Posted to issues@beam.apache.org by "Valentyn Tymofieiev (Jira)" <ji...@apache.org> on 2022/03/05 00:40:00 UTC

[jira] [Updated] (BEAM-13995) Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas and numpy

     [ https://issues.apache.org/jira/browse/BEAM-13995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Valentyn Tymofieiev updated BEAM-13995:
---------------------------------------
    Fix Version/s: 2.38.0
       Resolution: Fixed
           Status: Resolved  (was: Open)

> Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas and numpy
> --------------------------------------------------------------------------------------
>
>                 Key: BEAM-13995
>                 URL: https://issues.apache.org/jira/browse/BEAM-13995
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies, sdk-py-core
>    Affects Versions: 2.23.0, 2.35.0, 2.36.0
>            Reporter: Prerana 
>            Priority: P1
>             Fix For: 2.38.0
>
>         Attachments: Tensorflow  vulnerabilities.xlsx
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> We are using apache-beam[gcp]==2.23.0 and apache-beam=2.36.0.
> The following vulnerabilities are detected in WhiteSource with apache-beam.
> [CVE-2020-13091|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2020-13091;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c] - pandas-0.25.3-cp37-cp37m-manylinux1_x86_64.whl - Fix (Upgrade to version pandas - 0.3.0.beta,1.0.4; autovizwidget - 0.12.7; pandas - 1.0.4,1.1.0rc0)
> [CVE-2021-41496|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-41496;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c] - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl - Fix (Upgrade to version autovizwidget - 0.12.7; numpy - 1.22.0rc1; numcodecs - 0.6.2; numpy-base - 1.11.3; numpy - 1.17.4)
> [CVE-2021-21240|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-21240;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c] - httplib2-0.17.4-py3-none-any.whl - Fix (Upgrade to version v0.19.0)
> See attached xls - tensorflow-1.14.0-cp37-cp37m-manylinux1_x86_64.whl - Fix (attached xls)
> Please upgrade the packages to the mentioned versions with the fix.
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)