diff --git a/security/cve-report_en.md b/security/cve-report_en.md index 60cc25c5b5ceb1fb03a0b132ccdd89bcab019ef0..bb32ac58b4f92b70e5663e0a41ea145aff89a9c2 100644 --- a/security/cve-report_en.md +++ b/security/cve-report_en.md @@ -17,6 +17,9 @@ Each security vulnerability is tracked and handled by a designated person who i ![cve-report_en.jpg](https://gitee.com/mindspore/community/raw/master/security/resource/cve-report_en.jpg) +2. Open-Source Third-Party Component Vulnerabilities +The Majun platform conducts vulnerability scanning for open-source third-party components involved in various MindSpore sub-repositories. Identified component vulnerabilities are submitted as issues to the Gitee community based on their CVSS scores. + ## Vulnerability Reporting To ensure security, please use the [PGP public key](https://gitee.com/mindspore/community/blob/master/security/public_key_securities.asc) to encrypt your email before sending it. @@ -90,12 +93,15 @@ This maintenance release contains no known security vulnerabilities. ## MindSpore Security Note (SN) +[Complete vulnerability announcement link](https://majun.osinfra.cn/cloud/cve) +Third-party open-source component vulnerability disclosures: + | CVE list | Third party version | Status | Note | | ---- | ---- | ---- | ---- | | [CVE-2025-27587](https://nvd.nist.gov/vuln/detail/CVE-2025-27587) | openssl = 3.3.2 | Unfixed | Recommended temporary downgrade to 3.3.0 | | [CVE-2024-3220](https://nvd.nist.gov/vuln/detail/CVE-2024-3220) | python3.11.4 | Not Affected | No impact on MindSpore Transformers (not in use) | | [CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273) | setuptools = 40.8.0 | fixed | The setuptools PackageIndex component remains unused in MindArmour's execution framework. | -| [Complete vulnerability announcement link](https://majun.osinfra.cn/cloud/cve) | - | - | - | +| - | - | - | - | ## CC Certificate 
diff --git a/security/cve-report_zh_cn.md b/security/cve-report_zh_cn.md index af4272ffb8de6d421549b4d8edddd2c7f5c26985..72d89bcc50d369795670454d1c1f2687b48bbe90 100644 --- a/security/cve-report_zh_cn.md +++ b/security/cve-report_zh_cn.md @@ -13,11 +13,12 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架,在 ## 漏洞处理流程 -每一个安全漏洞都会有一个指定的人员进行跟踪和处理,他将负责跟踪和推动漏洞的修复和披露。漏洞端到端的处理流程如下图。 +1. 自身安全漏洞:每一个安全漏洞都会有一个指定的人员进行跟踪和处理,他将负责跟踪和推动漏洞的修复和披露。漏洞端到端的处理流程如下图。 -![cve-report_zh_cn.jpg](https://gitee.com/mindspore/community/raw/master/security/resource/cve-report_zh_cn_0716.jpg) +![cve-report_zh_cn.jpg](https://gitee.com/mindspore/community/raw/master/security/resource/cve-report_zh_cn.jpg) -在这里我们主要介绍流程中漏洞上报、漏洞评估和漏洞披露这三部分内容。 +2. 涉及开源三方件漏洞 +Majun平台将Mindspore各子仓涉及的开源三方件进行扫描,识别出来的三方件漏洞根据CVSS评分,提交上报gitee社区issue。 ## 漏洞上报方式 @@ -92,6 +93,7 @@ MindSpore 社区采用 CVSS v3 对漏洞进行评估,CVSS V3 通过对以下 ## MindSpore安全说明(SN) +[完整公告链接](https://majun.osinfra.cn/cloud/cve) 第三方的开源组件部分漏洞说明: | CVE 列表 | 第三方组件 | 状态 | 说明 | @@ -99,7 +101,7 @@ MindSpore 社区采用 CVSS v3 对漏洞进行评估,CVSS V3 通过对以下 | [CVE-2025-27587](https://nvd.nist.gov/vuln/detail/CVE-2025-27587) | openssl = 3.3.2 | 待修复 | 建议临时降级 < 3.3.0 | | [CVE-2024-3220](https://nvd.nist.gov/vuln/detail/CVE-2024-3220) | python3.11.4 | 不涉及 | MindArmour在实现过程中未调用setuptools的PackageIndex模块 | | [CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273) | setuptools = 40.8.0 | 不涉及 | MindArmour在使用setuptools时不使用PackageIndex组件 | -| [完整公告链接](https://majun.osinfra.cn/cloud/cve) | - | - | - | +| - | - | - | - | ## CC 认证
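Review bot: in security/cve-report_en.md @@ -17,6 +17,9, the new item `2. Open-Source Third-Party Component Vulnerabilities` has no item 1 to pair with: the zh_cn hunk prefixes the existing paragraph with `1. 自身安全漏洞:`, but the English paragraph above the image is left unnumbered, so the rendered list starts at 2. Prefix the existing paragraph with `1.` to mirror the Chinese version. The new paragraph should also state which CVSS score threshold triggers a Gitee issue and whether those issues are filed publicly, since this sentence is the only documentation of how Majun scan findings are triaged.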
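Review bot: in security/cve-report_en.md @@ -90,12 +93,15 the added `[Complete vulnerability announcement link](...)` line is followed directly by `Third-party open-source component vulnerability disclosures:` with no blank line, so Markdown renders the two as one paragraph; insert a blank line between them. Replacing the removed link row with `| - | - | - | - |` leaves an empty placeholder row in the table; drop the row entirely now that the link lives above the table. While this table is being touched, the context rows disagree with the zh_cn table: CVE-2025-47273 is `fixed` here but `不涉及` (not affected) in zh_cn, and the CVE-2025-27587 advice reads `downgrade to 3.3.0` here versus `< 3.3.0` in zh_cn; both pages should state the same status and remediation.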
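Review bot: in security/cve-report_zh_cn.md @@ -13,11 +13,12 the image path changes from `cve-report_zh_cn_0716.jpg` to `cve-report_zh_cn.jpg`; confirm the renamed file is added under security/resource in this same change, otherwise the flow diagram link breaks. The hunk also deletes the lead-in sentence `在这里我们主要介绍流程中漏洞上报、漏洞评估和漏洞披露这三部分内容。` that introduces the following three sections; either keep it after item 2 or explain why it is no longer needed. Minor: `Mindspore` and `gitee` in the new item 2 should be `MindSpore` and `Gitee`, matching the rest of the document.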
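Review bot: in security/cve-report_zh_cn.md @@ -92,6 +93,7 the new `[完整公告链接](...)` line sits directly above `第三方的开源组件部分漏洞说明:` with no blank line, so the link and the table caption render as a single paragraph; add a blank line after the link.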
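Review bot: in security/cve-report_zh_cn.md @@ -99,7 +101,7, replacing the link row with `| - | - | - | - |` keeps a meaningless all-dash row; delete the row instead. The unchanged rows above carry a copy-paste error worth fixing in the same pass: the CVE-2024-3220 row (a python3.11.4 CVE) gives `MindArmour在实现过程中未调用setuptools的PackageIndex模块` as its rationale, which is the reasoning for the setuptools CVE-2025-47273 row below it, and the English table gives a different reason for that row (`No impact on MindSpore Transformers (not in use)`).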