Commit 0cfc0c1

Merge branch 'rel-3.46.0' into maurever_GH-16676_remove_offset_effects
2 parents 6f5a719 + d0b0868 commit 0cfc0c1

16 files changed

Lines changed: 715 additions & 28 deletions

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
# .github/workflows/trigger-h2o-3-devops.yml
2+
name: Trigger H2O-3 DevOps Workflows
3+
4+
permissions:
5+
contents: read
6+
7+
on:
8+
push:
9+
branches: [master, rel-3.46.0]
10+
workflow_dispatch:
11+
12+
jobs:
13+
trigger:
14+
runs-on: ubuntu-latest
15+
steps:
16+
- name: Trigger Vulnerability Scan
17+
run: |
18+
curl -X POST \
19+
-H "Accept: application/vnd.github+json" \
20+
-H "Authorization: Bearer ${{ secrets.H2O_3_DEVOPS_REPO_TOKEN }}" \
21+
-H "X-GitHub-Api-Version: 2022-11-28" \
22+
https://api.github.com/repos/h2oai/h2o-3-devops/dispatches \
23+
-d '{"event_type":"h2o3-push","client_payload":{"branch":"${{ github.ref_name }}","sha":"${{ github.sha }}"}}'
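
Review bot: the `-d` payload on line 23 splices `${{ github.ref_name }}` and `${{ github.sha }}` straight into the `run:` script text, so the ref name is interpreted by the shell instead of being passed as data; with `workflow_dispatch` enabled the ref is chosen by whoever starts the run and is not limited to the two branches in the `push` filter. Move both values into the step's `env:` (for example `BRANCH: ${{ github.ref_name }}`) and build the JSON from `"$BRANCH"` and `"$SHA"`. The `curl` call also has no `--fail`, so a 401 or 404 from the dispatches endpoint leaves the job green; add `--fail-with-body` so a rejected or expired token is visible.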

Changes.md

Lines changed: 28 additions & 0 deletions
@@ -2,6 +2,34 @@
22

33
## H2O
44

5+
### 3.46.0.10 - 3/12/2026
6+
7+
Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/10/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/10/index.html</a>
8+
9+
#### Bug
10+
- [[#16433]](https://github.com/h2oai/h2o-3/issues/16433) – Fixed minor errors in GAM, GLM, and ModelSelection.
11+
- [[#16129]](https://github.com/h2oai/h2o-3/issues/16129) – Fixed issues building Docker image using Dockerfile.
12+
- [[#16736]](https://github.com/h2oai/h2o-3/issues/16736) – Fixed R CRAN check.
13+
- [[#16755]](https://github.com/h2oai/h2o-3/issues/16755) – Fixed XGBoost H-statistic example.
14+
15+
#### New Feature
16+
- [[#16769]](https://github.com/h2oai/h2o-3/issues/16769) – Added control variables MOJO support for regression and binomial distribution.
17+
18+
#### Improvement
19+
- [[#16718]](https://github.com/h2oai/h2o-3/issues/16718) – Removed support for Python 3.6.
20+
- [[#16707]](https://github.com/h2oai/h2o-3/issues/16707) – Added support for R 4.5.
21+
22+
#### Docs
23+
- [[#15991]](https://github.com/h2oai/h2o-3/issues/15991) – Updated Infogram pydocs.
24+
- [[#16216]](https://github.com/h2oai/h2o-3/issues/16216) – Updated AutoML user guide page to adhere to style guide.
25+
- [[#16604]](https://github.com/h2oai/h2o-3/issues/16604) – Removed HDP from supported version in the documentation.
26+
27+
#### Security
28+
- [[#16744]](https://github.com/h2oai/h2o-3/issues/16744) – Fixed CVE-2025-68161 in log4j.
29+
- [[#16754]](https://github.com/h2oai/h2o-3/issues/16754) – FedRAMP vulnerability remediation (2026-02-02).
30+
- [[#16773]](https://github.com/h2oai/h2o-3/issues/16773) – Upgraded jackson-databind because of GHSA-72hv-8253-57qq.
31+
- [[#16775]](https://github.com/h2oai/h2o-3/issues/16775) – Added vulnerable PostgreSQL JDBC parameters to default disallowed parameters.
32+
533
### 3.46.0.9 - 11/24/2025
634

735
Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/9/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/9/index.html</a>
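
Review bot: the new `Download at:` link on line 7 points to `http://h2o-release.s3.amazonaws.com` over plain HTTP, in a release whose notes list four security fixes; use `https://` for the download URL (the 3.46.0.9 entry below has the same issue). The #16775 entry would also be more useful to operators if it named the PostgreSQL JDBC parameters that are now disallowed by default, so they can check existing connection strings against the list.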

SECURITY.md

Lines changed: 7 additions & 6 deletions
@@ -8,11 +8,12 @@ If the issue is confirmed, we will release a patch as soon as possible depending
88
## Known Vulnerabilities
99
We located these vulnerabilites from our security scans. The following list shows the vulnerabilities and the libraries they were found in:
1010

11-
Total: 8 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
11+
Total: 4 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
1212

13-
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
14-
|---------------------------------|----------------|---------|---------|-----------------|---------------|----------------------------------------------------------------------|
15-
| commons-lang:commons-lang | CVE-2025-48924 | MEDIUM | affected | 2.6 | | commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang [Link](https://avd.aquasec.com/nvd/cve-2025-48924) |
16-
| org.apache.hadoop:hadoop-common | CVE-2024-23454 | LOW | fixed | 3.3.6 | 3.4.0 | Apache Hadoop: Temporary File Local Information Disclosure [Link](https://avd.aquasec.com/nvd/cve-2024-23454) |
17-
| org.eclipse.jetty:jetty-http | CVE-2024-6763 | MEDIUM | | 9.4.57.v20241219| 12.0.12 | org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority [Link](https://avd.aquasec.com/nvd/cve-2024-6763) |
13+
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title | Mitigation Status |
14+
|---------------------------------|----------------|---------|-----------------|---------------|-------|-------------------|
15+
| commons-lang:commons-lang | CVE-2025-48924 | MEDIUM | 2.6 | | Uncontrolled Recursion vulnerability in `ClassUtils.getClass()` [Link](https://avd.aquasec.com/nvd/cve-2025-48924) | Not affected. H2O does not use `ClassUtils` anywhere in the codebase. H2O only uses safe utility methods from this library (e.g., `ArrayUtils`, `StringUtils.join`, `StringUtils.repeat`). |
16+
| org.eclipse.jetty:jetty-http | CVE-2024-6763 | MEDIUM | 9.4.57.v20241219| 12.0.12 | Jetty URI parsing of invalid authority [Link](https://avd.aquasec.com/nvd/cve-2024-6763) | Not affected. The vulnerability only affects applications that use `HttpURI` directly as a utility for URI validation. H2O does not use `HttpURI` in application code; only Jetty's own internal `Response.encodeURL()` references it, which the [Jetty advisory](https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh) confirms is not vulnerable. |
17+
| org.apache.hadoop:hadoop-common | CVE-2024-23454 | LOW | 3.3.6 | 3.4.0 | Apache Hadoop: Temporary File Local Information Disclosure [Link](https://avd.aquasec.com/nvd/cve-2024-23454) | Not affected. The vulnerability involves Hadoop's `FileUtil.createTempFile()` creating temporary files with world-readable permissions (0666). H2O does not use Hadoop's `FileUtil` for temporary file creation. All temp file operations use Java's standard `File.createTempFile()`, and credential/keytab files are written via Java's `FileOutputStream` directly. |
18+
| org.eclipse.jetty:jetty-http | CVE-2025-11143 | LOW | 9.4.57.v20241219| 12.0.31, 12.1.5 | Security bypass due to different URI parsing between Jetty HttpURI and java.net.URI [Link](https://avd.aquasec.com/nvd/cve-2025-11143) | Not affected. The vulnerability requires an application to use both Jetty's `HttpURI` and Java's `java.net.URI` for security decisions, creating a parsing inconsistency bypass. H2O only uses Jetty's servlet API (`getServletPath()`) for URI extraction, does not use `HttpURI` or `java.net.URI` for security-critical comparisons, and its authentication constraint uses a blanket wildcard `/*` path that applies to all requests regardless of URI parsing. |
1819
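
Review bot: every row in the new `Mitigation Status` column is a reachability argument ("H2O does not use `ClassUtils`", "does not use `HttpURI`", "does not use Hadoop's `FileUtil`") that holds only for H2O's own code at the time of writing, and nothing in this change keeps it true. State whether the analysis also covers calls made by bundled dependencies, record the H2O version or commit it was done against, and consider a build check that fails if `ClassUtils`, `HttpURI` or `FileUtil.createTempFile()` starts being referenced. The dropped `Status` column also removes the scanner's own state for each finding; if that is intentional, say in the intro sentence that the table now reports H2O's assessment and not the raw scan output.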

gradle/prCheck.gradle

Lines changed: 21 additions & 5 deletions
@@ -100,17 +100,33 @@ def checkPull(changeId) {
100100
connection.setRequestMethod("POST")
101101
connection.setDoOutput(true)
102102
connection.setRequestProperty("Authorization", "Bearer ${System.getenv("H2O3_GET_PROJECT_TOKEN")}")
103+
connection.setRequestProperty("Content-Type", "application/json")
103104
connection.connect()
104105
try(OutputStream os = connection.getOutputStream()) {
105106
os.write(projectRequest.getBytes());
106107
}
107-
try(InputStream is = connection.getInputStream()) {
108-
def responseText = is.getText()
109-
def projectResponse = jsonSlurper.parseText(responseText)
110-
if (projectResponse.data.repository.issue.projectV2 == null) {
111-
errorMessages.add("The associated GitHub issue #${issueId} must be assigned to H2O-3 project.")
108+
109+
def responseText
110+
def responseCode = connection.getResponseCode()
111+
if (responseCode == 200) {
112+
try(InputStream is = connection.getInputStream()) {
113+
responseText = is.getText()
114+
}
115+
} else {
116+
try(InputStream es = connection.getErrorStream()) {
117+
responseText = es.getText()
112118
}
113119
}
120+
121+
println "GraphQL Response (${responseCode}): ${responseText}"
122+
def projectResponse = jsonSlurper.parseText(responseText)
123+
124+
if (projectResponse.errors) {
125+
println "GraphQL Errors: ${projectResponse.errors}"
126+
errorMessages.add("Failed to check project assignment for GitHub issue #${issueId}: ${projectResponse.errors[0].message}")
127+
} else if (projectResponse.data?.repository?.issue?.projectV2 == null) {
128+
errorMessages.add("The associated GitHub issue #${issueId} must be assigned to H2O-3 project.")
129+
}
114130

115131
if (errorMessages.isEmpty()) {
116132
println "Pull request #$changeId seems correct. Thank you and good luck in code review!"
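
Review bot: in the new `else` branch (lines 115-117), `connection.getErrorStream()` can return null when the server sends no error body, so `es.getText()` throws, and on any non-200 the body is still passed to `jsonSlurper.parseText(responseText)` at line 122, which fails on a non-JSON body such as a proxy error page. Handle the non-200 case explicitly by adding a message with the status code to `errorMessages` and skipping the parse. The unconditional `println "GraphQL Response (${responseCode}): ${responseText}"` writes the full API response to the build log on every run; print it only on failure.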

h2o-algos/src/main/java/hex/glm/GLMModel.java

Lines changed: 16 additions & 7 deletions
@@ -13,7 +13,7 @@
1313
import org.apache.commons.math3.distribution.TDistribution;
1414
import org.apache.commons.math3.special.Gamma;
1515
import water.*;
16-
import water.codegen.CodeGenerator;
16+
import water.codegen.CodeGenerator; conflict
1717
import water.codegen.CodeGeneratorPipeline;
1818
import water.exceptions.JCodeSB;
1919
import water.fvec.Chunk;
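
Review bot: the changed import on line 16 reads `import water.codegen.CodeGenerator; conflict`; the trailing `conflict` is not valid Java and looks like merge-resolution residue. If it is present in the file, remove it so the line matches the original import, and make sure the merge result compiles before it is pushed.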
@@ -2362,7 +2362,10 @@ public double score(double[] data) {
23622362
classCtx.add(new CodeGenerator() {
23632363
@Override
23642364
public void generate(JCodeSB out) {
2365-
JCodeGen.toClassWithArray(out, "public static", "BETA", beta_internal()); // "The Coefficients"
2365+
if (_parms._control_variables != null && _parms._control_variables.length > 0)
2366+
JCodeGen.toClassWithArray(out, "public static", "BETA", _output.getControlValBeta(beta_internal().clone())); // "The Control Variables Coefficients"
2367+
else
2368+
JCodeGen.toClassWithArray(out, "public static", "BETA", beta_internal()); // "The Coefficients"
23662369
JCodeGen.toClassWithArray(out, "static", "NUM_MEANS", _output._dinfo._numNAFill,"Imputed numeric values");
23672370
JCodeGen.toClassWithArray(out, "static", "CAT_MODES", _output._dinfo.catNAFill(),"Imputed categorical values.");
23682371
JCodeGen.toStaticVar(out, "CATOFFS", dinfo()._catOffsets, "Categorical Offsets");
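
Review bot: the `if`/`else` at lines 2365-2368 picks between `_output.getControlValBeta(beta_internal().clone())` and `beta_internal()`, and the same condition and call are repeated in `GLMMojoWriter.writeModelData()`, so POJO and MOJO coefficients can drift apart if only one site is updated. Move the choice into one method on `GLMModel` that both callers use, and add braces to the multi-line branches. The quoted trailing comments (`// "The Control Variables Coefficients"`) would read better as plain comments saying what `getControlValBeta` changes in the array.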
@@ -2526,18 +2529,24 @@ protected ModelMetrics.MetricBuilder scoreMetrics(Frame adaptFrm) {
25262529

25272530
@Override
25282531
public boolean haveMojo() {
2529-
if (_parms._control_variables != null && _parms._control_variables.length>0)
2530-
return false;
2531-
if (_parms._remove_offset_effects) {
2532-
return false;
2533-
}
2532+
if (_parms._control_variables != null && _parms._control_variables.length > 0)
2533+
return _parms.interactionSpec() == null &&
2534+
!_parms._family.equals(Family.multinomial) &&
2535+
!_parms._family.equals(Family.ordinal) &&
2536+
super.haveMojo();
25342537
if (_parms.interactionSpec() == null)
25352538
return super.haveMojo();
25362539
return false;
25372540
}
25382541

25392542
@Override
25402543
public boolean havePojo() {
2544+
if (_parms._control_variables != null && _parms._control_variables.length > 0)
2545+
return _parms.interactionSpec() == null &&
2546+
_parms._offset_column == null &&
2547+
!_parms._family.equals(Family.multinomial) &&
2548+
!_parms._family.equals(Family.ordinal) &&
2549+
super.havePojo();
25412550
if (_parms.interactionSpec() == null && _parms._offset_column == null) return super.havePojo();
25422551
else return false;
25432552
}
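
Review bot: `haveMojo()` no longer returns false when `_parms._remove_offset_effects` is set (removed lines 2531-2533), and nothing in the new lines replaces that guard, so such models now report MOJO support whenever `interactionSpec()` is null. Either confirm that MOJO scoring reproduces in-cluster predictions for `_remove_offset_effects` and cover it with a test, or keep the guard. In both methods the control-variables branch repeats the conditions of the fall-through branch plus the family checks; computing the shared part once would make the difference obvious, and the enum comparisons can use `!=` instead of negated `equals` calls.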

h2o-algos/src/main/java/hex/glm/GLMMojoWriter.java

Lines changed: 4 additions & 2 deletions
@@ -31,8 +31,10 @@ protected void writeModelData() throws IOException {
3131
writekv("num_means", model.dinfo().numNAFill());
3232
writekv("cat_modes", model.dinfo().catNAFill());
3333
}
34-
35-
writekv("beta", model.beta_internal());
34+
if (model._parms._control_variables != null && model._parms._control_variables.length > 0)
35+
writekv("beta", model._output.getControlValBeta(model.beta_internal().clone())); // "The Control Variables Coefficients"
36+
else
37+
writekv("beta", model.beta_internal()); // "The Coefficients"
3638

3739
writekv("family", model._parms._family);
3840
writekv("link", model._parms._link);
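
Review bot: the `beta` key at lines 34-37 now holds either the full coefficients or the output of `getControlValBeta(...)`, and the visible lines write nothing to the MOJO that records which one was stored. Consider writing a flag alongside it (for example a `writekv` entry for control variables) so a reader of the artifact can tell the two apart, and add a comment on why `beta_internal()` is cloned before the call.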
