, .etc.
Summary
Pillow dependency for DRUM is unpinned but we have the pin in execution environments.
For CVE-2025-48379 we have to use Pillow version 11.3.0
Also I bumped version of
requeststo solve CVE-2024-47081 and urllib3 for CVE-2025-50181 and CVE-2025-50182 .Rationale
All that CVEs are affecting release 11.1