From 8f196206f074ea112cb3bef01b606895f68ef6e0 Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:03 -0700 Subject: [PATCH 1/6] update --- .../Dockerfile.ec2.cpu.os_scan_allowlist.json | 498 +++++++++++++++++- 1 file changed, 497 insertions(+), 1 deletion(-) diff --git a/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.os_scan_allowlist.json b/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.os_scan_allowlist.json index 9e26dfeeb6e6..e96ba8c8404e 100644 --- a/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.os_scan_allowlist.json +++ b/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.os_scan_allowlist.json @@ -1 +1,497 @@ -{} \ No newline at end of file +{ + "linux": [ + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42094", + "name": "CVE-2024-42094", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42094.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42094 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object \"intf\". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object \"intf\". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree.", + "vulnerability_id": "CVE-2024-39495", + "name": "CVE-2024-39495", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39495.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39495 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", + "vulnerability_id": "CVE-2024-42228", + "name": "CVE-2024-42228", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.0, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.0, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42228.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42228 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "A out-of-bound vulnerability is found in the jfs subsystem. When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. This may lead to system crash.", + "vulnerability_id": "CVE-2024-40902", + "name": "CVE-2024-40902", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-40902.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-40902 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.", + "vulnerability_id": "CVE-2024-41049", + "name": "CVE-2024-41049", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41049.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41049 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc9000", + "vulnerability_id": "CVE-2024-41087", + "name": "CVE-2024-41087", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41087.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41087 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", + "vulnerability_id": "CVE-2022-48791", + "name": "CVE-2022-48791", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-48791.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2022-48791 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis.", + "vulnerability_id": "CVE-2024-42104", + "name": "CVE-2024-42104", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42104.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42104 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur.", + "vulnerability_id": "CVE-2024-36978", + "name": "CVE-2024-36978", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-36978.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-36978 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "vulnerability_id": "CVE-2024-42160", + "name": "CVE-2024-42160", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42160.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42160 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 d", + "vulnerability_id": "CVE-2024-39487", + "name": "CVE-2024-39487", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.1, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.1, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39487.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39487 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", + "vulnerability_id": "CVE-2024-42154", + "name": "CVE-2024-42154", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 9.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 9.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "CRITICAL", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42154.html", + "source": "UBUNTU_CVE", + "severity": "CRITICAL", + "status": "ACTIVE", + "title": "CVE-2024-42154 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times.", + "vulnerability_id": "CVE-2024-41046", + "name": "CVE-2024-41046", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41046.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41046 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42093", + "name": "CVE-2024-42093", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42093.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42093 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", + "vulnerability_id": "CVE-2024-38570", + "name": "CVE-2024-38570", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-38570.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-38570 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only.", + "vulnerability_id": "CVE-2024-42224", + "name": "CVE-2024-42224", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42224.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42224 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", + "vulnerability_id": "CVE-2024-39494", + "name": "CVE-2024-39494", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39494.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39494 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + } + ] +} \ No newline at end of file From cdcb2d4cb26532af20628ff0051a184dd06592d4 Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:04 -0700 Subject: [PATCH 2/6] update --- .../docker/2.2/py3/Dockerfile.ec2.cpu.py_scan_allowlist.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.py_scan_allowlist.json b/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.py_scan_allowlist.json index 5cfe76d01596..add10535d17f 100644 --- a/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.py_scan_allowlist.json +++ b/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.py_scan_allowlist.json @@ -1,3 +1,4 @@ { - "70612": "[Package: jinja2] Conflicts for: jinja2" + "70612": "[Package: jinja2] Conflicts for: jinja2", + "71670": "[Package: torch] Conflicts for: torch" } \ No newline at end of file From 7921accba5f6e345bc47bf7845ce0e0e2052e18f Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:05 -0700 Subject: [PATCH 3/6] update --- .../Dockerfile.ec2.cpu.overall_history.txt | 83 ++++++++++++------- 1 file changed, 51 insertions(+), 32 deletions(-) diff --git a/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.overall_history.txt b/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.overall_history.txt index a44b1e4f368f..a9d6d35b0f9b 100644 --- a/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.overall_history.txt +++ b/pytorch/inference/docker/2.2/py3/Dockerfile.ec2.cpu.overall_history.txt @@ -1,33 +1,52 @@ -#### First image: sha256:fd111a41c84f7d55fa48d86dd375a3b30359af6fdd59d5e67a3d5f2a8375866f #### -#### Patch contents for patch-1: sha256:e3ccdbde388081e518c98fe046767709caef39fc6d1b905841c9b2909a799e0d #### -pip install cryptography==42.0.5 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils libbinutils libctf-nobfd0 libctf0 libtiff5 libuv1 libxml2 linux-libc-dev login openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre passwd -#### Patch contents for patch-2: sha256:e40fffca30e7706a7e534656cb6c5d63c819a15bcc26376f8f7735838b52607d #### -pip install cryptography==42.0.5 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils libbinutils libctf-nobfd0 libctf0 libssl-dev libssl1.1 libtiff5 libuv1 libxml2 linux-libc-dev login openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd vim-common vim-runtime vim xxd -#### Patch contents for patch-3: sha256:3658bf5e554dca671dd8be86ec6c671c1a255c134e54126fc9c43c04a875015c #### -pip install cryptography==42.0.5 pillow==10.3.0 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libmount1 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-4: sha256:3b717ab693d6ef7144a989251ffd2e864a868df0fc20f62b9ce9fcd10c5a975e #### -pip install cryptography==42.0.5 pillow==10.3.0 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libmount1 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-5: sha256:ce6bd0ca43840d32cfb11614619768ef233d60e6a9b8e073b0119fb2d8be8506 #### -pip install cryptography==42.0.5 idna==3.7 pillow==10.3.0 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libgnutls30 libmount1 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-6: sha256:9bfbfe716b52b38fef614b4b31c5602290a3c7eab6978f949a7d6b1c329b58cd #### -pip install cryptography==42.0.5 idna==3.7 pillow==10.3.0 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-7: sha256:997263dc4126047c30c3216714319228e3f7790073754479c095de7f7c9b7958 #### -pip install cryptography==42.0.7 idna==3.7 pillow==10.3.0 tqdm==4.66.4 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-8: sha256:75ec3c842c56487a6e39486035d653deaa4292e18efc13c0b455481426475b5e #### -pip install cryptography==42.0.7 idna==3.7 pillow==10.3.0 tqdm==4.66.4 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd +#### First image: sha256:98fe388ff73211b6c919276e83c9ab963f0306dd46059d69e1360e74d87e0385 #### +#### Patch contents for patch-1: sha256:bf8537a8203da85483917f6c48d9942195272fcf79ae4c8353d813c8fb37b6dd #### +pip install requests==2.32.3 +apt-get update && apt-get install -y --only-upgrade git-man git +#### Patch contents for patch-2: sha256:8192c5daa3b463e1b8fa2539e0c627d306ccdcd0c40a15f449df27d72c4bd2ad #### +pip install requests==2.32.3 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 +#### Patch contents for patch-3: sha256:4c28586ed533ec9bbec5fe666223c6bcac5e581bc0fc99b864093f41544fe37c #### +pip install requests==2.32.3 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-4: sha256:8993bc18daf73bf7a34c7899d970df5aec500df8c81d74b35fc6be342fee7bda #### +pip install requests==2.32.3 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-5: sha256:a66d908fd22b5c306b8d23a9d62b62ee99f5a99688db727e6d88484d9a9789a3 #### +pip install requests==2.32.3 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-6: sha256:9df16ec827e805c5db7459898b0e0d89b57a0721e7ad95a6709dfa676a8fd4b7 #### +pip install requests==2.32.3 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-7: sha256:2e3818d5709286bb151db48f85bda03bcd9cf00bde0056d5cb36094f88013532 #### +pip install cryptography==42.0.8 requests==2.32.3 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-8: sha256:456abb59e79e64b9d89fb84997e10d7969ee41c57bb5b05a9c4c58efd70bfa9e #### +pip install cryptography==42.0.8 requests==2.32.3 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-9: sha256:62e12df254d8c37fc8c73b3b7a3b37cd1c820f9afd134fe83ce69772d94502be #### +pip install cryptography==42.0.8 requests==2.32.3 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-10: sha256:a933f893a32647bdaf375044166f24873c206614207839d46f5e37976cd53201 #### +pip install cryptography==42.0.8 requests==2.32.3 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-11: sha256:c7755e1620c997d9b0705a3761ec44b87aad963157190c3e73cbe9572ef0cff3 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-12: sha256:6d0adca63a38dadd340c9de25557d38a1e7b39a8e812aac9fead6c089de836dd #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-13: sha256:de0b81d2d146b3a4b1c8658ed066269ffbdff0b31a9436befd1a50930953c6c3 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==71.0.4 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libgtk-3-0 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-14: sha256:4c1d4dbc7141be9d78915b7d2329bf20d602edce256576fc8051354a09054193 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==71.1.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libgtk-3-0 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-15: sha256:cc86bea8c1565bee04dcc7ba428d28abb658cbdc4aba89ffc224bcebda01f9c8 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==71.1.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git imagemagick-6-common libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-16: sha256:bf7e93932387fedacf7e0e2617ce56bdeb0467b84ff8150fab1a322d74bc5e59 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==72.1.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade curl git-man git imagemagick-6-common libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libgdk-pixbuf2.0-0 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libssl1.1 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget #### Current Patch contents #### -pip install cryptography==42.0.7 idna==3.7 pillow==10.3.0 tqdm==4.66.4 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd +pip install certifi==2024.8.30 cryptography==42.0.8 requests==2.32.3 setuptools==74.0.0 urllib3==1.26.20 +apt-get update && apt-get install -y --only-upgrade curl git-man git imagemagick-6-common libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libgdk-pixbuf2.0-0 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libssl1.1 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget From 6c4f866698ff721bee77aee95126a7141f22c576 Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:06 -0700 Subject: [PATCH 4/6] update --- .../Dockerfile.ec2.gpu.os_scan_allowlist.json | 498 +++++++++++++++++- 1 file changed, 497 insertions(+), 1 deletion(-) diff --git a/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.os_scan_allowlist.json b/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.os_scan_allowlist.json index 9e26dfeeb6e6..e078d1e33cde 100644 --- a/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.os_scan_allowlist.json +++ b/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.os_scan_allowlist.json @@ -1 +1,497 @@ -{} \ No newline at end of file +{ + "linux": [ + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only.", + "vulnerability_id": "CVE-2024-42224", + "name": "CVE-2024-42224", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42224.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42224 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "A out-of-bound vulnerability is found in the jfs subsystem. When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. This may lead to system crash.", + "vulnerability_id": "CVE-2024-40902", + "name": "CVE-2024-40902", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-40902.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-40902 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times.", + "vulnerability_id": "CVE-2024-41046", + "name": "CVE-2024-41046", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41046.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41046 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.", + "vulnerability_id": "CVE-2024-41049", + "name": "CVE-2024-41049", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41049.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41049 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", + "vulnerability_id": "CVE-2024-38570", + "name": "CVE-2024-38570", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-38570.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-38570 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "vulnerability_id": "CVE-2024-42160", + "name": "CVE-2024-42160", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42160.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42160 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", + "vulnerability_id": "CVE-2024-42154", + "name": "CVE-2024-42154", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 9.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 9.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "CRITICAL", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42154.html", + "source": "UBUNTU_CVE", + "severity": "CRITICAL", + "status": "ACTIVE", + "title": "CVE-2024-42154 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur.", + "vulnerability_id": "CVE-2024-36978", + "name": "CVE-2024-36978", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-36978.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-36978 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", + "vulnerability_id": "CVE-2024-42228", + "name": "CVE-2024-42228", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.0, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.0, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42228.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42228 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42093", + "name": "CVE-2024-42093", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42093.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42093 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", + "vulnerability_id": "CVE-2024-39494", + "name": "CVE-2024-39494", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39494.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39494 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42094", + "name": "CVE-2024-42094", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42094.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42094 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc9000", + "vulnerability_id": "CVE-2024-41087", + "name": "CVE-2024-41087", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41087.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41087 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", + "vulnerability_id": "CVE-2022-48791", + "name": "CVE-2022-48791", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-48791.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2022-48791 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 d", + "vulnerability_id": "CVE-2024-39487", + "name": "CVE-2024-39487", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.1, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.1, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39487.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39487 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis.", + "vulnerability_id": "CVE-2024-42104", + "name": "CVE-2024-42104", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42104.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42104 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object \"intf\". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object \"intf\". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree.", + "vulnerability_id": "CVE-2024-39495", + "name": "CVE-2024-39495", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39495.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39495 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + } + ] +} \ No newline at end of file From 2333bc03b1bb90c9711398f93531fdc8b10ee3f8 Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:07 -0700 Subject: [PATCH 5/6] update --- .../2.2/py3/cu118/Dockerfile.ec2.gpu.py_scan_allowlist.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.py_scan_allowlist.json b/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.py_scan_allowlist.json index 5cfe76d01596..add10535d17f 100644 --- a/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.py_scan_allowlist.json +++ b/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.py_scan_allowlist.json @@ -1,3 +1,4 @@ { - "70612": "[Package: jinja2] Conflicts for: jinja2" + "70612": "[Package: jinja2] Conflicts for: jinja2", + "71670": "[Package: torch] Conflicts for: torch" } \ No newline at end of file From a5763c9dc01d69da5b93b5b963fc730603c55357 Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:08 -0700 Subject: [PATCH 6/6] update --- .../Dockerfile.ec2.gpu.overall_history.txt | 83 ++++++++++++------- 1 file changed, 51 insertions(+), 32 deletions(-) diff --git a/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.overall_history.txt b/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.overall_history.txt index 7aad69eb7af1..cf2faed8b508 100644 --- a/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.overall_history.txt +++ b/pytorch/inference/docker/2.2/py3/cu118/Dockerfile.ec2.gpu.overall_history.txt @@ -1,33 +1,52 @@ -#### First image: sha256:bcbe331af1263f98b2bebc717cf04d4137a2e23ab7e44eba3396dd9b337b8449 #### -#### Patch contents for patch-1: sha256:bd08ca573ae96678e1ce5e9d04300b2f61d5d73204def67d58c807ea9350d9fe #### -pip install cryptography==42.0.5 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils libbinutils libctf-nobfd0 libctf0 libtiff5 libuv1 libxml2 linux-libc-dev login openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre passwd -#### Patch contents for patch-2: sha256:b8a88a6e206fcedc2500ca8e74ea747e3fcf9067b87db2c832aa147a5e6705e7 #### -pip install cryptography==42.0.5 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils libbinutils libctf-nobfd0 libctf0 libssl-dev libssl1.1 libtiff5 libuv1 libxml2 linux-libc-dev login openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd vim-common vim-runtime vim xxd -#### Patch contents for patch-3: sha256:c3c07b338b557756effe2240dc6ae323bac7276a9230fa09e9e1786d8753cdab #### -pip install cryptography==42.0.5 pillow==10.3.0 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libmount1 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-4: sha256:86d690cc0761e94712ccbff2f7c305f649c9ea10c6479adddcc922355eab38f8 #### -pip install cryptography==42.0.5 pillow==10.3.0 -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libmount1 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-5: sha256:4608a5de21268f40cab7006564c6d5ab03c74ffd2f11f162a963f5ba6412bb53 #### -pip install cryptography==42.0.5 idna==3.7 pillow==10.3.0 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libgnutls30 libmount1 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-6: sha256:f6200e8ddbaaacdeff40f1c1bb314867c6cafb5973d7782ad9f42d740fbf49da #### -pip install cryptography==42.0.5 idna==3.7 pillow==10.3.0 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-7: sha256:d0f2516aaf8c5b39dfa0e98f171ee09382ab8a59d60f35c3a263b6aa41874aff #### -pip install cryptography==42.0.7 idna==3.7 pillow==10.3.0 tqdm==4.66.4 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd -#### Patch contents for patch-8: sha256:00867ad6f1544523db26c5c4c8a1137fd4a21d93611fa9a155c60d517cdafa78 #### -pip install cryptography==42.0.7 idna==3.7 pillow==10.3.0 tqdm==4.66.4 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd +#### First image: sha256:520ea041337ebb950815c41a45cbf54addb61ad1613c9d75bd6be0852a410b41 #### +#### Patch contents for patch-1: sha256:25c18ec596c5b73be0c62c847c61a192c130eddf8a5155e083cd7f8e42eaf508 #### +pip install requests==2.32.3 triton==2.2.0 +apt-get update && apt-get install -y --only-upgrade git-man git +#### Patch contents for patch-2: sha256:94fc06ea4022fe35d5cf09063fcc6ee948fdcebcd219b313753a0932fb062eda #### +pip install requests==2.32.3 triton==2.2.0 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 +#### Patch contents for patch-3: sha256:c235e92b88d28e599c40081606d229633417bda0e6b4344fa21527e69aac0aeb #### +pip install requests==2.32.3 triton==2.2.0 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-4: sha256:1f6dba464cbdb4e684c126880c6bd4213984d62d5e4136d318e14e9ab1c34c28 #### +pip install requests==2.32.3 triton==2.2.0 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-5: sha256:9af6548fd757e708589bd4e5fda5d31437598a46b9886607550dbee02a33d53e #### +pip install requests==2.32.3 triton==2.2.0 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-6: sha256:0392eb08f9dbef4c080eb5a0f61bc0ef305e2d21307624be9466ae04d6cd8e5b #### +pip install requests==2.32.3 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-7: sha256:af5de9a9763f60870f0d0dc54d81816968adf04170f61ae5e4cdd05f4767ddd7 #### +pip install cryptography==42.0.8 requests==2.32.3 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre +#### Patch contents for patch-8: sha256:ea98b4e944c78114606e8d47c0cadc0e39fb98bf44bec2dff930b8d353e2659e #### +pip install cryptography==42.0.8 requests==2.32.3 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-9: sha256:21fcb89c94af1d831746dcdfca5a80973bf3f7567e6e0cd7b0f5444092d87b5b #### +pip install cryptography==42.0.8 requests==2.32.3 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-10: sha256:b8c7a0b4e5a47dc4d35eafce1a97fa80ddc447d4303f0f46128e2b98bed6a1d3 #### +pip install cryptography==42.0.8 requests==2.32.3 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-11: sha256:5ebb0b1304a5946f10883679f3dbfd48593d754a21fba6751690884822b1d806 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre wget +#### Patch contents for patch-12: sha256:1b5aecc538c70292e112026f2a973e7221ee97b45921e446b31a1df041c13702 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libpython3.8-dev libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre python3.8-dev python3.8-minimal python3.8 wget +#### Patch contents for patch-13: sha256:db143d22036963fd0a36a2de8ffb861feaaf09a2e83aa1fb1ac9ed05844b8a99 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==71.0.4 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libgtk-3-0 libpython3.8-dev libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre python3.8-dev python3.8-minimal python3.8 wget +#### Patch contents for patch-14: sha256:e9154688c9e30ba3799d2c9135c7b7c4e5706346bdf7d6a39646cd2bf8491035 #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==71.1.0 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libgtk-3-0 libpython3.8-dev libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre python3.8-dev python3.8-minimal python3.8 wget +#### Patch contents for patch-15: sha256:b24507aaa09e9f4c70bd5e7edb8fce9e7ce8d7d23aca1dbb0c9da82967260e1d #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==71.1.0 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade git-man git imagemagick-6-common libc-bin libc-dev-bin libc6-dev libc6 libcups2 libgdk-pixbuf2.0-0 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libpython3.8-dev libpython3.8-minimal libpython3.8-stdlib libpython3.8 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre python3.8-dev python3.8-minimal python3.8 wget +#### Patch contents for patch-16: sha256:c03aa15fa8156672c8a28633aad2fb568f0d10d7ab0b5ff023a75940371a1d5e #### +pip install certifi==2024.7.4 cryptography==42.0.8 requests==2.32.3 setuptools==72.1.0 triton==2.2.0 urllib3==1.26.19 +apt-get update && apt-get install -y --only-upgrade curl git-man git imagemagick-6-common libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libgdk-pixbuf2.0-0 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libpython3.8-dev libpython3.8-minimal libpython3.8-stdlib libpython3.8 libssl1.1 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre python3.8-dev python3.8-minimal python3.8 wget #### Current Patch contents #### -pip install cryptography==42.0.7 idna==3.7 pillow==10.3.0 tqdm==4.66.4 -python -m pip install --upgrade pip -apt-get update && apt-get install -y --only-upgrade binutils-common binutils-x86-64-linux-gnu binutils bsdutils curl fdisk libbinutils libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libfdisk1 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libnss3 libsmartcols1 libssl-dev libssl1.1 libtiff5 libuuid1 libuv1 libxml2 linux-libc-dev login mount openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre openssl passwd util-linux vim-common vim-runtime vim xxd +pip install certifi==2024.8.30 cryptography==42.0.8 requests==2.32.3 setuptools==74.0.0 triton==2.2.0 urllib3==1.26.20 +apt-get update && apt-get install -y --only-upgrade curl git-man git imagemagick-6-common libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4-openssl-dev libcurl4 libgdk-pixbuf2.0-0 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libpython3.8-dev libpython3.8-minimal libpython3.8-stdlib libpython3.8 libssl1.1 libtiff5 linux-libc-dev openjdk-17-jdk-headless openjdk-17-jdk openjdk-17-jre-headless openjdk-17-jre python3.8-dev python3.8-minimal python3.8 wget