CVE-2021-32640

Advisory

Determined 0.16.0rc0 updates its dependency 'ws' to v7.4.6 to patch a security vulnerability.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

d5145feb docs: Release notes for 0.15.6. (2493)
068bb33f fix: prevent zoom reset if chart is already zoomed [DET-5514] (2525)
3f44c83f fix: stop parsing notebook config on every edit [DET-5605] (2528)
03b28bef chore: fix client for new password handling (2546)
fe05b0b0 chore: avoid defaulting to filter by current user [DET-5602] (2540)
1e945afb feat: expose a default Determined in det.experimental.client (2532)
76230f83 chore: remove swagger-generated python code (2541)
c7ac21d6 fix: password handling in python sdk. (2543)
56dd19d4 feat: pull tensorboard images from experiment configs (2544)
48ceaf2a fix: fix hparam string representation failure [DET-5616] (2539)
8dfa0888 feat: pull tensorboard images from experiment configs (2534)
0ebeba33 chore: fix dropped cert argument in Authentication (2542)
d0adc51c feat: multimaster Authentication objects [DET-5308] (2531)
f1c9b1f4 feat: bump JupyterLab to 3.0.16 [DET-4872] (2526)
12a8cae4 chore: bump default environment CPU and GPU images to tf-2.4 (2523)
caf61c97 docs: add release notes for profiling features [DET-5351] (2535)
deb4cbf4 chore: initialize cli_cert in e2e tests (2530)
81eefc75 chore: bump transformers version for model-hub (2522)
e9f5947e fix: add init_invalid_hp to master [DET-5569] (2478)
ccdcaa8b chore: allow non-singleton Authentication (2513)
0a887e9d fix: trial profiling system metric chart ignoring zero [DET-5505] (2515)
0d9a5401 fix: allow bumpenvs to update nvcr images in helm charts (2520)
ec89928b feat: provide tensorflow 2.5 image [DET-5522] (2517)
55c3353f docs: recommend users upgrade to 0.16.0 to avoid k8s master crashes (2518)
a2f6fc26 chore: improved pynvml usage by profiler [DET-5394] (2487)
a06d3a2e chore: minor edits to cli behaviors (2519)
23160572 fix: add back bindmounts entry to command's default config (2521)
3d34e1c9 fix: notebook modal improvements [DET-5599] (2511)
6db82632 feat: add experiment notes & name [DET-5352] (2307)
17976404 chore: update urllib3 (2504)
49aec0db feat: support back-filling in the priority scheduler [DET-5397] (2436)
aec1074b chore: handle error when loading notebook config (2512)
09fca004 feat: add bind mounts to task container defaults [DET-5362] (2516)
4068fde9 chore: collect prometheus metrics (2501)
ed896c77 fix: python api create experiment bug (2510)
0c9ec27e fix: avoid rc dev release mismatch notifications (2405)
4fd33262 chore: task list filters [DET-5390] (2466)
1f49553e test: add e2e tests for profiling features [DET-5245] (2481)
ec9932df chore: upgrade ws to patch security vulnerability (2505)
3857f945 chore: add experiment name to breadcrumb on trial detail page [DET-5284] (2318)
87b1e598 docs: add release note for printable config (2507)
212aa936 chore: disable profiling after restart [DET-5424] (2486)
24432fe1 docs: add profiling how-to [DET-5209] (2384)
2b04bf0c chore: fix TrialsSnapshotResponse comment typo (2492)
1ca42b44 chore: fix TF version detection and RNG usage in test (2500)
106294a6 chore: migrate away from spot checks and move towards waiting for an expected case (2495)
eecc4461 fix: generating printable master config does not alter original (2502)
bf9b3ac1 fix: observability webui fixes [DET-5567][DET-5246][DET-5506][DET-5531][DET-5530][DET-5571] (2488)
5b73278f chore: improve profiler throughput collectors (2490)
55b122ea chore: remove native init() functions [DET-5574] (2480)
6ac0268d chore: add testing for `eventually` schema [DET-5560] (2467)
6f86594e chore: remove trial old messages and consolidate others (2464)
bae9c2d5 chore: fix some semi-broken unit tests (2483)
3f9f2daa fix: ship gpu_free_memory correctly [DET-5508] (2497)
0dae8015 chore: add non-streaming APIs for trial profiler endpoints (2484)
0b0e9ca8 chore: update eslint-no-unused-vars to handle special cases (2496)
d81f8ade fix: notebook modal bugs [DET-5573] (2476)
8ee598d8 chore: improve performance of tfevent file filtering (2469)
341fb4fa chore: trim unused parts of rendezvous info (2381)
ba07a04e chore: promote profiler APIs out of unimplemented (2485) [DET-5587]
3f532898 fix: send all batches from harness profiler [DET-5566] (2473)
c5201873 chore: deprecate det.experimental.create_trial_instance() (2479)
b0f57d69 fix: ProfilingAgent serializing timestamps incorrectly (2482)
6a673830 fix: propagate slots when it is 0 (2477)
4b97010a chore: measure profiler timings with time.time() (2475)
2e38dfab chore: reword README for schemas (2474)
3d6e73db fix: show x axis label on all plots [DET-5500] (2471)
2e83f225 fix: make tf estimator dtrain work with tf 2.5 [DET-5563, DET-3762] (2468)
f893eeef fix: timing metric chart x-axis tick off [DET-5501] (2472)
aa8d4427 chore: log running of migrations (2463)
36139a1d docs: add instructions to use dtrain workflow for inference with PyTorch (2386)
66c64521 feat: hook ProfilerAgent into harness and add profiler timings [DET-5062, DET-5204] (2348)
c52c6165 chore: move run increment to allocation not termination [DET-5559, DET-5450] (2462)
feac8cf7 feat: add launch notebook modal [DET-5376] [DET-5377] [DET-5380] [DET-5378] [DET-5379] [DET-5375] (2398)
7c178564 chore: catch ruamel.yaml Duplicate Key Errors and format for users [DET-5542] (2450)
2584c5b8 chore: rem to px [DET-5327] (2433)
ddf8693d fix: allow custom registries with determined env images [DET-5556] (2465)
8c1d0a99 fix: cleanup iter(DataLoader) before exiting [DET-5558] [DET-5554] (2459)
2c3bfa38 fix: use user preferences when no search params are present (2460)
80f4375b chore: disable dashboard recent tasks tests temporarily (2461)
7f1c61d1 feat: `det deploy --image-repo-prefix` for pulling images from a custom docker repo (2454)
a5170400 fix: synchronize pods actor startup in k8s resource manager [DET-5536] (2453)
ea4566f1 fix: update Buf image and CLI usage (2455)
80920725 chore: bump buf and protoc version [DET-5534] (2446)
92bf2c63 fix: prevent concurrent updates to a single expconf object [DET-5543] (2451)
ea66301a revert added example model (tf classification) (2452)
71a35025 fix: prevent spot resource pool contention [DET-5349] (2423)
8def1560 cli: small rewording in shell help (2448)
bac39242 ci: regen buf image with buf 0.12.1 (2447) [DET-5534]
193ac654 docs: fix broken links (2439)
da7fe34c fix: introduce LegacyConfig for tensorboard and checkpoint gc [DET-5533] (2444)
a9f0fe87 fix: omit internal fields in previewed notebook [DET-5523] (2434)
a690381a fix: allow EOL searchers in configs only [DET-5526] (2445)



Docker images

- `docker pull determinedai/determined-master:0.16.0`
- `docker pull determinedai/determined-master:f5a590b8`
- `docker pull determinedai/determined-master:f5a590b8e8b0f589f8086111c93a42f92760041c`
- `docker pull determinedai/determined-dev:determined-master-f5a590b8`
- `docker pull determinedai/determined-dev:determined-master-f5a590b8e8b0f589f8086111c93a42f92760041c`
- `docker pull nvcr.io/isv-ngc-partner/determined/determined-master:0.16.0`
- `docker pull nvcr.io/isv-ngc-partner/determined/determined-master:f5a590b8`
- `docker pull nvcr.io/isv-ngc-partner/determined/determined-master:f5a590b8e8b0f589f8086111c93a42f92760041c`

Resources

• https://pypi.org/project/determined
• https://pyup.io/changelogs/determined/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32640