aws · sirutBuasai · Mar 26, 2025 · Mar 25, 2025 · Mar 25, 2025 · Mar 25, 2025
@@ -5,7 +5,7 @@ framework: &FRAMEWORK tensorflow
 version: &VERSION 2.18.0
 short_version: &SHORT_VERSION "2.18"
 arch_type: x86
-# autopatch_build: "True"
+autopatch_build: "True"
 
 repository_info:
   training_repository: &TRAINING_REPOSITORY
@@ -39,7 +39,7 @@ images:
     tag_python_version: &TAG_PYTHON_VERSION py310
     os_version: &OS_VERSION ubuntu22.04
     tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *OS_VERSION, "-sagemaker" ]
-    # latest_release_tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *OS_VERSION, "-sagemaker" ]
+    latest_release_tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *OS_VERSION, "-sagemaker" ]
     docker_file: !join [ docker/, *SHORT_VERSION, /, *DOCKER_PYTHON_VERSION, /Dockerfile., *DEVICE_TYPE ]
     # build_tag_override: "pr:2.16.2-cpu-py310-ubuntu20.04-sagemaker-pr-4362-autopatch"
     target: sagemaker
@@ -56,7 +56,7 @@ images:
     cuda_version: &CUDA_VERSION cu125
     os_version: &OS_VERSION ubuntu22.04
     tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *CUDA_VERSION, "-", *OS_VERSION, "-sagemaker" ]
-    # latest_release_tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *CUDA_VERSION, "-", *OS_VERSION, "-sagemaker" ]
+    latest_release_tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *CUDA_VERSION, "-", *OS_VERSION, "-sagemaker" ]
     docker_file: !join [ docker/, *SHORT_VERSION, /, *DOCKER_PYTHON_VERSION, /, *CUDA_VERSION, /Dockerfile., *DEVICE_TYPE ]
     # build_tag_override: "pr:2.16.2-gpu-py310-cu123-ubuntu20.04-sagemaker-pr-4362-autopatch"
     target: sagemaker

@@ -1,4 +1,246 @@
 {
+  "cross-spawn": [
+    {
+      "description": "Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.",
+      "vulnerability_id": "CVE-2024-21538",
+      "name": "CVE-2024-21538",
+      "package_name": "cross-spawn",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/jupyterlab/staging/yarn.lock",
+        "name": "cross-spawn",
+        "package_manager": "NODE",
+        "version": "7.0.3",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 7.5,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 7.5,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2024-21538 - cross-spawn, cross-spawn and 1 more",
+      "reason_to_ignore": "N/A"
+    },
+    {
+      "description": "Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.",
+      "vulnerability_id": "CVE-2024-21538",
+      "name": "CVE-2024-21538",
+      "package_name": "cross-spawn",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/jupyterlab/tests/mock_packages/test-hyphens-underscore/yarn.lock",
+        "name": "cross-spawn",
+        "package_manager": "NODE",
+        "version": "7.0.3",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 7.5,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 7.5,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2024-21538 - cross-spawn, cross-spawn and 1 more",
+      "reason_to_ignore": "N/A"
+    },
+    {
+      "description": "Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.",
+      "vulnerability_id": "CVE-2024-21538",
+      "name": "CVE-2024-21538",
+      "package_name": "cross-spawn",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/jupyterlab/tests/mock_packages/test_no_hyphens/yarn.lock",
+        "name": "cross-spawn",
+        "package_manager": "NODE",
+        "version": "7.0.3",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 7.5,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 7.5,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2024-21538 - cross-spawn, cross-spawn and 1 more",
+      "reason_to_ignore": "N/A"
+    }
+  ],
+  "ip": [
+    {
+      "description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.",
+      "vulnerability_id": "CVE-2024-29415",
+      "name": "CVE-2024-29415",
+      "package_name": "ip",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/jupyterlab/staging/yarn.lock",
+        "name": "ip",
+        "package_manager": "NODE",
+        "version": "2.0.1",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 8.1,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 8.1,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2024-29415 - ip",
+      "reason_to_ignore": "N/A"
+    }
+  ],
+  "path-to-regexp": [
+    {
+      "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.",
+      "vulnerability_id": "CVE-2024-45296",
+      "name": "CVE-2024-45296",
+      "package_name": "path-to-regexp",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/jupyterlab/staging/yarn.lock",
+        "name": "path-to-regexp",
+        "package_manager": "NODE",
+        "version": "0.1.7",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 7.5,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 7.5,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2024-45296 - path-to-regexp",
+      "reason_to_ignore": "N/A"
+    }
+  ],
+  "python-json-logger": [
+    {
+      "description": "Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.",
+      "vulnerability_id": "CVE-2025-27607",
+      "name": "CVE-2025-27607",
+      "package_name": "python-json-logger",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/python_json_logger-3.2.1.dist-info/METADATA",
+        "name": "python-json-logger",
+        "package_manager": "PYTHON",
+        "version": "3.2.1",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 8.8,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 8.8,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27607",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2025-27607 - python-json-logger",
+      "reason_to_ignore": "N/A"
+    }
+  ],
+  "ws": [
+    {
+      "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.",
+      "vulnerability_id": "CVE-2024-37890",
+      "name": "CVE-2024-37890",
+      "package_name": "ws",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/jupyterlab/tests/mock_packages/test-hyphens-underscore/yarn.lock",
+        "name": "ws",
+        "package_manager": "NODE",
+        "version": "8.16.0",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 7.5,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 7.5,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2024-37890 - ws, ws",
+      "reason_to_ignore": "N/A"
+    },
+    {
+      "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.",
+      "vulnerability_id": "CVE-2024-37890",
+      "name": "CVE-2024-37890",
+      "package_name": "ws",
+      "package_details": {
+        "file_path": "/usr/local/lib/python3.10/site-packages/jupyterlab/tests/mock_packages/test_no_hyphens/yarn.lock",
+        "name": "ws",
+        "package_manager": "NODE",
+        "version": "8.16.0",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 7.5,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 7.5,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "HIGH",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890",
+      "source": "NVD",
+      "severity": "HIGH",
+      "status": "ACTIVE",
+      "title": "CVE-2024-37890 - ws, ws",
+      "reason_to_ignore": "N/A"
+    }
+  ],
   "ffmpeg": [
     {
       "description": "Integer Overflow vulnerability in function filter_sobel in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts.",