| Field | Value | Field | Value |
|---|---|---|---|
| Summary | sci-libs/scikit-learn-1.1.1: local DoS (CVE-2020-28975) | | |
| Product | Gentoo Security | Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | andrewammerlaan, gentoo, mgorny, sci |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://github.com/scikit-learn/scikit-learn/issues/18891 | | |
| Whiteboard | B3 [glsa+] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 788592, 879985 | | |
| Bug Blocks | | | |
Description
John Helmert III
2020-12-03 18:45:44 UTC

Upstream discussion: https://github.com/scikit-learn/scikit-learn/issues/18891

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7df0dba820d628b4b7224692a5cb188799097c40

commit 7df0dba820d628b4b7224692a5cb188799097c40
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2021-05-29 17:41:14 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2021-05-29 17:41:48 +0000

    sci-libs/scikit-learn: drop 0.23.2

    Closes: https://bugs.gentoo.org/754333
    Bug: https://bugs.gentoo.org/758323
    Bug: https://bugs.gentoo.org/788592
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 sci-libs/scikit-learn/Manifest                   |  1 -
 sci-libs/scikit-learn/scikit-learn-0.23.2.ebuild | 66 ------------------------
 2 files changed, 67 deletions(-)

---

Andrew, is this vulnerability fixed by the versions now in tree?

---

(In reply to John Helmert III from comment #3)
> Andrew, is this vulnerability fixed by the versions now in tree?

It does according to repology: https://repology.org/project/python:scikit-learn/cves

---

Repology uses CVE data to handle that, and the CVE data isn't necessarily always trustable. Upstream didn't seem to have any interest in patching it, so let's assume the vulnerability is still present unless there's patches upstream.

---

Package list is empty or all packages have requested keywords.

---

A patch was merged upstream: https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85

Patch made it into 1.1.0, and the Gentoo version with the fix is 1.1.1.

---

Needs stabilization

---

Please cleanup

---

Cleanup done. Thanks!

---

GLSA request filed

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=76634ca5c9e2fcfb011091d419529327c0e9c948

commit 76634ca5c9e2fcfb011091d419529327c0e9c948
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:16:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:04 +0000

    [ GLSA 202301-03 ] scikit-learn: Denial of Service

    Bug: https://bugs.gentoo.org/758323
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

---

GLSA released, all done!