-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolved CVEs #206
base: habana-main
Are you sure you want to change the base?
Resolved CVEs #206
Conversation
Hello, could you remind why libssl1.1 is needed and why openssl/libssl3 can't be used? thanks, |
Thank you for your question. I removed libssl1.1 due to some critical CVEs it introduced. Unfortunately, I’m unsure why libssl1.1 was initially included, especially since libssl3 comes out of the box with Ubuntu 22.04. |
I simply copy-pasted it from TGI's Dockerfile. It's not necessary, no reason to keep it 👍 |
opentelemetry-proto==1.15.0 ; python_version >= "3.9" and python_version < "3.13" | ||
opentelemetry-sdk==1.15.0 ; python_version >= "3.9" and python_version < "3.13" | ||
opentelemetry-semantic-conventions==0.36b0 ; python_version >= "3.9" and python_version < "3.13" | ||
nvidia-cublas-cu12==12.1.3.1 ; platform_system == "Linux" and platform_machine == "x86_64" and python_version >= "3.9" and python_version < "3.13" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we need all these nvidia packages?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those changes were added after I ran make install && make update-lock && make export-requirements
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We usually manually modify the requirements generated by Poetry to remove these dependencies and a few others. Note that there is now a dependency for torch==2.4.0
, which we absolutely don't want to keep as this would erase HPU's torch.
So I think you can just remove all the new dependencies in this file and just keep the ones that are updated.
transformers==4.40.2 ; python_version >= "3.9" and python_version < "3.13" | ||
transformers[sentencepiece]==4.40.2 ; python_version >= "3.9" and python_version < "3.13" | ||
triton==3.0.0 ; platform_system == "Linux" and platform_machine == "x86_64" and python_version < "3.13" and python_version >= "3.9" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is triton pulled in from somewhere else? i dont recall we having triton support, is this also coming from nvidia?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes it should be removed too
WORKDIR /usr/src | ||
|
||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ | ||
linux-libc-dev \ | ||
openssh-client \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we need openssh-client?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ModiIntel , pls address the comments in PR
Description:
This pull request addresses several critical and high-severity vulnerabilities identified in the tgi_gaudi container based on Ubuntu 22.04. The primary focus is on updating and patching key components to resolve these security issues and ensure a more secure environment.
Key Changes:
Resolved Critical CVE in PyTorch Lightning:
Package: lightning
Vulnerability: CVE-2024-5980 (Critical)
Action: Updated lightning from version 2.2.4 to 2.3.3.
Impact: Mitigates the arbitrary file write vulnerability via the /v1/runs API endpoint.
Resolved Multiple High CVEs in OpenSSL:
Package: libssl1.1
Vulnerabilities:
CVE-2021-3449: NULL pointer dereference in signature algorithms processing.
CVE-2021-3711: SM2 Decryption Buffer Overflow.
CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates.
CVE-2022-3602: X.509 Email Address Buffer Overflow.
CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow.
CVE-2023-0286: X.400 address type confusion in X.509 GeneralName.
Action: Updated OpenSSL library from 1.1.1f-1ubuntu2.23 to 3.0.2-0ubuntu1.8.
Impact: Addresses various vulnerabilities related to SSL/TLS communications, enhancing the security of encrypted connections.
General Security Enhancements:
Updated various other packages to their latest versions to mitigate other vulnerabilities and ensure the system remains secure and stable.
Remaining Vulnerabilities:
Despite these updates, two high-severity vulnerabilities remain:
linux-libc-dev:
CVE-2024-26800: Use-after-free vulnerability on failed backlog decryption.
CVE-2024-27397: Timestamp handling issue in netfilter leading to potential denial of service.
Action: Monitoring for the release of patched versions to address these issues.
Why This Is Important:
Addressing these vulnerabilities is crucial to maintaining the security and stability of the tgi_gaudi container.
The updates prevent potential exploitation, which could lead to data breaches, unauthorized access, or service disruptions.
Testing and Validation:
Unit Tests: Ran all relevant unit tests to ensure that the updates do not break existing functionality.
Integration Tests: Verified that the application functions correctly with the updated dependencies.
Manual Testing: Conducted manual testing to confirm the effectiveness of the security patches.
References:
CVE-2024-5980 Details
CVE-2021-3449 Details
CVE-2024-26800 Details
CVE-2024-27397 Details
Additional Notes:
The remaining vulnerabilities are being actively monitored, and further updates will be applied as soon as fixes are available.
No breaking changes have been introduced as part of this PR.