Bump min torch to 1.13.1 to mitigate CVE-2022-45907 unsafe usage of eval #8296
base: dev
Conversation
See GHSA-47fc-vmwq-366v for more details.
- https://nvd.nist.gov/vuln/detail/CVE-2022-45907
- https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-3149871

Signed-off-by: James Butler <[email protected]>
Thanks @jamesobutler for the contribution! The PR overall looks good to me. @ericspod and @Nic-Ma, do you have any concerns about this PR? For vulnerability reasons, we should indeed drop the pre-1.13.1 versions of PyTorch, but the PR will introduce some compatibility issues and remove support for earlier versions. If you have no problems with it, I'll help further refine this PR as well as the updated Blossom CI (GPU testing happens over there).
Thanks as well @jamesobutler. I think we should discuss internally what this implies, because it's dropping support for a number of PyTorch versions. We should be refining what our policy is about when to drop versions; we do this for Python in that we drop non-supported versions, but there's no sunset period defined by PyTorch for theirs (as far as I know). Honestly, we could probably drop all of PyTorch 1.* and very few users would be impacted. Let's keep working on this either way.
@ericspod Reviewing the PyTorch release history, the last time maintainers released a patch release out of order was when they released version 1.8.2 on August 17th 2021, which was after version 1.9.0, released June 15th 2021. This was part of the "PyTorch Enterprise Support Program". However, that program only lasted about 1.5 years, as on November 10th 2022 they ended it. See this blog post: https://pytorch.org/blog/pytorch-enterprise-support-update/. Therefore, PyTorch versions become unmaintained whenever a new major/minor release version comes out. They do not have LTS support or issue patch releases for multiple minor versions.
I issued this PR to bump the torch version to mitigate "Critical" scored vulnerability issues and see how the https://security.snyk.io/package/pip/torch Other unrelated considerations to keep in mind if bumping the minimum torch version beyond
Hi @aylward, during our development meeting, we discussed the PR to bump the minimum Torch version to 1.13.1 in order to mitigate the critical vulnerabilities identified in PyTorch. We are all in agreement regarding this change, but we would still like to hear your thoughts on the matter. Thank you!
Description
This bumps the minimum required torch version from 1.9.0 to 1.13.1. See GHSA-47fc-vmwq-366v for more details, such as the highest severity scoring of "Critical".
Maintainers will need to update the required status checks for the dev branch to:
cc: @KumoLiu
Types of changes
torch versions).
./runtests.sh -f -u --net --coverage
./runtests.sh --quick --unittests --disttests
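The PR raises the floor to `torch>=1.13.1`; a common mistake when enforcing such a floor in a setup check or CI gate is comparing version strings lexicographically, where "1.13.1" sorts before "1.9.0". The following is an added, stdlib-only example (not code from the MONAI project or this PR) that parses a requirement specifier like the one this change writes and evaluates an installed version against it numerically. The requirement string and the sample versions are constructed for illustration; a full PEP 440 implementation would use the `packaging` library instead.

```python
"""Minimum-version gate for a pinned dependency (added example, not project code).

Mirrors the PR's change (torch >= 1.13.1) with a small numeric comparison so the
check does not fall into the string-ordering trap where "1.13.1" < "1.9.0".
"""
import re

MIN_TORCH = "1.13.1"                     # the minimum introduced by the PR
REQUIREMENT = f"torch>={MIN_TORCH}"      # the kind of specifier written into setup.cfg/requirements

# name, comparison operator, version (constructed grammar; a subset of PEP 508/440)
_SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(>=|==|>|<=|<)\s*([0-9][0-9A-Za-z.+]*)\s*$")


def parse_version(v: str) -> tuple:
    """Turn '1.13.1', '1.13.1+cu117' or '2.0.0a0' into a numeric tuple for ordering.

    Local labels (+cu117) and pre-release suffixes (a0) are dropped: this is a
    minimum-version gate, not a complete PEP 440 comparator.
    """
    v = v.split("+", 1)[0]               # drop local version label such as +cu117
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)      # keep the leading digits of each component
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:                # pad so that 1.13 == 1.13.0
        parts.append(0)
    return tuple(parts)


def parse_requirement(spec: str) -> tuple:
    """Split 'torch>=1.13.1' into ('torch', '>=', '1.13.1')."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported requirement: {spec!r}")
    return m.group(1).lower(), m.group(2), m.group(3)


_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "==": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
}


def satisfies(installed: str, spec: str = REQUIREMENT) -> bool:
    """True when the installed version meets the specifier, compared numerically."""
    _name, op, wanted = parse_requirement(spec)
    return _OPS[op](parse_version(installed), parse_version(wanted))


def below_minimum(installed: str, minimum: str = MIN_TORCH) -> bool:
    """True for versions the PR's bump would no longer accept (older than the minimum)."""
    return parse_version(installed) < parse_version(minimum)


def string_compare_is_misleading(a: str = "1.13.1", b: str = "1.9.0") -> bool:
    """Shows the pitfall: plain string ordering says 1.13.1 < 1.9.0, numeric ordering does not."""
    return (a < b) and not (parse_version(a) < parse_version(b))


if __name__ == "__main__":
    # Constructed sample versions; on a real machine you would pass torch.__version__.
    for sample in ["1.9.0", "1.13.0", "1.13.1", "1.13.1+cu117", "2.1.0+cpu"]:
        status = "ok" if satisfies(sample) else "below minimum"
        print(f"{sample:>14}: {status}")
```

`satisfies` is the function to call from a CI step or an import-time check; `below_minimum` is the same test phrased from the advisory's side (which installs the bump would exclude). Because the comparator drops pre-release and local labels, a build such as `1.13.1+cu117` passes the gate as intended.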