Sourced from nbconvert's releases.

5.5.0 Documentation Release

This tag is used to provide a working documentation build for RTD.

• cefe0bf Release 6.3.0
• a534fb9 Release 6.3.0b0
• 87920c5 Add changelog for 6.3.0 (#1669)
• dd6d9c7 add slide numbering (#1654)
• 5d2c5e2 Update state filter (#1664)
• 11ea593 fix: avoid closing the script tag early by escaping a forward slash (#1665)
• 968c5fb Fix HTML templates mentioned in help docs (#1653)
• 35c4d07 Add a new output filter that excludes widgets if there is no state (#1643)
• c663c75 6.2.0
• fd1dd15 6.2.0rc2
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from numpy's releases.

v1.21.0

NumPy 1.21.0 Release Notes

The NumPy 1.21.0 release highlights are

• continued SIMD work covering more functions and platforms,
• initial work on the new dtype infrastructure and casting,
• universal2 wheels for Python 3.8 and Python 3.9 on Mac,
• improved documentation,
• improved annotations,
• new PCG64DXSM bitgenerator for random numbers.

In addition there are the usual large number of bug fixes and other improvements.

The Python versions supported for this release are 3.7-3.9. Official support for Python 3.10 will be added when it is released.

:warning: Warning: there are unresolved problems compiling NumPy 1.21.0 with gcc-11.1 .

• Optimization level -O3 results in many wrong warnings when running the tests.
• On some hardware NumPy will hang in an infinite loop.

New functions

Add PCG64DXSM BitGenerator

Uses of the PCG64 BitGenerator in a massively-parallel context have been shown to have statistical weaknesses that were not apparent at the first release in numpy 1.17. Most users will never observe this weakness and are safe to continue to use PCG64. We have introduced a new PCG64DXSM BitGenerator that will eventually become the new default BitGenerator implementation used by default_rng in future releases. PCG64DXSM solves the statistical weakness while preserving the performance and the features of PCG64.

See upgrading-pcg64 for more details.

(gh-18906)

Expired deprecations

• The shape argument numpy.unravel_index cannot be passed as dims keyword argument anymore. (Was deprecated in NumPy 1.16.)

... (truncated)

• b235f9e Merge pull request #19283 from charris/prepare-1.21.0-release
• 34aebc2 MAINT: Update 1.21.0-notes.rst
• 493b64b MAINT: Update 1.21.0-changelog.rst
• 07d7e72 MAINT: Remove accidentally created directory.
• 032fca5 Merge pull request #19280 from charris/backport-19277
• 7d25b81 BUG: Fix refcount leak in ResultType
• fa5754e BUG: Add missing DECREF in new path
• 61127bb Merge pull request #19268 from charris/backport-19264
• 143d45f Merge pull request #19269 from charris/backport-19228
• d80e473 BUG: Removed typing for == and != in dtypes
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from html5lib's changelog.

• ebf6225 0.99999999 release! Let's party!
• a8ba43e Merge pull request #270 from gsnedders/rename_stuff
• 8cb144b Update the docs after all the renaming and add CHANGES
• 00977d6 Rename a bunch of serializer module variables to be underscore prefixed
• 18a7102 Have only one set of allowed elements/attributes for the sanitizer
• c4dd677 Move a whole bunch of private modules to be underscore prefixed
• 8db5828 Rename treewalkers.lxmletree to .etree_lxml for consistency
• 1a61c44 Rename treewalkers.genshistream to .genshi for consistency
• 6c30d0b Move serializer.htmlserializer to serializer
• 7bbde54 Rename filters._base to .base to reflect public status
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from twisted's releases.

Twisted 22.4.0 (2022-04-11)

Features

• twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (#7796)
• twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (#9599)

Bugfixes

• twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (#10274)
• twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (#10317)

Conch

Features

- twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. ([#9765](https://github.com/twisted/twisted/issues/9765))
- twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL >= 1.1.1b.  The new "conch_nacl" extra has the necessary dependency. ([#10208](https://github.com/twisted/twisted/issues/10208))
Misc

-  ([#10313](https://github.com/twisted/twisted/issues/10313))
Web
Features
</code></pre>
<ul>
<li>Twisted is now compatible with h2 4.x.x. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10182">#10182</a>)</li>
</ul>
<p>Bugfixes</p>
<pre><code>

twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a 0x prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. (#10323)

Mail
&lt;/tr&gt;&lt;/table&gt;
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/twisted/twisted/blob/trunk/NEWS.rst">twisted's changelog</a>.</em></p>
<blockquote>
<h1>Twisted 22.4.0 (2022-04-11)</h1>
<h2>Features</h2>
<ul>
<li>twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/7796">#7796</a>)</li>
<li>twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/9599">#9599</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10274">#10274</a>)</li>
<li>twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10317">#10317</a>)</li>
</ul>
<h2>Conch</h2>
<p>Features</p>
<pre><code>

twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. (#9765)
twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL &gt;= 1.1.1b.  The new &quot;conch_nacl&quot; extra has the necessary dependency. (#10208)

Misc


(#10313)

Web
Features

• Twisted is now compatible with h2 4.x.x. (#10182)

Bugfixes

- twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a ``0x`` prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. ([#10323](https://github.com/twisted/twisted/issues/10323))
Mail
</tr></table>

... (truncated)

• ed86633 Mark as misc.
• c894617 Update format for release notes item.
• 5c5c046 Revert coverage reporting changes.
• 682f2c3 Manual fix the news.
• dd98e9c python -m incremental.update Twisted --newversion 22.4.0
• 3eabae5 Fix coverage reporting as codecov v1 was removed.
• a265267 Update after review.
• efac92c tox -e towncrier
• 5ece2d4 python -m incremental.update Twisted --rc
• 592217e Merge pull request from GHSA-c2jg-hw38-jrqq
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.7.2

Release 2.7.2

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

TensorFlow 2.7.1

Release 2.7.1

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.7.2

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)

... (truncated)

• dd7b8a3 Merge pull request #56034 from tensorflow-jenkins/relnotes-2.7.2-15779
• 1e7d6ea Update RELEASE.md
• 5085135 Merge pull request #56069 from tensorflow/mm-cp-52488e5072f6fe44411d70c6af09e...
• adafb45 Merge pull request #56060 from yongtang:curl-7.83.1
• 01cb1b8 Merge pull request #56038 from tensorflow-jenkins/version-numbers-2.7.2-4733
• 8c90c2f Update version numbers to 2.7.2
• 43f3cdc Update RELEASE.md
• 98b0a48 Insert release notes place-fill
• dfa5cf3 Merge pull request #56028 from tensorflow/disable-tests-on-r2.7
• 501a65c Disable timing out tests
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow-gpu's releases.

TensorFlow 2.7.2

Release 2.7.2

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

TensorFlow 2.7.1

Release 2.7.1

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)

... (truncated)

Sourced from tensorflow-gpu's changelog.

Release 2.7.2

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)

... (truncated)

• dd7b8a3 Merge pull request #56034 from tensorflow-jenkins/relnotes-2.7.2-15779
• 1e7d6ea Update RELEASE.md
• 5085135 Merge pull request #56069 from tensorflow/mm-cp-52488e5072f6fe44411d70c6af09e...
• adafb45 Merge pull request #56060 from yongtang:curl-7.83.1
• 01cb1b8 Merge pull request #56038 from tensorflow-jenkins/version-numbers-2.7.2-4733
• 8c90c2f Update version numbers to 2.7.2
• 43f3cdc Update RELEASE.md
• 98b0a48 Insert release notes place-fill
• dfa5cf3 Merge pull request #56028 from tensorflow/disable-tests-on-r2.7
• 501a65c Disable timing out tests
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from ujson's releases.

5.2.0

Added

• Support parsing NaN, Infinity and -Infinity (#514) @​Erotemic
• Support dynamically linking against system double-conversion library (#508) @​musicinmybrain
• Add env var to control stripping debug info (#507) @​musicinmybrain
• Add JSONDecodeError (#498) @​JustAnotherArchivist

Fixed

• Fix buffer overflows (CVE-2021-45958) (#519) @​JustAnotherArchivist
• Upgrade Black to fix Click (#515) @​hugovk
• simplify exception handling on integer overflow (#510) @​RouquinBlanc
• Remove dead code that used to handle the separate int type in Python 2 (#509) @​JustAnotherArchivist
• Fix exceptions on encoding list or dict elements and non-overflow errors on int handling getting silenced (#505) @​JustAnotherArchivist

5.1.0

Changed

• Strip debugging symbols from Linux binaries (#493) @​bwoodsend

5.0.0

Added

• Use cibuildwheel to build wheels (#491) @​bwoodsend

Removed

• Drop support for soon-EOL Python 3.6 (#490) @​hugovk

Fixed

• Install Twine to upload to PyPI (#492) @​hugovk

4.3.0

Added

• Enable Windows on ARM64 target (#488) @​nsait-linaro

4.2.0

Added

• Add a default keyword argument to dumps (#470) @​garenchan
• Add support for Python 3.10 (#472) @​hugovk
• Build 32-bit wheels for Windows (#481) @​hugovk
• Build PyPy3 wheels for manylinux (#475) @​hugovk
• Build wheels for musl aarch64 (aka ARM) Linux (musllinux_1_1_aarch64) (#478) @​bwoodsend
• Build wheels for musl Linux (musllinux_1_1_x86_64) (#476) @​bwoodsend

Changed

... (truncated)

• f6860f1 Remove shebang
• c0ff7b1 python -m pytest
• 362fed3 Clearer pytest command
• 82917c0 actions/checkout@v3
• 3c095f1 Widen tests to cover more possible buffer overflows
• f4d2c87 Refactor buffer reservations to ensure sufficient space on all additions
• 1846e08 Add fuzz test to CI/CD.
• 5875168 Fix some more seg-faults on encoding.
• 1a39406 Remove the hidden JSON_NO_EXTRA_WHITESPACE compile knob.
• 20aa1a6 Add a fuzzing test to search for segfaults in encoding.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.6.4

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

TensorFlow 2.6.3

Release 2.6.3

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)
• Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

Release 2.8.0

Major Features and Improvements

• tf.lite:

  • Added TFLite builtin op support for the following TF ops:
    • tf.raw_ops.Bucketize op on CPU.
    • tf.where op for data types tf.int32/tf.uint32/tf.int8/tf.uint8/tf.int64.
    • tf.random.normal op for output data type tf.float32 on CPU.
    • tf.random.uniform op for output data type tf.float32 on CPU.
    • tf.random.categorical op for output data type tf.int64 on CPU.

• tensorflow.experimental.tensorrt:

  • conversion_params is now deprecated inside TrtGraphConverterV2 in favor of direct arguments: max_workspace_size_bytes, precision_mode, minimum_segment_size, maximum_cached_engines, use_calibration and

... (truncated)

• 33ed2b1 Merge pull request #56102 from tensorflow/mihaimaruseac-patch-1
• e1ec480 Fix build due to importlib-metadata/setuptools
• 63f211c Merge pull request #56033 from tensorflow-jenkins/relnotes-2.6.4-6677
• 22b8fe4 Update RELEASE.md
• ec30684 Merge pull request #56070 from tensorflow/mm-cp-adafb45c781-on-r2.6
• 38774ed Merge pull request #56060 from yongtang:curl-7.83.1
• 9ef1604 Merge pull request #56036 from tensorflow-jenkins/version-numbers-2.6.4-9925
• a6526a3 Update version numbers to 2.6.4
• cb1a481 Update RELEASE.md
• 4da550f Insert release notes place-fill
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow-gpu's releases.

TensorFlow 2.6.4

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

TensorFlow 2.6.3

Release 2.6.3

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)
• Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)

... (truncated)

Sourced from tensorflow-gpu's changelog.

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

Release 2.8.0

Major Features and Improvements

• tf.lite:

  • Added TFLite builtin op support for the following TF ops:
    • tf.raw_ops.Bucketize op on CPU.
    • tf.where op for data types tf.int32/tf.uint32/tf.int8/tf.uint8/tf.int64.
    • tf.random.normal op for output data type tf.float32 on CPU.
    • tf.random.uniform op for output data type tf.float32 on CPU.
    • tf.random.categorical op for output data type tf.int64 on CPU.

• tensorflow.experimental.tensorrt:

  • conversion_params is now deprecated inside TrtGraphConverterV2 in favor of direct arguments: max_workspace_size_bytes, precision_mode, minimum_segment_size, maximum_cached_engines, use_calibration and

... (truncated)

• 33ed2b1 Merge pull request #56102 from tensorflow/mihaimaruseac-patch-1
• e1ec480 Fix build due to importlib-metadata/setuptools
• 63f211c Merge pull request #56033 from tensorflow-jenkins/relnotes-2.6.4-6677
• 22b8fe4 Update RELEASE.md
• ec30684 Merge pull request #56070 from tensorflow/mm-cp-adafb45c781-on-r2.6
• 38774ed Merge pull request #56060 from yongtang:curl-7.83.1
• 9ef1604 Merge pull request #56036 from tensorflow-jenkins/version-numbers-2.6.4-9925
• a6526a3 Update version numbers to 2.6.4
• cb1a481 Update RELEASE.md
• 4da550f Insert release notes place-fill
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html

Changes

• Initialize libtiff buffer when saving #6699 [@​radarhere]
• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [@​wiredfool]
• Inline fname2char to fix memory leak #6329 [@​nulano]
• Fix memory leaks related to text features #6330 [@​nulano]
• Use double quotes for version check on old CPython on Windows #6695 [@​hugovk]
• GHA: replace deprecated set-output command with GITHUB_OUTPUT file #6697 [@​nulano]
• Remove backup implementation of Round for Windows platforms #6693 [@​cgohlke]
• Upload fribidi.dll to GitHub Actions #6532 [@​nulano]
• Fixed set_variation_by_name offset #6445 [@​radarhere]
• Windows build improvements #6562 [@​nulano]
• Fix malloc in _imagingft.c:font_setvaraxes #6690 [@​cgohlke]
• Only use ASCII characters in C source file #6691 [@​cgohlke]
• Release Python GIL when converting images using matrix operations #6418 [@​hmaarrfk]
• Added ExifTags enums #6630 [@​radarhere]
• Do not modify previous frame when calculating delta in PNG #6683 [@​radarhere]
• Added support for reading BMP images with RLE4 compression #6674 [@​npjg]
• Decode JPEG compressed BLP1 data in original mode #6678 [@​radarhere]
• pylint warnings #6659 [@​marksmayo]
• Added GPS TIFF tag info #6661 [@​radarhere]
• Added conversion between RGB/RGBA/RGBX and LAB #6647 [@​radarhere]
• Do not attempt normalization if mode is already normal #6644 [@​radarhere]
• Fixed seeking to an L frame in a GIF #6576 [@​radarhere]
• Consider all frames when selecting mode for PNG save_all #6610 [@​radarhere]
• Don't reassign crc on ChunkStream close #6627 [@​radarhere]
• Raise a warning if NumPy failed to raise an error during conversion #6594 [@​radarhere]
• Only read a maximum of 100 bytes at a time in IMT header #6623 [@​radarhere]
• Show all frames in ImageShow #6611 [@​radarhere]
• Allow FLI palette chunk to not be first #6626 [@​radarhere]
• If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [@​radarhere]
• Round box position to integer when pasting embedded color #6517 [@​radarhere]
• Removed EXIF prefix when saving WebP #6582 [@​radarhere]
• Pad IM palette to 768 bytes when saving #6579 [@​radarhere]
• Added DDS BC6H reading #6449 [@​ShadelessFox]
• Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [@​JayWiz]
• Raise an error when allocating translucent color to RGB palette #6654 [@​jsbueno]
• Moved mode check outside of loops #6650 [@​radarhere]
• Added reading of TIFF child images #6569 [@​radarhere]
• Improved ImageOps palette handling #6596 [@​PososikTeam]
• Defer parsing of palette into colors #6567 [@​radarhere]
• Apply transparency to P images in ImageTk.PhotoImage #6559 [@​radarhere]
• Use rounding in ImageOps contain() and pad() #6522 [@​bibinhashley]
• Fixed GIF remapping to palette with duplicate entries #6548 [@​radarhere]
• Allow remap_palette() to return an image with less than 256 palette entries #6543 [@​radarhere]
• Corrected BMP and TGA palette size when saving #6500 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.3.0 (2022-10-29)

• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]

• Initialize libtiff buffer when saving #6699 [radarhere]

• Inline fname2char to fix memory leak #6329 [nulano]

• Fix memory leaks related to text features #6330 [nulano]

• Use double quotes for version check on old CPython on Windows #6695 [hugovk]

• Remove backup implementation of Round for Windows platforms #6693 [cgohlke]

• Fixed set_variation_by_name offset #6445 [radarhere]

• Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]

• Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]

• Added ExifTags enums #6630 [radarhere]

• Do not modify previous frame when calculating delta in PNG #6683 [radarhere]

• Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]

• Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]

• Added GPS TIFF tag info #6661 [radarhere]

• Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]

• Do not attempt normalization if mode is already normal #6644 [radarhere]

... (truncated)

• d594f4c Update CHANGES.rst [ci skip]
• 909dc64 9.3.0 version bump
• 1a51ce7 Merge pull request #6699 from hugovk/security-libtiff_buffer
• 2444cdd Merge pull request #6700 from hugovk/security-samples_per_pixel-sec
• 744f455 Added release notes
• 0846bfa Add to release notes
• 799a6a0 Fix linting
• 00b25fd Hide UserWarning in logs
• 05b175e Tighter test case
• 13f2c5a Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.9.3

Release 2.9.3

This release introduces several vulnerability fixes:

• Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)
• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)
• Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)
• Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)
• Fixes an OOB write in grappler (CVE-2022-41902)
• Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)
• Fixes a CHECK fail in PyFunc (CVE-2022-41908)
• Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)
• Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)
• Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)
• Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)
• Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

TensorFlow 2.9.2

Release 2.9.2

This releases introduces several vulnerability fixes:

• Fixes a CHECK failure in tf.reshape caused by overflows (CVE-2022-35934)
• Fixes a CHECK failure in SobolSample caused by missing validation (CVE-2022-35935)
• Fixes an OOB read in Gather_nd op in TF Lite (CVE-2022-35937)
• Fixes a CHECK failure in TensorListReserve caused by missing validation (CVE-2022-35960)
• Fixes an OOB write in Scatter_nd op in TF Lite (CVE-2022-35939)
• Fixes an integer overflow in RaggedRangeOp (CVE-2022-35940)
• Fixes a CHECK failure in AvgPoolOp (CVE-2022-35941)
• Fixes a CHECK failures in UnbatchGradOp (CVE-2022-35952)
• Fixes a segfault TFLite converter on per-channel quantized transposed convolutions (CVE-2022-36027)
• Fixes a CHECK failures in AvgPool3DGrad (CVE-2022-35959)
• Fixes a CHECK failures in FractionalAvgPoolGrad (CVE-2022-35963)
• Fixes a segfault in BlockLSTMGradV2 (CVE-2022-35964)
• Fixes a segfault in LowerBound and UpperBound (CVE-2022-35965)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.9.3

This release introduces several vulnerability fixes:

• Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)
• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)
• Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)
• Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)
• Fixes an OOB write in grappler (CVE-2022-41902)
• Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)
• Fixes a CHECK fail in PyFunc (CVE-2022-41908)
• Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)
• Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)
• Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)
• Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)
• Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

Release 2.8.4

This release introduces several vulnerability fixes:

• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)

... (truncated)

• a5ed5f3 Merge pull request #58584 from tensorflow/vinila21-patch-2
• 258f9a1 Update py_func.cc
• cd27cfb Merge pull request #58580 from tensorflow-jenkins/version-numbers-2.9.3-24474
• 3e75385 Update version numbers to 2.9.3
• bc72c39 Merge pull request #58482 from tensorflow-jenkins/relnotes-2.9.3-25695
• 3506c90 Update RELEASE.md
• 8dcb48e Update RELEASE.md
• 4f34ec8 Merge pull request #58576 from pak-laura/c2.99f03a9d3bafe902c1e6beb105b2f2417...
• 6fc67e4 Replace CHECK with returning an InternalError on failing to create python tuple
• 5dbe90a Merge pull request #58570 from tensorflow/r2.9-7b174a0f2e4
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow-gpu's releases.

TensorFlow 2.9.3

Release 2.9.3

This release introduces several vulnerability fixes:

• Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)
• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)
• Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)
• Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)
• Fixes an OOB write in grappler (CVE-2022-41902)
• Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)
• Fixes a CHECK fail in PyFunc (CVE-2022-41908)
• Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)
• Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)
• Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)
• Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)
• Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

TensorFlow 2.9.2

Release 2.9.2

This releases introduces several vulnerability fixes:

• Fixes a CHECK failure in tf.reshape caused by overflows (CVE-2022-35934)
• Fixes a CHECK failure in SobolSample caused by missing validation (CVE-2022-35935)
• Fixes an OOB read in Gather_nd op in TF Lite (CVE-2022-35937)
• Fixes a CHECK failure in TensorListReserve caused by missing validation (CVE-2022-35960)
• Fixes an OOB write in Scatter_nd op in TF Lite (CVE-2022-35939)
• Fixes an integer overflow in RaggedRangeOp (CVE-2022-35940)
• Fixes a CHECK failure in AvgPoolOp (CVE-2022-35941)
• Fixes a CHECK failures in UnbatchGradOp (CVE-2022-35952)
• Fixes a segfault TFLite converter on per-channel quantized transposed convolutions (CVE-2022-36027)
• Fixes a CHECK failures in AvgPool3DGrad (CVE-2022-35959)
• Fixes a CHECK failures in FractionalAvgPoolGrad (CVE-2022-35963)
• Fixes a segfault in BlockLSTMGradV2 (CVE-2022-35964)
• Fixes a segfault in LowerBound and UpperBound (CVE-2022-35965)

... (truncated)

Sourced from tensorflow-gpu's changelog.

Release 2.9.3

This release introduces several vulnerability fixes:

• Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)
• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)
• Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)
• Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)
• Fixes an OOB write in grappler (CVE-2022-41902)
• Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)
• Fixes a CHECK fail in PyFunc (CVE-2022-41908)
• Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)
• Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)
• Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)
• Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)
• Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

Release 2.8.4

This release introduces several vulnerability fixes:

• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)

... (truncated)

• a5ed5f3 Merge pull request #58584 from tensorflow/vinila21-patch-2
• 258f9a1 Update py_func.cc
• cd27cfb Merge pull request #58580 from tensorflow-jenkins/version-numbers-2.9.3-24474
• 3e75385 Update version numbers to 2.9.3
• bc72c39 Merge pull request #58482 from tensorflow-jenkins/relnotes-2.9.3-25695
• 3506c90 Update RELEASE.md
• 8dcb48e Update RELEASE.md
• 4f34ec8 Merge pull request #58576 from pak-laura/c2.99f03a9d3bafe902c1e6beb105b2f2417...
• 6fc67e4 Replace CHECK with returning an InternalError on failing to create python tuple
• 5dbe90a Merge pull request #58570 from tensorflow/r2.9-7b174a0f2e4
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from twisted's releases.

Twisted 22.10.0 (2022-10-30)

This release contains a security fix for CVE-2022-39348. This is a low-severity security bug.

Twisted 22.10.0rc1 release candidate was released on 2022-10-26 and there are no changes between the release candidate and the final release.

Features

• The systemd: endpoint parser now supports "named" file descriptors. This is a more reliable mechanism for choosing among several inherited descriptors. (#8147)

Improved Documentation

• The systemd endpoint parser's index parameter is now documented as leading to non-deterministic results in which descriptor is selected. The new name parameter is now documented as preferred. (#8146)
• The implementers of Zope interfaces are once more displayed in the documentations. (#11690)

Deprecations and Removals

• twisted.protocols.dict, which was deprecated in 17.9, has been removed. (#11725)

Misc

• #11573, #11599, #11616, #11628, #11631, #11640, #11645, #11647, #11652, #11664, #11674, #11679, #11686, #11692, #11694, #11696, #11700, #11702, #11713, #11715, #11721

Conch

Bugfixes

- twisted.conch.manhole.ManholeInterpreter now captures tracebacks even if sys.excepthook has been modified. ([#11638](https://github.com/twisted/twisted/issues/11638))
Web
Features

... (truncated)

Sourced from twisted's changelog.

Twisted 22.10.0 (2022-10-30)

This release contains a security fix for CVE-2022-39348. This is a low-severity security bug.

Twisted 22.10.0rc1 release candidate was released on 2022-10-26 and there are no changes between the release candidate and the final release.

Features

• The systemd: endpoint parser now supports "named" file descriptors. This is a more reliable mechanism for choosing among several inherited descriptors. (#8147)

Improved Documentation

• The systemd endpoint parser's index parameter is now documented as leading to non-deterministic results in which descriptor is selected. The new name parameter is now documented as preferred. (#8146)
• The implementers of Zope interfaces are once more displayed in the documentations. (#11690)

Deprecations and Removals

• twisted.protocols.dict, which was deprecated in 17.9, has been removed. (#11725)

Misc

• #11573, #11599, #11616, #11628, #11631, #11640, #11645, #11647, #11652, #11664, #11674, #11679, #11686, #11692, #11694, #11696, #11700, #11702, #11713, #11715, #11721

Conch

Bugfixes

- twisted.conch.manhole.ManholeInterpreter now captures tracebacks even if sys.excepthook has been modified. ([#11638](https://github.com/twisted/twisted/issues/11638))
Web
Features

... (truncated)

• 39ee213 Update news for final version.
• 7e76513 python -m incremental.update Twisted --newversion 22.10.0
• 3f1f502 Apply suggestions from twm.
• 3185b01 Add info about CVE at the start of the release notes.
• 15aa477 tox -e towncrier
• 0a29d34 python -m incremental.update Twisted --rc
• f2f5e81 Merge pull request from GHSA-vg46-2rrj-3647
• b0545bc Merge branch 'trunk' into advisory-fix-1
• 50761f4 #11715: Use NEXT in deprecation examples (#11720)
• 927a5dc Add newsfragment
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from protobuf's releases.

Protocol Buffers v3.18.3

C++

• Reduce memory consumption of MessageSet parsing
• This release addresses a Security Advisory for C++ and Python users

Protocol Buffers v3.16.1

Java

• Improve performance characteristics of UnknownFieldSet parsing (#9371)

Protocol Buffers v3.18.2

Java

• Improve performance characteristics of UnknownFieldSet parsing (#9371)

Protocol Buffers v3.18.1

Python

• Update setup.py to reflect that we now require at least Python 3.5 (#8989)
• Performance fix for DynamicMessage: force GetRaw() to be inlined (#9023)

Ruby

• Update ruby_generator.cc to allow proto2 imports in proto3 (#9003)

Protocol Buffers v3.18.0

C++

• Fix warnings raised by clang 11 (#8664)
• Make StringPiece constructible from std::string_view (#8707)
• Add missing capability attributes for LLVM 12 (#8714)
• Stop using std::iterator (deprecated in C++17). (#8741)
• Move field_access_listener from libprotobuf-lite to libprotobuf (#8775)
• Fix #7047 Safely handle setlocale (#8735)
• Remove deprecated version of SetTotalBytesLimit() (#8794)
• Support arena allocation of google::protobuf::AnyMetadata (#8758)
• Fix undefined symbol error around SharedCtor() (#8827)
• Fix default value of enum(int) in json_util with proto2 (#8835)
• Better Smaller ByteSizeLong
• Introduce event filters for inject_field_listener_events
• Reduce memory usage of DescriptorPool
• For lazy fields copy serialized form when allowed.
• Re-introduce the InlinedStringField class
• v2 access listener
• Reduce padding in the proto's ExtensionRegistry map.
• GetExtension performance optimizations
• Make tracker a static variable rather than call static functions
• Support extensions in field access listener
• Annotate MergeFrom for field access listener
• Fix incomplete types for field access listener
• Add map_entry/new_map_entry to SpecificField in MessageDifferencer. They record the map items which are different in MessageDifferencer's reporter.
• Reduce binary size due to fieldless proto messages
• TextFormat: ParseInfoTree supports getting field end location in addition to start.

... (truncated)

• a902b39 No-op whitespace change
• ae62acd Updating version.json and repo version numbers to: 18.3
• f43ac49 Merge pull request #10542 from deannagarcia/3.18.x
• 9efdf55 Add missing includes
• d1635e1 Apply patch
• 5b37c91 Update version.json with "lts": true (#10534)
• c39d622 Merge pull request #10529 from protocolbuffers/deannagarcia-patch-5
• f77d3b6 Update version.json
• 8178b06 Merge pull request #10503 from deannagarcia/3.18.x
• 24ca839 Add version file
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from nbconvert's releases.

Release 6.5.1

No release notes provided.

6.5.0

What's Changed

• Drop dependency on testpath. by @​anntzer in jupyter/nbconvert#1723
• Adopt pre-commit by @​blink1073 in jupyter/nbconvert#1744
• Add pytest settings and handle warnings by @​blink1073 in jupyter/nbconvert#1745
• Apply Autoformatters by @​blink1073 in jupyter/nbconvert#1746
• Add git-blame-ignore-revs by @​blink1073 in jupyter/nbconvert#1748
• Update flake8 config by @​blink1073 in jupyter/nbconvert#1749
• support bleach 5, add packaging and tinycss2 dependencies by @​bollwyvl in jupyter/nbconvert#1755
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jupyter/nbconvert#1752
• update cli example by @​leahecole in jupyter/nbconvert#1753
• Clean up pre-commit by @​blink1073 in jupyter/nbconvert#1757
• Clean up workflows by @​blink1073 in jupyter/nbconvert#1750

New Contributors

• @​pre-commit-ci made their first contribution in jupyter/nbconvert#1752

Full Changelog: https://github.com/jupyter/nbconvert/compare/6.4.5...6.5

6.4.3

What's Changed

• Add section to customizing showing how to use template inheritance by @​stefanv in jupyter/nbconvert#1719
• Remove ipython genutils by @​rgs258 in jupyter/nbconvert#1727
• Update changelog for 6.4.3 by @​blink1073 in jupyter/nbconvert#1728

New Contributors

• @​stefanv made their first contribution in jupyter/nbconvert#1719
• @​rgs258 made their first contribution in jupyter/nbconvert#1727

Full Changelog: https://github.com/jupyter/nbconvert/compare/6.4.2...6.4.3

6.4.0

What's Changed

• Optionally speed up validation by @​gwincr11 in jupyter/nbconvert#1672
• Adding missing div compared to JupyterLab DOM structure by @​SylvainCorlay in jupyter/nbconvert#1678
• Allow passing extra args to code highlighter by @​yuvipanda in jupyter/nbconvert#1683
• Prevent page breaks in outputs when printing by @​SylvainCorlay in jupyter/nbconvert#1679
• Add collapsers to template by @​SylvainCorlay in jupyter/nbconvert#1689
• Fix recent pandoc latex tables by adding calc and array (#1536, #1566) by @​cgevans in jupyter/nbconvert#1686
• Add an invalid notebook error by @​gwincr11 in jupyter/nbconvert#1675
• Fix typos in execute.py by @​TylerAnderson22 in jupyter/nbconvert#1692
• Modernize latex greek math handling (partially fixes #1673) by @​cgevans in jupyter/nbconvert#1687
• Fix use of deprecated API and update test matrix by @​blink1073 in jupyter/nbconvert#1696
• Update nbconvert_library.ipynb by @​letterphile in jupyter/nbconvert#1695
• Changelog for 6.4 by @​blink1073 in jupyter/nbconvert#1697

New Contributors

... (truncated)

• 7471b75 Release 6.5.1
• c1943e0 Fix pre-commit
• 8685e93 Fix tests
• 0abf290 Run black and prettier
• 418d545 Run test on 6.x branch
• bef65d7 Convert input to string prior to escape HTML
• 0818628 Check input type before escaping
• b206470 GHSL-2021-1017, GHSL-2021-1020, GHSL-2021-1021
• a03cbb8 GHSL-2021-1026, GHSL-2021-1025
• 48fe71e GHSL-2021-1024
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.