PyPi: Composer

CVE-2021-33503

Transitive

Safety vulnerability ID: 53696

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 29, 2021. Updated at Nov 14, 2024.

Advisory

Composer 0.13.0 updates its 'urllib3' dependency requirement to '>=1.26.5,<2' in the Dockerfile to include a security fix.
https://github.com/mosaicml/composer/pull/2007

Affected package

composer

Latest version: 0.27.0

Composer is a PyTorch library that enables you to train neural networks faster, at lower cost, and to higher accuracy.

Affected versions

Fixed versions

Vulnerability changelog

**This release has been yanked due to a minor packaging issue, please skip directly to Composer v0.13.1**

What's Changed
* Raise error if max duration is in epochs and dataloader is infinite by dakinggg in https://github.com/mosaicml/composer/pull/1942
* Bump traitlets from 5.8.0 to 5.9.0 by dependabot in https://github.com/mosaicml/composer/pull/1946
* Deprecate HFCrossEntropy and Perplexity by dakinggg in https://github.com/mosaicml/composer/pull/1857
* Change functional surgery method return values to None by nik-mosaic in https://github.com/mosaicml/composer/pull/1543
* Retire Jenkins by bandish-shah in https://github.com/mosaicml/composer/pull/1943
* Update MCP GHA Name by mvpatel2000 in https://github.com/mosaicml/composer/pull/1951
* update memory monitor by mvpatel2000 in https://github.com/mosaicml/composer/pull/1940
* Move ffcv up in test order by dskhudia in https://github.com/mosaicml/composer/pull/1953
* Fix memory monitor test by mvpatel2000 in https://github.com/mosaicml/composer/pull/1957
* Fix model surgery failure due to functional API change by nik-mosaic in https://github.com/mosaicml/composer/pull/1949
* Change how we check for forwards args in models for HF models by bcui19 in https://github.com/mosaicml/composer/pull/1955
* add return dict false test and bug fix by dakinggg in https://github.com/mosaicml/composer/pull/1948
* remove jenkins ci by mvpatel2000 in https://github.com/mosaicml/composer/pull/1954
* add support for enc-dec batches without decoder_input_ids by dakinggg in https://github.com/mosaicml/composer/pull/1950
* Refactor EMA to improve memory efficiency by coryMosaicML in https://github.com/mosaicml/composer/pull/1941
* Add warning for untrusted checkpoints by mvpatel2000 in https://github.com/mosaicml/composer/pull/1959
* permit opt tokenizer by bmosaicml in https://github.com/mosaicml/composer/pull/1958
* GHA Docker build flow for PR's by bandish-shah in https://github.com/mosaicml/composer/pull/1883
* Update download badge link to pepy by karan6181 in https://github.com/mosaicml/composer/pull/1966
* Update python version in setup.py and fixed pypi download badge by karan6181 in https://github.com/mosaicml/composer/pull/1969
* allow eval metrics to be passed in to HuggingFaceModel directly by dakinggg in https://github.com/mosaicml/composer/pull/1971
* Make wandb checkpoint logging compatible with wandb model registry by growlix in https://github.com/mosaicml/composer/pull/1973
* Add support for FP8 on H100 using NVidia's TransformerEngine by dskhudia in https://github.com/mosaicml/composer/pull/1965
* Util for writing HuggingFace save_pretrained from a composer checkpoint by dakinggg in https://github.com/mosaicml/composer/pull/1974
* Enable sharded checkpoint save and load (support local, sharded, and full state dicts for FSDP) by eracah in https://github.com/mosaicml/composer/pull/1902
* Bump custom-inherit from 2.4.0 to 2.4.1 by dependabot in https://github.com/mosaicml/composer/pull/1981
* Bump gitpython from 3.1.30 to 3.1.31 by dependabot in https://github.com/mosaicml/composer/pull/1982
* Fix ICL race conditions by dakinggg in https://github.com/mosaicml/composer/pull/1978
* add map location to huggingface utils by dakinggg in https://github.com/mosaicml/composer/pull/1980
* fix log epoch by mvpatel2000 in https://github.com/mosaicml/composer/pull/1986
* GHA release workflow, refactor PR and Daily workflows by bandish-shah in https://github.com/mosaicml/composer/pull/1968
* Remove python-version input from Daily CPU tests by bandish-shah in https://github.com/mosaicml/composer/pull/1989
* Add some logic to pass the correct github ref to mcp script by bandish-shah in https://github.com/mosaicml/composer/pull/1990
* Fix typo in docstring for eval with missing space by mvpatel2000 in https://github.com/mosaicml/composer/pull/1992
* Fix failing sharded_checkpoint tests that fail when pytorch 1.13 is not installed by eracah in https://github.com/mosaicml/composer/pull/1988
* Add merge_group event trigger to GHA daily workflow by bandish-shah in https://github.com/mosaicml/composer/pull/1996
* Runtime estimator by mvpatel2000 in https://github.com/mosaicml/composer/pull/1991
* Reset scaler state by mvpatel2000 in https://github.com/mosaicml/composer/pull/1999
* Speed monitor refactor by mvpatel2000 in https://github.com/mosaicml/composer/pull/1987
* Test hf fsdp by dakinggg in https://github.com/mosaicml/composer/pull/1972
* Bug/sync optimization logger across ranks by bmosaicml in https://github.com/mosaicml/composer/pull/1970
* Fix optimizer monitor test gating with FSDP by mvpatel2000 in https://github.com/mosaicml/composer/pull/2000
* Low precision groupnorm by mvpatel2000 in https://github.com/mosaicml/composer/pull/1976
* Bump coverage[toml] from 7.1.0 to 7.2.1 by dependabot in https://github.com/mosaicml/composer/pull/2008
* Update docs to include runtime estimator by mvpatel2000 in https://github.com/mosaicml/composer/pull/2009
* Tag surgery algorithms LPLN and LPGN by mvpatel2000 in https://github.com/mosaicml/composer/pull/2011
* Update SpeedMonitor short-description for docs table by mvpatel2000 in https://github.com/mosaicml/composer/pull/2010
* Update Low Precision LayerNorm arguments by nik-mosaic in https://github.com/mosaicml/composer/pull/1994
* Medical Segmentation Example Typo by mvpatel2000 in https://github.com/mosaicml/composer/pull/2014
* Update wallclock logging to default hours by mvpatel2000 in https://github.com/mosaicml/composer/pull/2005
* Add HealthChecker Callback by hanlint in https://github.com/mosaicml/composer/pull/2002
* Allow FX graph mode post-training dynamic quantisation of BlurConv2d operations. by BrettRyland in https://github.com/mosaicml/composer/pull/1995
* Add multi-gpu testing to test_algorithm_resumption by eracah in https://github.com/mosaicml/composer/pull/2016
* Add backwards compatible checkpoint loading for EMA by coryMosaicML in https://github.com/mosaicml/composer/pull/2012
* fsdp with custom process groups by vchiley in https://github.com/mosaicml/composer/pull/2006
* Patch Speed Monitor MFU by mvpatel2000 in https://github.com/mosaicml/composer/pull/2013
* Remove runtime estimator state dict by mvpatel2000 in https://github.com/mosaicml/composer/pull/2015
* Update Docker images to fix resolve vulnerability scan issues by bandish-shah in https://github.com/mosaicml/composer/pull/2007
* Change Deprecation Warnings to Warnings for specifying ProgressBarLogger and ConsoleLogger to loggers by eracah in https://github.com/mosaicml/composer/pull/1846
* Fix eval duplicate logging issue by mvpatel2000 in https://github.com/mosaicml/composer/pull/2018
* Add workflow_dispatch trigger to pr-docker workflow by bandish-shah in https://github.com/mosaicml/composer/pull/2019
* Bump streaming version to less than 0.4.0 by karan6181 in https://github.com/mosaicml/composer/pull/2020
* Upgrade ipython installed in Docker images by bandish-shah in https://github.com/mosaicml/composer/pull/2021
* Upgrade torchmetrics by nik-mosaic in https://github.com/mosaicml/composer/pull/2017
* Complete upgrade of torchmetrics accuracy by nik-mosaic in https://github.com/mosaicml/composer/pull/2025
* Bump version to v0.13.0 by bandish-shah in https://github.com/mosaicml/composer/pull/2024

New Contributors
* BrettRyland made their first contribution in https://github.com/mosaicml/composer/pull/1995

**Full Changelog**: https://github.com/mosaicml/composer/compare/v0.12.1...v0.13.0


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL