diff --git a/security/cve-report_en.md b/security/cve-report_en.md index 375820aa31f6f79d6a457647a0b8d7a82f9f378e..4c62a97fb7fe630f4733c1f2ab5c9a7e33b9143d 100644 --- a/security/cve-report_en.md +++ b/security/cve-report_en.md 
@@ -99,19 +99,20 @@ For the security of MindSpore users, the MindSpore community will not discuss, c ## MindSpore Security Note (SN) -| CVE list | Third party version | Suggestion | -| ---- | ---- | ---- | -| [CVE-2019-18348](https://nvd.nist.gov/vuln/detail/CVE-2019-18348), [CVE-2020-8315](https://nvd.nist.gov/vuln/detail/CVE-2020-8315), [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492), [CVE-2020-27619](https://nvd.nist.gov/vuln/detail/CVE-2020-27619), [CVE-2021-3426](https://nvd.nist.gov/vuln/detail/CVE-2021-3426), [CVE-2021-23336](https://nvd.nist.gov/vuln/detail/CVE-2021-23336), [CVE-2019-20907](https://nvd.nist.gov/vuln/detail/CVE-2019-20907), [CVE-2021-3177](https://nvd.nist.gov/vuln/detail/CVE-2021-3177) | Python 3.7.5 | | -| [CVE-2019-19911](https://nvd.nist.gov/vuln/detail/CVE-2019-19911), [CVE-2020-5310](https://nvd.nist.gov/vuln/detail/CVE-2020-5310), [CVE-2020-5311](https://nvd.nist.gov/vuln/detail/CVE-2020-5311), [CVE-2020-5312](https://nvd.nist.gov/vuln/detail/CVE-2020-5312), [CVE-2020-5313](https://nvd.nist.gov/vuln/detail/CVE-2020-5313) | Pillow < 6.2.2 | Upgrade to latest Pillow (8.2.0) | -| [CVE-2020-10177](https://nvd.nist.gov/vuln/detail/CVE-2020-10177), [CVE-2020-10378](https://nvd.nist.gov/vuln/detail/CVE-2020-10378), [CVE-2020-10379](https://nvd.nist.gov/vuln/detail/CVE-2020-10379), [CVE-2020-10994](https://nvd.nist.gov/vuln/detail/CVE-2020-10994), [CVE-2020-11538](https://nvd.nist.gov/vuln/detail/CVE-2020-11538) | Pillow < 7.1.0 | Upgrade to latest Pillow (8.2.0) | -| [CVE-2020-15999](https://nvd.nist.gov/vuln/detail/CVE-2020-15999) | Pillow < 8.0.1 | Upgrade to latest Pillow (8.2.0) | -| [CVE-2020-35653](https://nvd.nist.gov/vuln/detail/CVE-2020-35653), [CVE-2020-35654](https://nvd.nist.gov/vuln/detail/CVE-2020-35654), [CVE-2020-35655](https://nvd.nist.gov/vuln/detail/CVE-2020-35655) | Pillow < 8.1.0 | Upgrade to latest Pillow (8.2.0) | -| [CVE-2021-25289](https://nvd.nist.gov/vuln/detail/CVE-2021-25289), 
[CVE-2021-25290](https://nvd.nist.gov/vuln/detail/CVE-2021-25290), [CVE-2021-25291](https://nvd.nist.gov/vuln/detail/CVE-2021-25291), [CVE-2021-25292](https://nvd.nist.gov/vuln/detail/CVE-2021-25292), [CVE-2021-25293](https://nvd.nist.gov/vuln/detail/CVE-2021-25293), [CVE-2021-27921](https://nvd.nist.gov/vuln/detail/CVE-2021-27921), [CVE-2021-27922](https://nvd.nist.gov/vuln/detail/CVE-2021-27922), [CVE-2021-27923](https://nvd.nist.gov/vuln/detail/CVE-2021-27923) | Pillow < 8.1.1 | Upgrade to latest Pillow (8.2.0) | -| [CVE-2021-25287](https://nvd.nist.gov/vuln/detail/CVE-2021-25287), [CVE-2021-25288](https://nvd.nist.gov/vuln/detail/CVE-2021-25288), [CVE-2021-28675](https://nvd.nist.gov/vuln/detail/CVE-2021-28675), [CVE-2021-28676](https://nvd.nist.gov/vuln/detail/CVE-2021-28676), [CVE-2021-28677](https://nvd.nist.gov/vuln/detail/CVE-2021-28677), [CVE-2021-28678](https://nvd.nist.gov/vuln/detail/CVE-2021-28678) | Pillow < 8.2.0 | Upgrade to latest Pillow (8.2.0) | -| [CVE-2021-34552](https://nvd.nist.gov/vuln/detail/CVE-2021-34552) | Pillow <= 8.2.0 | Upgrade to latest Pillow (8.4.0) | -| [CVE-2021-41496](https://nvd.nist.gov/vuln/detail/CVE-2021-41496) | NumPy < 1.19 | Upgrade NumPy version >= 1.22.0 | -| [CVE-2021-34141](https://nvd.nist.gov/vuln/detail/CVE-2021-34141) | NumPy < 1.22.0 | Upgrade NumPy version >= 1.22.0 | -| [CVE-2021-41495](https://nvd.nist.gov/vuln/detail/CVE-2021-41495) | NumPy <= 1.22.0 | Refer [issue](https://gitee.com/mindspore/mindspore/issues/I4NRZ9?from=project-issue) | +| CVE list | Third party version | Suggestion | 
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|---------------------------------------------------------------------------------------| +| [CVE-2019-18348](https://nvd.nist.gov/vuln/detail/CVE-2019-18348), [CVE-2020-8315](https://nvd.nist.gov/vuln/detail/CVE-2020-8315), [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492), [CVE-2020-27619](https://nvd.nist.gov/vuln/detail/CVE-2020-27619), [CVE-2021-3426](https://nvd.nist.gov/vuln/detail/CVE-2021-3426), [CVE-2021-23336](https://nvd.nist.gov/vuln/detail/CVE-2021-23336), [CVE-2019-20907](https://nvd.nist.gov/vuln/detail/CVE-2019-20907), [CVE-2021-3177](https://nvd.nist.gov/vuln/detail/CVE-2021-3177) | Python 3.7.5 | | +| [CVE-2024-3220](https://nvd.nist.gov/vuln/detail/CVE-2024-3220) | Python 3.11.4 | | +| [CVE-2019-19911](https://nvd.nist.gov/vuln/detail/CVE-2019-19911), [CVE-2020-5310](https://nvd.nist.gov/vuln/detail/CVE-2020-5310), [CVE-2020-5311](https://nvd.nist.gov/vuln/detail/CVE-2020-5311), [CVE-2020-5312](https://nvd.nist.gov/vuln/detail/CVE-2020-5312), [CVE-2020-5313](https://nvd.nist.gov/vuln/detail/CVE-2020-5313) | Pillow < 6.2.2 | Upgrade to latest Pillow (8.2.0) | +| [CVE-2020-10177](https://nvd.nist.gov/vuln/detail/CVE-2020-10177), [CVE-2020-10378](https://nvd.nist.gov/vuln/detail/CVE-2020-10378), [CVE-2020-10379](https://nvd.nist.gov/vuln/detail/CVE-2020-10379), [CVE-2020-10994](https://nvd.nist.gov/vuln/detail/CVE-2020-10994), 
[CVE-2020-11538](https://nvd.nist.gov/vuln/detail/CVE-2020-11538) | Pillow < 7.1.0 | Upgrade to latest Pillow (8.2.0) | +| [CVE-2020-15999](https://nvd.nist.gov/vuln/detail/CVE-2020-15999) | Pillow < 8.0.1 | Upgrade to latest Pillow (8.2.0) | +| [CVE-2020-35653](https://nvd.nist.gov/vuln/detail/CVE-2020-35653), [CVE-2020-35654](https://nvd.nist.gov/vuln/detail/CVE-2020-35654), [CVE-2020-35655](https://nvd.nist.gov/vuln/detail/CVE-2020-35655) | Pillow < 8.1.0 | Upgrade to latest Pillow (8.2.0) | +| [CVE-2021-25289](https://nvd.nist.gov/vuln/detail/CVE-2021-25289), [CVE-2021-25290](https://nvd.nist.gov/vuln/detail/CVE-2021-25290), [CVE-2021-25291](https://nvd.nist.gov/vuln/detail/CVE-2021-25291), [CVE-2021-25292](https://nvd.nist.gov/vuln/detail/CVE-2021-25292), [CVE-2021-25293](https://nvd.nist.gov/vuln/detail/CVE-2021-25293), [CVE-2021-27921](https://nvd.nist.gov/vuln/detail/CVE-2021-27921), [CVE-2021-27922](https://nvd.nist.gov/vuln/detail/CVE-2021-27922), [CVE-2021-27923](https://nvd.nist.gov/vuln/detail/CVE-2021-27923) | Pillow < 8.1.1 | Upgrade to latest Pillow (8.2.0) | +| [CVE-2021-25287](https://nvd.nist.gov/vuln/detail/CVE-2021-25287), [CVE-2021-25288](https://nvd.nist.gov/vuln/detail/CVE-2021-25288), [CVE-2021-28675](https://nvd.nist.gov/vuln/detail/CVE-2021-28675), [CVE-2021-28676](https://nvd.nist.gov/vuln/detail/CVE-2021-28676), [CVE-2021-28677](https://nvd.nist.gov/vuln/detail/CVE-2021-28677), [CVE-2021-28678](https://nvd.nist.gov/vuln/detail/CVE-2021-28678) | Pillow < 8.2.0 | Upgrade to latest Pillow (8.2.0) | +| [CVE-2021-34552](https://nvd.nist.gov/vuln/detail/CVE-2021-34552) | Pillow <= 8.2.0 | Upgrade to latest Pillow (8.4.0) | +| [CVE-2021-41496](https://nvd.nist.gov/vuln/detail/CVE-2021-41496) | NumPy < 1.19 | Upgrade NumPy version >= 1.22.0 | +| [CVE-2021-34141](https://nvd.nist.gov/vuln/detail/CVE-2021-34141) | NumPy < 1.22.0 | Upgrade NumPy version >= 1.22.0 | +| [CVE-2021-41495](https://nvd.nist.gov/vuln/detail/CVE-2021-41495) | NumPy <= 
1.22.0 | Refer [issue](https://gitee.com/mindspore/mindspore/issues/I4NRZ9?from=project-issue) | ## CC Certificate diff --git a/security/cve-report_zh_cn.md b/security/cve-report_zh_cn.md index e244e86af2ec51625202bb9346d11e66411ef9eb..7d50da0239cfab6f052efe0636d5954a3ec20e1f 100644 --- a/security/cve-report_zh_cn.md +++ b/security/cve-report_zh_cn.md 
@@ -103,19 +103,20 @@ MindSpore 社区采用 CVSS v3 对漏洞进行评估,CVSS V3 通过对以下 第三方的开源组件部分漏洞需要用户自行修复: -| CVE 列表 | 第三方组件 | 建议 | -| ---- | ---- | ---- | -| [CVE-2019-18348](https://nvd.nist.gov/vuln/detail/CVE-2019-18348), [CVE-2020-8315](https://nvd.nist.gov/vuln/detail/CVE-2020-8315), [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492), [CVE-2020-27619](https://nvd.nist.gov/vuln/detail/CVE-2020-27619), [CVE-2021-3426](https://nvd.nist.gov/vuln/detail/CVE-2021-3426), [CVE-2021-23336](https://nvd.nist.gov/vuln/detail/CVE-2021-23336), [CVE-2019-20907](https://nvd.nist.gov/vuln/detail/CVE-2019-20907), [CVE-2021-3177](https://nvd.nist.gov/vuln/detail/CVE-2021-3177) | Python 3.7.5 | | -| [CVE-2019-19911](https://nvd.nist.gov/vuln/detail/CVE-2019-19911), [CVE-2020-5310](https://nvd.nist.gov/vuln/detail/CVE-2020-5310), [CVE-2020-5311](https://nvd.nist.gov/vuln/detail/CVE-2020-5311), [CVE-2020-5312](https://nvd.nist.gov/vuln/detail/CVE-2020-5312), [CVE-2020-5313](https://nvd.nist.gov/vuln/detail/CVE-2020-5313) | Pillow < 6.2.2 | 升级至最新的Pillow版本(8.2.0) | -| [CVE-2020-10177](https://nvd.nist.gov/vuln/detail/CVE-2020-10177), [CVE-2020-10378](https://nvd.nist.gov/vuln/detail/CVE-2020-10378), [CVE-2020-10379](https://nvd.nist.gov/vuln/detail/CVE-2020-10379), [CVE-2020-10994](https://nvd.nist.gov/vuln/detail/CVE-2020-10994), [CVE-2020-11538](https://nvd.nist.gov/vuln/detail/CVE-2020-11538) | Pillow < 7.1.0 | 升级至最新的Pillow版本(8.2.0) | -| [CVE-2020-15999](https://nvd.nist.gov/vuln/detail/CVE-2020-15999) | Pillow < 8.0.1 | 升级至最新的Pillow版本(8.2.0) | -| [CVE-2020-35653](https://nvd.nist.gov/vuln/detail/CVE-2020-35653), [CVE-2020-35654](https://nvd.nist.gov/vuln/detail/CVE-2020-35654), [CVE-2020-35655](https://nvd.nist.gov/vuln/detail/CVE-2020-35655) | Pillow < 8.1.0 | 升级至最新的Pillow版本(8.2.0) | -| [CVE-2021-25289](https://nvd.nist.gov/vuln/detail/CVE-2021-25289), [CVE-2021-25290](https://nvd.nist.gov/vuln/detail/CVE-2021-25290), 
[CVE-2021-25291](https://nvd.nist.gov/vuln/detail/CVE-2021-25291), [CVE-2021-25292](https://nvd.nist.gov/vuln/detail/CVE-2021-25292), [CVE-2021-25293](https://nvd.nist.gov/vuln/detail/CVE-2021-25293), [CVE-2021-27921](https://nvd.nist.gov/vuln/detail/CVE-2021-27921), [CVE-2021-27922](https://nvd.nist.gov/vuln/detail/CVE-2021-27922), [CVE-2021-27923](https://nvd.nist.gov/vuln/detail/CVE-2021-27923) | Pillow < 8.1.1 | 升级至最新的Pillow版本(8.2.0) | -| [CVE-2021-25287](https://nvd.nist.gov/vuln/detail/CVE-2021-25287), [CVE-2021-25288](https://nvd.nist.gov/vuln/detail/CVE-2021-25288), [CVE-2021-28675](https://nvd.nist.gov/vuln/detail/CVE-2021-28675), [CVE-2021-28676](https://nvd.nist.gov/vuln/detail/CVE-2021-28676), [CVE-2021-28677](https://nvd.nist.gov/vuln/detail/CVE-2021-28677), [CVE-2021-28678](https://nvd.nist.gov/vuln/detail/CVE-2021-28678) | Pillow < 8.2.0 | 升级至最新的Pillow版本(8.2.0) | -| [CVE-2021-34552](https://nvd.nist.gov/vuln/detail/CVE-2021-34552) | Pillow <= 8.2.0 | 升级至最新的Pillow版本(8.4.0) | -| [CVE-2021-41496](https://nvd.nist.gov/vuln/detail/CVE-2021-41496) | NumPy < 1.19 | 升级NumPy版本 >= 1.22.0 | -| [CVE-2021-34141](https://nvd.nist.gov/vuln/detail/CVE-2021-34141) | NumPy < 1.22.0 | 升级NumPy版本 >= 1.22.0 | -| [CVE-2021-41495](https://nvd.nist.gov/vuln/detail/CVE-2021-41495) | NumPy <= 1.22.0 | 可参考[issue](https://gitee.com/mindspore/mindspore/issues/I4NRZ9?from=project-issue) | +| CVE 列表 | 第三方组件 | 建议 | 
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|------------------------------------------------------------------------------------| +| [CVE-2019-18348](https://nvd.nist.gov/vuln/detail/CVE-2019-18348), [CVE-2020-8315](https://nvd.nist.gov/vuln/detail/CVE-2020-8315), [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492), [CVE-2020-27619](https://nvd.nist.gov/vuln/detail/CVE-2020-27619), [CVE-2021-3426](https://nvd.nist.gov/vuln/detail/CVE-2021-3426), [CVE-2021-23336](https://nvd.nist.gov/vuln/detail/CVE-2021-23336), [CVE-2019-20907](https://nvd.nist.gov/vuln/detail/CVE-2019-20907), [CVE-2021-3177](https://nvd.nist.gov/vuln/detail/CVE-2021-3177) | Python 3.7.5 | | +| [CVE-2024-3220](https://nvd.nist.gov/vuln/detail/CVE-2024-3220) | Python 3.11.4 | | +| [CVE-2019-19911](https://nvd.nist.gov/vuln/detail/CVE-2019-19911), [CVE-2020-5310](https://nvd.nist.gov/vuln/detail/CVE-2020-5310), [CVE-2020-5311](https://nvd.nist.gov/vuln/detail/CVE-2020-5311), [CVE-2020-5312](https://nvd.nist.gov/vuln/detail/CVE-2020-5312), [CVE-2020-5313](https://nvd.nist.gov/vuln/detail/CVE-2020-5313) | Pillow < 6.2.2 | 升级至最新的Pillow版本(8.2.0) | +| [CVE-2020-10177](https://nvd.nist.gov/vuln/detail/CVE-2020-10177), [CVE-2020-10378](https://nvd.nist.gov/vuln/detail/CVE-2020-10378), [CVE-2020-10379](https://nvd.nist.gov/vuln/detail/CVE-2020-10379), [CVE-2020-10994](https://nvd.nist.gov/vuln/detail/CVE-2020-10994), [CVE-2020-11538](https://nvd.nist.gov/vuln/detail/CVE-2020-11538) | Pillow < 
7.1.0 | 升级至最新的Pillow版本(8.2.0) | +| [CVE-2020-15999](https://nvd.nist.gov/vuln/detail/CVE-2020-15999) | Pillow < 8.0.1 | 升级至最新的Pillow版本(8.2.0) | +| [CVE-2020-35653](https://nvd.nist.gov/vuln/detail/CVE-2020-35653), [CVE-2020-35654](https://nvd.nist.gov/vuln/detail/CVE-2020-35654), [CVE-2020-35655](https://nvd.nist.gov/vuln/detail/CVE-2020-35655) | Pillow < 8.1.0 | 升级至最新的Pillow版本(8.2.0) | +| [CVE-2021-25289](https://nvd.nist.gov/vuln/detail/CVE-2021-25289), [CVE-2021-25290](https://nvd.nist.gov/vuln/detail/CVE-2021-25290), [CVE-2021-25291](https://nvd.nist.gov/vuln/detail/CVE-2021-25291), [CVE-2021-25292](https://nvd.nist.gov/vuln/detail/CVE-2021-25292), [CVE-2021-25293](https://nvd.nist.gov/vuln/detail/CVE-2021-25293), [CVE-2021-27921](https://nvd.nist.gov/vuln/detail/CVE-2021-27921), [CVE-2021-27922](https://nvd.nist.gov/vuln/detail/CVE-2021-27922), [CVE-2021-27923](https://nvd.nist.gov/vuln/detail/CVE-2021-27923) | Pillow < 8.1.1 | 升级至最新的Pillow版本(8.2.0) | +| [CVE-2021-25287](https://nvd.nist.gov/vuln/detail/CVE-2021-25287), [CVE-2021-25288](https://nvd.nist.gov/vuln/detail/CVE-2021-25288), [CVE-2021-28675](https://nvd.nist.gov/vuln/detail/CVE-2021-28675), [CVE-2021-28676](https://nvd.nist.gov/vuln/detail/CVE-2021-28676), [CVE-2021-28677](https://nvd.nist.gov/vuln/detail/CVE-2021-28677), [CVE-2021-28678](https://nvd.nist.gov/vuln/detail/CVE-2021-28678) | Pillow < 8.2.0 | 升级至最新的Pillow版本(8.2.0) | +| [CVE-2021-34552](https://nvd.nist.gov/vuln/detail/CVE-2021-34552) | Pillow <= 8.2.0 | 升级至最新的Pillow版本(8.4.0) | +| [CVE-2021-41496](https://nvd.nist.gov/vuln/detail/CVE-2021-41496) | NumPy < 1.19 | 升级NumPy版本 >= 1.22.0 | +| [CVE-2021-34141](https://nvd.nist.gov/vuln/detail/CVE-2021-34141) | NumPy < 1.22.0 | 升级NumPy版本 >= 1.22.0 | +| [CVE-2021-41495](https://nvd.nist.gov/vuln/detail/CVE-2021-41495) | NumPy <= 1.22.0 | 可参考[issue](https://gitee.com/mindspore/mindspore/issues/I4NRZ9?from=project-issue) | ## CC 认证
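Review bot: In the security/cve-report_en.md hunk, the added row for CVE-2024-3220 (Python 3.11.4) leaves the Suggestion cell empty, so a reader learns that the version is listed but not what to do about it. Please fill the cell with the fixed Python version or a workaround, or state explicitly that no user action is needed. Also say whether "Python 3.11.4" means only that release or a range, since the Pillow and NumPy rows use ranges such as `Pillow < 6.2.2`. Separately, re-padding the separator row makes every table line show as changed for what the hunk header (19 lines to 20) shows is a one-row addition. Keeping the original `| ---- | ---- | ---- |` separator would reduce the diff to the single new line and make it easier to audit.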
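Review bot: In the security/cve-report_zh_cn.md hunk, the rewritten Pillow rows still recommend 升级至最新的Pillow版本(8.2.0), while the CVE-2021-34552 row in the same table lists `Pillow <= 8.2.0` as affected and recommends 8.4.0. Likewise, the NumPy rows advise `>= 1.22.0` although the CVE-2021-41495 row lists `NumPy <= 1.22.0`. Since these lines are being touched anyway, align the older suggestions with the newest version the table itself names, so that no row sends users to a release another row marks as affected. The new CVE-2024-3220 row also has an empty 建议 cell. The same points hold for the English table, so both files should be corrected together.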