Merge remote-tracking branch origin/rel-3.46.0

h2o-ops · h2o-ops · commit 12cc0800b8ae · 2026-03-11T14:23:32.000Z
diff --git a/Changes.md b/Changes.md
@@ -2,6 +2,34 @@
 
 ## H2O
 
+### 3.46.0.10 - 3/12/2026
+
+Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/10/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/10/index.html</a>
+
+#### Bug
+- [[#16433]](https://github.com/h2oai/h2o-3/issues/16433) – Fixed minor errors in GAM, GLM, and ModelSelection.
+- [[#16129]](https://github.com/h2oai/h2o-3/issues/16129) – Fixed issues building Docker image using Dockerfile.
+- [[#16736]](https://github.com/h2oai/h2o-3/issues/16736) – Fixed R CRAN check.
+- [[#16755]](https://github.com/h2oai/h2o-3/issues/16755) – Fixed XGBoost H-statistic example.
+
+#### New Feature
+- [[#16769]](https://github.com/h2oai/h2o-3/issues/16769) – Added control variables MOJO support for regression and binomial distribution.
+
+#### Improvement
+- [[#16718]](https://github.com/h2oai/h2o-3/issues/16718) – Removed support for Python 3.6.
+- [[#16707]](https://github.com/h2oai/h2o-3/issues/16707) – Added support for R 4.5.
+
+#### Docs
+- [[#15991]](https://github.com/h2oai/h2o-3/issues/15991) – Updated Infogram pydocs.
+- [[#16216]](https://github.com/h2oai/h2o-3/issues/16216) – Updated AutoML user guide page to adhere to style guide.
+- [[#16604]](https://github.com/h2oai/h2o-3/issues/16604) – Removed HDP from supported version in the documentation.
+
+#### Security
+- [[#16744]](https://github.com/h2oai/h2o-3/issues/16744) – Fixed CVE-2025-68161 in log4j.
+- [[#16754]](https://github.com/h2oai/h2o-3/issues/16754) – FedRAMP vulnerability remediation (2026-02-02).
+- [[#16773]](https://github.com/h2oai/h2o-3/issues/16773) – Upgraded jackson-databind because of GHSA-72hv-8253-57qq.
+- [[#16775]](https://github.com/h2oai/h2o-3/issues/16775) – Added vulnerable PostgreSQL JDBC parameters to default disallowed parameters.
+
 ### 3.46.0.9 - 11/24/2025
 
 Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/9/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/9/index.html</a>
diff --git a/SECURITY.md b/SECURITY.md
@@ -8,11 +8,10 @@ If the issue is confirmed, we will release a patch as soon as possible depending
 ## Known Vulnerabilities
 We located these vulnerabilites from our security scans. The following list shows the vulnerabilities and the libraries they were found in:
 
-Total: 8 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 
-| Library                         | Vulnerability    | Severity | Status   | Installed Version | Fixed Version | Title                                                                 |
-|---------------------------------|----------------|---------|---------|-----------------|---------------|----------------------------------------------------------------------|
-| commons-lang:commons-lang       | CVE-2025-48924 | MEDIUM  | affected | 2.6             |               | commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang [Link](https://avd.aquasec.com/nvd/cve-2025-48924) |
-| org.apache.hadoop:hadoop-common | CVE-2024-23454 | LOW     | fixed    | 3.3.6           | 3.4.0         | Apache Hadoop: Temporary File Local Information Disclosure [Link](https://avd.aquasec.com/nvd/cve-2024-23454) |
-| org.eclipse.jetty:jetty-http    | CVE-2024-6763  | MEDIUM  |         | 9.4.57.v20241219| 12.0.12       | org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority [Link](https://avd.aquasec.com/nvd/cve-2024-6763) |
+| Library                         | Vulnerability    | Severity | Installed Version | Fixed Version | Title | Mitigation Status |
+|---------------------------------|----------------|---------|-----------------|---------------|-------|-------------------|
+| commons-lang:commons-lang       | CVE-2025-48924 | MEDIUM  | 2.6             |               | Uncontrolled Recursion vulnerability in `ClassUtils.getClass()` [Link](https://avd.aquasec.com/nvd/cve-2025-48924) | Not affected. H2O does not use `ClassUtils` anywhere in the codebase. H2O only uses safe utility methods from this library (e.g., `ArrayUtils`, `StringUtils.join`, `StringUtils.repeat`). |
+| org.eclipse.jetty:jetty-http    | CVE-2024-6763  | MEDIUM  | 9.4.57.v20241219| 12.0.12       | Jetty URI parsing of invalid authority [Link](https://avd.aquasec.com/nvd/cve-2024-6763) | Not affected. The vulnerability only affects applications that use `HttpURI` directly as a utility for URI validation. H2O does not use `HttpURI` in application code; only Jetty's own internal `Response.encodeURL()` references it, which the [Jetty advisory](https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh) confirms is not vulnerable. |
 
