Sourced from tensorflow's releases.

TensorFlow 2.7.2

Release 2.7.2

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

TensorFlow 2.7.1

Release 2.7.1

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.7.2

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)

... (truncated)

• dd7b8a3 Merge pull request #56034 from tensorflow-jenkins/relnotes-2.7.2-15779
• 1e7d6ea Update RELEASE.md
• 5085135 Merge pull request #56069 from tensorflow/mm-cp-52488e5072f6fe44411d70c6af09e...
• adafb45 Merge pull request #56060 from yongtang:curl-7.83.1
• 01cb1b8 Merge pull request #56038 from tensorflow-jenkins/version-numbers-2.7.2-4733
• 8c90c2f Update version numbers to 2.7.2
• 43f3cdc Update RELEASE.md
• 98b0a48 Insert release notes place-fill
• dfa5cf3 Merge pull request #56028 from tensorflow/disable-tests-on-r2.7
• 501a65c Disable timing out tests
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.6.4

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

TensorFlow 2.6.3

Release 2.6.3

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)
• Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.6.4

This releases introduces several vulnerability fixes:

• Fixes a code injection in saved_model_cli (CVE-2022-29216)
• Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)
• Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)
• Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)
• Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)
• Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)
• Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)
• Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)
• Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)
• Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)
• Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)
• Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)
• Fixes a segfault due to missing support for quantized types (CVE-2022-29205)
• Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)
• Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)
• Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)
• Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)
• Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)
• Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)
• Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)
• Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)
• Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)
• Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)
• Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115
• Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

Release 2.8.0

Major Features and Improvements

• tf.lite:

  • Added TFLite builtin op support for the following TF ops:
    • tf.raw_ops.Bucketize op on CPU.
    • tf.where op for data types tf.int32/tf.uint32/tf.int8/tf.uint8/tf.int64.
    • tf.random.normal op for output data type tf.float32 on CPU.
    • tf.random.uniform op for output data type tf.float32 on CPU.
    • tf.random.categorical op for output data type tf.int64 on CPU.

• tensorflow.experimental.tensorrt:

  • conversion_params is now deprecated inside TrtGraphConverterV2 in favor of direct arguments: max_workspace_size_bytes, precision_mode, minimum_segment_size, maximum_cached_engines, use_calibration and

... (truncated)

• 33ed2b1 Merge pull request #56102 from tensorflow/mihaimaruseac-patch-1
• e1ec480 Fix build due to importlib-metadata/setuptools
• 63f211c Merge pull request #56033 from tensorflow-jenkins/relnotes-2.6.4-6677
• 22b8fe4 Update RELEASE.md
• ec30684 Merge pull request #56070 from tensorflow/mm-cp-adafb45c781-on-r2.6
• 38774ed Merge pull request #56060 from yongtang:curl-7.83.1
• 9ef1604 Merge pull request #56036 from tensorflow-jenkins/version-numbers-2.6.4-9925
• a6526a3 Update version numbers to 2.6.4
• cb1a481 Update RELEASE.md
• 4da550f Insert release notes place-fill
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.0.1

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html

Changes

• In show_file, use os.remove to remove temporary images. CVE-2022-24303 #6010 [@​radarhere, @​hugovk]
• Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 #6009 [radarhere]

9.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html

Changes

• Restrict builtins for ImageMath.eval() #5923 [@​radarhere]
• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [@​radarhere]
• Fixed ImagePath.Path array handling #5920 [@​radarhere]
• Remove consecutive duplicate tiles that only differ by their offset #5919 [@​radarhere]
• Removed redundant part of condition #5915 [@​radarhere]
• Explicitly enable strip chopping for large uncompressed TIFFs #5517 [@​kmilos]
• Use the Windows method to get TCL functions on Cygwin #5807 [@​DWesl]
• Changed error type to allow for incremental WebP parsing #5404 [@​radarhere]
• Improved I;16 operations on big endian #5901 [@​radarhere]
• Ensure that BMP pixel data offset does not ignore palette #5899 [@​radarhere]
• Limit quantized palette to number of colors #5879 [@​radarhere]
• Use latin1 encoding to decode bytes #5870 [@​radarhere]
• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [@​radarhere]
• When saving RGBA to GIF, make use of first transparent palette entry #5859 [@​radarhere]
• Pass SAMPLEFORMAT to libtiff #5848 [@​radarhere]
• Added rounding when converting P and PA #5824 [@​radarhere]
• Improved putdata() documentation and data handling #5910 [@​radarhere]
• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [@​radarhere]
• Image.NONE is only used for resampling and dithers #5908 [@​radarhere]
• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [@​radarhere]
• Add Tidelift alignment action and badge #5763 [@​aclark4life]
• Replaced further direct invocations of setup.py #5906 [@​radarhere]
• Added ImageShow support for xdg-open #5897 [@​m-shinder]
• Fixed typo #5902 [@​radarhere]
• Switched from deprecated "setup.py install" to "pip install ." #5896 [@​radarhere]
• Support 16-bit grayscale ImageQt conversion #5856 [@​cmbruns]
• Fixed raising OSError in _safe_read when size is greater than SAFEBLOCK #5872 [@​radarhere]
• Convert subsequent GIF frames to RGB or RGBA #5857 [@​radarhere]
• WebP: Fix memory leak during decoding on failure #5798 [@​ilai-deutel]
• Do not prematurely return in ImageFile when saving to stdout #5665 [@​infmagic2047]
• Added support for top right and bottom right TGA orientations #5829 [@​radarhere]
• Corrected ICNS file length in header #5845 [@​radarhere]
• Block tile TIFF tags when saving #5839 [@​radarhere]
• Added line width argument to ImageDraw polygon #5694 [@​radarhere]
• Do not redeclare class each time when converting to NumPy #5844 [@​radarhere]
• Only prevent repeated polygon pixels when drawing with transparency #5835 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.0.1 (2022-02-03)

• In show_file, use os.remove to remove temporary images. CVE-2022-24303 #6010 [radarhere, hugovk]

• Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 #6009 [radarhere]

9.0.0 (2022-01-02)

• Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923 [radarhere]

• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere]

• Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920 [radarhere]

• Remove consecutive duplicate tiles that only differ by their offset #5919 [radarhere]

• Improved I;16 operations on big endian #5901 [radarhere]

• Limit quantized palette to number of colors #5879 [radarhere]

• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [radarhere]

• When saving RGBA to GIF, make use of first transparent palette entry #5859 [radarhere]

• Pass SAMPLEFORMAT to libtiff #5848 [radarhere]

• Added rounding when converting P and PA #5824 [radarhere]

• Improved putdata() documentation and data handling #5910 [radarhere]

• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [hugovk]

• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [radarhere]

... (truncated)

• 6deac9e 9.0.1 version bump
• c04d812 Update CHANGES.rst [ci skip]
• 4fabec3 Added release notes for 9.0.1
• 02affaa Added delay after opening image with xdg-open
• ca0b585 Updated formatting
• 427221e In show_file, use os.remove to remove temporary images
• c930be0 Restrict builtins within lambdas for ImageMath.eval
• 75b69dd Dont need to pin for GHA
• cd938a7 Autolink CWE numbers with sphinx-issues
• 2e9c461 Add CVE IDs
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.5.3

Release 2.5.3

Note: This is the last release in the 2.5 series.

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)
• Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)
• Fixes a division by zero in FractionalMaxPool (CVE-2022-21735)
• Fixes a number of CHECK-fails when building invalid/overflowing tensor shapes (CVE-2022-23569)
• Fixes an undefined behavior in SparseTensorSliceDataset (CVE-2022-21736)
• Fixes an assertion failure based denial of service via faulty bin count operations (CVE-2022-21737)
• Fixes a reference binding to null pointer in QuantizedMaxPool (CVE-2022-21739)
• Fixes an integer overflow leading to crash in SparseCountSparseOutput (CVE-2022-21738)
• Fixes a heap overflow in SparseCountSparseOutput (CVE-2022-21740)
• Fixes an FPE in BiasAndClamp in TFLite (CVE-2022-23557)
• Fixes an FPE in depthwise convolutions in TFLite (CVE-2022-21741)
• Fixes an integer overflow in TFLite array creation (CVE-2022-23558)
• Fixes an integer overflow in TFLite (CVE-2022-23559)
• Fixes a dangerous OOB write in TFLite (CVE-2022-23561)
• Fixes a vulnerability leading to read and write outside of bounds in TFLite (CVE-2022-23560)
• Fixes a set of vulnerabilities caused by using insecure temporary files (CVE-2022-23563)
• Fixes an integer overflow in Range resulting in undefined behavior and OOM (CVE-2022-23562)
• Fixes a vulnerability where missing validation causes tf.sparse.split to crash when axis is a tuple (CVE-2021-41206)
• Fixes a CHECK-fail when decoding resource handles from proto (CVE-2022-23564)
• Fixes a CHECK-fail with repeated AttrDef (CVE-2022-23565)
• Fixes a heap OOB write in Grappler (CVE-2022-23566)
• Fixes a CHECK-fail when decoding invalid tensors from proto (CVE-2022-23571)
• Fixes an unitialized variable access in AssignOp (CVE-2022-23573)
• Fixes an integer overflow in OpLevelCostEstimator::CalculateTensorSize (CVE-2022-23575)
• Fixes an integer overflow in OpLevelCostEstimator::CalculateOutputSize (CVE-2022-23576)
• Fixes a null dereference in GetInitOp (CVE-2022-23577)
• Fixes a memory leak when a graph node is invalid (CVE-2022-23578)
• Fixes an abort caused by allocating a vector that is too large (CVE-2022-23580)
• Fixes multiple CHECK-failures during Grappler's IsSimplifiableReshape (CVE-2022-23581)
• Fixes multiple CHECK-failures during Grappler's SafeToRemoveIdentity (CVE-2022-23579)
• Fixes multiple CHECK-failures in TensorByteSize (CVE-2022-23582)
• Fixes multiple CHECK-failures in binary ops due to type confusion (CVE-2022-23583)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.5.3

This releases introduces several vulnerability fixes:

• Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)
• Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)
• Fixes a heap OOB access in Dequantize (CVE-2022-21726)
• Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)
• Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)
• Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)
• Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)
• Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)
• Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)
• Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)
• Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)
• Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)
• Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)
• Fixes a division by zero in FractionalMaxPool (CVE-2022-21735)
• Fixes a number of CHECK-fails when building invalid/overflowing tensor shapes (CVE-2022-23569)
• Fixes an undefined behavior in SparseTensorSliceDataset (CVE-2022-21736)
• Fixes an assertion failure based denial of service via faulty bin count operations (CVE-2022-21737)
• Fixes a reference binding to null pointer in QuantizedMaxPool (CVE-2022-21739)
• Fixes an integer overflow leading to crash in SparseCountSparseOutput (CVE-2022-21738)
• Fixes a heap overflow in SparseCountSparseOutput (CVE-2022-21740)
• Fixes an FPE in BiasAndClamp in TFLite (CVE-2022-23557)
• Fixes an FPE in depthwise convolutions in TFLite (CVE-2022-21741)

... (truncated)

• 959e9b2 Merge pull request #54213 from tensorflow/fix-sanity-on-r2.5
• d05fcbc Fix sanity build
• f2526a0 Merge pull request #54205 from tensorflow/disable-flaky-tests-on-r2.5
• a5f94df Disable flaky test
• 7babe52 Merge pull request #54201 from tensorflow/cherrypick-510ae18200d0a4fad797c0bf...
• 0e5d378 Set Env Variable to override Setuptools new behavior
• fdd4195 Merge pull request #54176 from tensorflow-jenkins/relnotes-2.5.3-6805
• 4083165 Update RELEASE.md
• a2bb7f1 Merge pull request #54185 from tensorflow/cherrypick-d437dec4d549fc30f9b85c75...
• 5777ea3 Update third_party/icu/workspace.bzl
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html

Changes

• Restrict builtins for ImageMath.eval() #5923 [@​radarhere]
• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [@​radarhere]
• Fixed ImagePath.Path array handling #5920 [@​radarhere]
• Remove consecutive duplicate tiles that only differ by their offset #5919 [@​radarhere]
• Removed redundant part of condition #5915 [@​radarhere]
• Explicitly enable strip chopping for large uncompressed TIFFs #5517 [@​kmilos]
• Use the Windows method to get TCL functions on Cygwin #5807 [@​DWesl]
• Changed error type to allow for incremental WebP parsing #5404 [@​radarhere]
• Improved I;16 operations on big endian #5901 [@​radarhere]
• Ensure that BMP pixel data offset does not ignore palette #5899 [@​radarhere]
• Limit quantized palette to number of colors #5879 [@​radarhere]
• Use latin1 encoding to decode bytes #5870 [@​radarhere]
• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [@​radarhere]
• When saving RGBA to GIF, make use of first transparent palette entry #5859 [@​radarhere]
• Pass SAMPLEFORMAT to libtiff #5848 [@​radarhere]
• Added rounding when converting P and PA #5824 [@​radarhere]
• Improved putdata() documentation and data handling #5910 [@​radarhere]
• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [@​radarhere]
• Image.NONE is only used for resampling and dithers #5908 [@​radarhere]
• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [@​radarhere]
• Add Tidelift alignment action and badge #5763 [@​aclark4life]
• Replaced further direct invocations of setup.py #5906 [@​radarhere]
• Added ImageShow support for xdg-open #5897 [@​m-shinder]
• Fixed typo #5902 [@​radarhere]
• Switched from deprecated "setup.py install" to "pip install ." #5896 [@​radarhere]
• Support 16-bit grayscale ImageQt conversion #5856 [@​cmbruns]
• Fixed raising OSError in _safe_read when size is greater than SAFEBLOCK #5872 [@​radarhere]
• Convert subsequent GIF frames to RGB or RGBA #5857 [@​radarhere]
• WebP: Fix memory leak during decoding on failure #5798 [@​ilai-deutel]
• Do not prematurely return in ImageFile when saving to stdout #5665 [@​infmagic2047]
• Added support for top right and bottom right TGA orientations #5829 [@​radarhere]
• Corrected ICNS file length in header #5845 [@​radarhere]
• Block tile TIFF tags when saving #5839 [@​radarhere]
• Added line width argument to ImageDraw polygon #5694 [@​radarhere]
• Do not redeclare class each time when converting to NumPy #5844 [@​radarhere]
• Only prevent repeated polygon pixels when drawing with transparency #5835 [@​radarhere]
• Fix pushes_fd method signature #5833 [@​hoodmane]
• Add support for pickling TrueType fonts #5826 [@​hugovk]
• Only prefer command line tools SDK on macOS over default MacOSX SDK #5828 [@​radarhere]
• Fix compilation on 64-bit Termux #5793 [@​landfillbaby]
• Replace 'setup.py sdist' with '-m build --sdist' #5785 [@​hugovk]
• Use declarative package configuration #5784 [@​hugovk]
• Use title for display in ImageShow #5788 [@​radarhere]
• Fix for PyQt6 #5775 [@​hugovk]

... (truncated)

Sourced from pillow's changelog.

9.0.0 (2022-01-02)

• Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923 [radarhere]

• Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere]

• Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920 [radarhere]

• Remove consecutive duplicate tiles that only differ by their offset #5919 [radarhere]

• Improved I;16 operations on big endian #5901 [radarhere]

• Limit quantized palette to number of colors #5879 [radarhere]

• Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [radarhere]

• When saving RGBA to GIF, make use of first transparent palette entry #5859 [radarhere]

• Pass SAMPLEFORMAT to libtiff #5848 [radarhere]

• Added rounding when converting P and PA #5824 [radarhere]

• Improved putdata() documentation and data handling #5910 [radarhere]

• Exclude carriage return in PDF regex to help prevent ReDoS #5912 [hugovk]

• Fixed freeing pointer in ImageDraw.Outline.transform #5909 [radarhere]

• Added ImageShow support for xdg-open #5897 [m-shinder, radarhere]

• Support 16-bit grayscale ImageQt conversion #5856 [cmbruns, radarhere]

• Convert subsequent GIF frames to RGB or RGBA #5857 [radarhere]

... (truncated)

• 82541b6 9.0.0 version bump
• cae5ac4 Merge pull request #5924 from radarhere/cves
• ed4cf78 CVEs TBD
• d7f60d1 Merge pull request #5923 from radarhere/imagemath_eval
• 8531b01 Restrict builtins for ImageMath.eval
• 1efb1d9 Merge pull request #5922 from radarhere/releasenotes
• f6c7871 Added release notes for #5919, #5920 and #5921
• 032d2dc Update CHANGES.rst [ci skip]
• baae9ec Merge pull request #5921 from radarhere/jpeg_eoi
• 1059eb5 If appended EOI did not work, do not keep trying
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

8.3.2

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Security

• CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

• Fix 6-byte OOB read in FliDecode [wiredfool]

Python 3.10 wheels

• Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

Fixed regressions

• Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

• Updates for ImagePalette channel order #5599 [radarhere]

• Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

8.3.1

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.1.html

Changes

• Catch OSError when checking if fp is sys.stdout #5585 [@​radarhere]
• Handle removing orientation from alternate types of EXIF data #5584 [@​radarhere]
• Make Image.array take optional dtype argument #5572 [@​t-vi]

8.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html

Changes

• Use snprintf instead of sprintf #5567 [@​radarhere]
• Limit TIFF strip size when saving with LibTIFF #5514 [@​kmilos]
• Allow ICNS save on all operating systems #4526 [@​newpanjing]
• De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables #4989 [@​gofr]
• Do not use background or transparency index for new color #5564 [@​radarhere]
• Simplified code #5315 [@​radarhere]
• Replaced xml.etree.ElementTree #5565 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

8.3.2 (2021-09-02)

• CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

• Fix 6-byte OOB read in FliDecode [wiredfool]

• Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

• Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

• Updates for ImagePalette channel order #5599 [radarhere]

• Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

8.3.1 (2021-07-06)

• Catch OSError when checking if fp is sys.stdout #5585 [radarhere]

• Handle removing orientation from alternate types of EXIF data #5584 [radarhere]

• Make Image.array take optional dtype argument #5572 [t-vi, radarhere]

8.3.0 (2021-07-01)

• Use snprintf instead of sprintf. CVE-2021-34552 #5567 [radarhere]

• Limit TIFF strip size when saving with LibTIFF #5514 [kmilos]

• Allow ICNS save on all operating systems #4526 [baletu, radarhere, newpanjing, hugovk]

• De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables #4989 [gofr, radarhere]

• Replaced xml.etree.ElementTree #5565 [radarhere]

... (truncated)

• 8013f13 8.3.2 version bump
• 23c7ca8 Update CHANGES.rst
• 8450366 Update release notes
• a0afe89 Update test case
• 9e08eb8 Raise ValueError if color specifier is too long
• bd5cf7d FLI tests for Oss-fuzz crash.
• 94a0cf1 Fix 6-byte OOB read in FliDecode
• cece64f Add 8.3.2 (2021-09-02) [CI skip]
• e422386 Add release notes for Pillow 8.3.2
• 08dcbb8 Pillow 8.3.2 supports Python 3.10 [ci skip]
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.5.1

Release 2.5.1

This release introduces several vulnerability fixes:

• Fixes a heap out of bounds access in sparse reduction operations (CVE-2021-37635)
• Fixes a floating point exception in SparseDenseCwiseDiv (CVE-2021-37636)
• Fixes a null pointer dereference in CompressElement (CVE-2021-37637)
• Fixes a null pointer dereference in RaggedTensorToTensor (CVE-2021-37638)
• Fixes a null pointer dereference and a heap OOB read arising from operations restoring tensors (CVE-2021-37639)
• Fixes an integer division by 0 in sparse reshaping (CVE-2021-37640)
• Fixes a division by 0 in ResourceScatterDiv (CVE-2021-37642)
• Fixes a heap OOB in RaggedGather (CVE-2021-37641)
• Fixes a std::abort raised from TensorListReserve (CVE-2021-37644)
• Fixes a null pointer dereference in MatrixDiagPartOp (CVE-2021-37643)
• Fixes an integer overflow due to conversion to unsigned (CVE-2021-37645)
• Fixes a bad allocation error in StringNGrams caused by integer conversion (CVE-2021-37646)
• Fixes a null pointer dereference in SparseTensorSliceDataset (CVE-2021-37647)
• Fixes an incorrect validation of SaveV2 inputs (CVE-2021-37648)
• Fixes a null pointer dereference in UncompressElement (CVE-2021-37649)
• Fixes a segfault and a heap buffer overflow in {Experimental,}DatasetToTFRecord (CVE-2021-37650)
• Fixes a heap buffer overflow in FractionalAvgPoolGrad (CVE-2021-37651)
• Fixes a use after free in boosted trees creation (CVE-2021-37652)
• Fixes a division by 0 in ResourceGather (CVE-2021-37653)
• Fixes a heap OOB and a CHECK fail in ResourceGather (CVE-2021-37654)
• Fixes a heap OOB in ResourceScatterUpdate (CVE-2021-37655)
• Fixes an undefined behavior arising from reference binding to nullptr in RaggedTensorToSparse (CVE-2021-37656)
• Fixes an undefined behavior arising from reference binding to nullptr in MatrixDiagV* ops (CVE-2021-37657)
• Fixes an undefined behavior arising from reference binding to nullptr in MatrixSetDiagV* ops (CVE-2021-37658)
• Fixes an undefined behavior arising from reference binding to nullptr and heap OOB in binary cwise ops (CVE-2021-37659)
• Fixes a division by 0 in inplace operations (CVE-2021-37660)
• Fixes a crash caused by integer conversion to unsigned (CVE-2021-37661)
• Fixes an undefined behavior arising from reference binding to nullptr in boosted trees (CVE-2021-37662)
• Fixes a heap OOB in boosted trees (CVE-2021-37664)
• Fixes vulnerabilities arising from incomplete validation in QuantizeV2 (CVE-2021-37663)
• Fixes vulnerabilities arising from incomplete validation in MKL requantization (CVE-2021-37665)
• Fixes an undefined behavior arising from reference binding to nullptr in RaggedTensorToVariant (CVE-2021-37666)
• Fixes an undefined behavior arising from reference binding to nullptr in unicode encoding (CVE-2021-37667)
• Fixes an FPE in tf.raw_ops.UnravelIndex (CVE-2021-37668)
• Fixes a crash in NMS ops caused by integer conversion to unsigned (CVE-2021-37669)
• Fixes a heap OOB in UpperBound and LowerBound (CVE-2021-37670)
• Fixes an undefined behavior arising from reference binding to nullptr in map operations (CVE-2021-37671)
• Fixes a heap OOB in SdcaOptimizerV2 (CVE-2021-37672)
• Fixes a CHECK-fail in MapStage (CVE-2021-37673)
• Fixes a vulnerability arising from incomplete validation in MaxPoolGrad (CVE-2021-37674)
• Fixes an undefined behavior arising from reference binding to nullptr in shape inference (CVE-2021-37676)
• Fixes a division by 0 in most convolution operators (CVE-2021-37675)
• Fixes vulnerabilities arising from missing validation in shape inference for Dequantize (CVE-2021-37677)
• Fixes an arbitrary code execution due to YAML deserialization (CVE-2021-37678)
• Fixes a heap OOB in nested tf.map_fn with RaggedTensors (CVE-2021-37679)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.5.1

This release introduces several vulnerability fixes:

• Fixes a heap out of bounds access in sparse reduction operations (CVE-2021-37635)
• Fixes a floating point exception in SparseDenseCwiseDiv (CVE-2021-37636)
• Fixes a null pointer dereference in CompressElement (CVE-2021-37637)
• Fixes a null pointer dereference in RaggedTensorToTensor (CVE-2021-37638)
• Fixes a null pointer dereference and a heap OOB read arising from operations restoring tensors (CVE-2021-37639)
• Fixes an integer division by 0 in sparse reshaping (CVE-2021-37640)
• Fixes a division by 0 in ResourceScatterDiv (CVE-2021-37642)
• Fixes a heap OOB in RaggedGather (CVE-2021-37641)
• Fixes a std::abort raised from TensorListReserve (CVE-2021-37644)
• Fixes a null pointer dereference in MatrixDiagPartOp (CVE-2021-37643)
• Fixes an integer overflow due to conversion to unsigned (CVE-2021-37645)
• Fixes a bad allocation error in StringNGrams caused by integer conversion (CVE-2021-37646)
• Fixes a null pointer dereference in SparseTensorSliceDataset (CVE-2021-37647)
• Fixes an incorrect validation of SaveV2 inputs (CVE-2021-37648)
• Fixes a null pointer dereference in UncompressElement (CVE-2021-37649)
• Fixes a segfault and a heap buffer overflow in {Experimental,}DatasetToTFRecord (CVE-2021-37650)
• Fixes a heap buffer overflow in FractionalAvgPoolGrad (CVE-2021-37651)
• Fixes a use after free in boosted trees creation (CVE-2021-37652)
• Fixes a division by 0 in ResourceGather (CVE-2021-37653)
• Fixes a heap OOB and a CHECK fail in ResourceGather (CVE-2021-37654)
• Fixes a heap OOB in ResourceScatterUpdate (CVE-2021-37655)
• Fixes an undefined behavior arising from reference binding to nullptr in RaggedTensorToSparse

... (truncated)

• 8222c1c Merge pull request #51381 from tensorflow/mm-fix-r2.5-build
• d584260 Disable broken/flaky test
• f6c6ce3 Merge pull request #51367 from tensorflow-jenkins/version-numbers-2.5.1-17468
• 3ca7812 Update version numbers to 2.5.1
• 4fdf683 Merge pull request #51361 from tensorflow/mm-update-relnotes-on-r2.5
• 05fc01a Put CVE numbers for fixes in parentheses
• bee1dc4 Update release notes for the new patch release
• 47beb4c Merge pull request #50597 from kruglov-dmitry/v2.5.0-sync-abseil-cmake-bazel
• 6f39597 Merge pull request #49383 from ashahab/abin-load-segfault-r2.5
• 0539b34 Merge pull request #48979 from liufengdb/r2.5-cherrypick
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

8.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html

Changes

• Security fixes for 8.2.0 #5377 [@​hugovk]
• Move getxmp() to JpegImageFile #5376 [@​radarhere]
• Added getxmp() method #5144 [@​UrielMaD]
• Compile LibTIFF with CMake on Windows #5359 [@​nulano]
• Add ImageShow support for GraphicsMagick #5349 [@​latosha-maltba]
• Tiff crash fixes in TiffDecode.c #5372 [@​wiredfool]
• Remove redundant check (addition to #5364) #5366 [@​kkopachev]
• Do not load transparent pixels from subsequent GIF frames #5333 [@​radarhere]
• Use LZW encoding when saving GIF images #5291 [@​raygard]
• Set all transparent colors to be equal in quantize() #5282 [@​radarhere]
• Allow PixelAccess to use Python int when parsing x and y #5206 [@​radarhere]
• Removed Image._MODEINFO #5316 [@​radarhere]
• Add preserve_tone option to autocontrast #5350 [@​elejke]
• Only import numpy when necessary #5323 [@​radarhere]
• Fixed linear_gradient and radial_gradient I and F modes #5274 [@​radarhere]
• Add support for reading TIFFs with PlanarConfiguration=2 #5364 [@​wiredfool]
• More OSS-Fuzz support #5328 [@​wiredfool]
• Do not premultiply alpha when resizing with Image.NEAREST resampling #5304 [@​nulano]
• Use quantization method attributes #5353 [@​radarhere]
• Dynamically link FriBiDi instead of Raqm #5062 [@​nulano]
• Removed build_distance_tables return value #5363 [@​radarhere]
• Allow fewer PNG palette entries than the bit depth maximum when saving #5330 [@​radarhere]
• Use duration from info dictionary when saving WebP #5338 [@​radarhere]
• Improved efficiency when creating GIF disposal images #5326 [@​radarhere]
• Stop flattening EXIF IFD into getexif() #4947 [@​radarhere]
• Replaced tiff_deflate with tiff_adobe_deflate compression when saving TIFF images #5343 [@​radarhere]
• Save ICC profile from TIFF encoderinfo #5321 [@​radarhere]
• Moved RGB fix inside ImageQt class #5268 [@​radarhere]
• Fix -Wformat error in TiffDecode #5305 [@​lukegb]
• Allow alpha_composite destination to be negative #5313 [@​radarhere]
• Ensure file is closed if it is opened by ImageQt.ImageQt #5260 [@​radarhere]
• Added ImageDraw rounded_rectangle method #5208 [@​radarhere]
• Added IPythonViewer #5289 [@​radarhere]
• Only draw each rectangle outline pixel once #5183 [@​radarhere]
• Use mmap instead of built-in Win32 mapper #5224 [@​radarhere]
• Handle PCX images with an odd stride #5214 [@​radarhere]
• Only read different sizes for "Large Thumbnail" MPO frames #5168 [@​radarhere]

Dependencies

• Updated harfbuzz to 2.8.0 #5334 [@​radarhere]

Deprecations

... (truncated)

Sourced from pillow's changelog.

8.2.0 (2021-04-01)

• Added getxmp() method #5144 [UrielMaD, radarhere]

• Add ImageShow support for GraphicsMagick #5349 [latosha-maltba, radarhere]

• Do not load transparent pixels from subsequent GIF frames #5333 [zewt, radarhere]

• Use LZW encoding when saving GIF images #5291 [raygard]

• Set all transparent colors to be equal in quantize() #5282 [radarhere]

• Allow PixelAccess to use Python int when parsing x and y #5206 [radarhere]

• Removed Image._MODEINFO #5316 [radarhere]

• Add preserve_tone option to autocontrast #5350 [elejke, radarhere]

• Fixed linear_gradient and radial_gradient I and F modes #5274 [radarhere]

• Add support for reading TIFFs with PlanarConfiguration=2 #5364 [kkopachev, wiredfool, nulano]

• Deprecated categories #5351 [radarhere]

• Do not premultiply alpha when resizing with Image.NEAREST resampling #5304 [nulano]

• Dynamically link FriBiDi instead of Raqm #5062 [nulano]

• Allow fewer PNG palette entries than the bit depth maximum when saving #5330 [radarhere]

• Use duration from info dictionary when saving WebP #5338 [radarhere]

• Stop flattening EXIF IFD into getexif() #4947 [radarhere, kkopachev]

... (truncated)

• e0e353c 8.2.0 version bump
• ee635be Merge pull request #5377 from hugovk/security-and-release-notes
• 694c84f Fix typo [ci skip]
• 8febdad Review, typos and lint
• fea4196 Reorder, roughly alphabetic
• 496245a Fix BLP DOS -- CVE-2021-28678
• 22e9bee Fix DOS in PSDImagePlugin -- CVE-2021-28675
• ba65f0b Fix Memory DOS in ImageFont
• bb6c11f Fix FLI DOS -- CVE-2021-28676
• 5a5e6db Fix EPS DOS on _open -- CVE-2021-28677
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.5.0

Release 2.5.0

Major Features and Improvements

• Support for Python3.9 has been added.
• tf.data:
  • tf.data service now supports strict round-robin reads, which is useful for synchronous training workloads where example sizes vary. With strict round robin reads, users can guarantee that consumers get similar-sized examples in the same step.
  • tf.data service now supports optional compression. Previously data would always be compressed, but now you can disable compression by passing compression=None to tf.data.experimental.service.distribute(...).
  • tf.data.Dataset.batch() now supports num_parallel_calls and deterministic arguments. num_parallel_calls is used to indicate that multiple input batches should be computed in parallel. With num_parallel_calls set, deterministic is used to indicate that outputs can be obtained in the non-deterministic order.
  • Options returned by tf.data.Dataset.options() are no longer mutable.
  • tf.data input pipelines can now be executed in debug mode, which disables any asynchrony, parallelism, or non-determinism and forces Python execution (as opposed to trace-compiled graph execution) of user-defined functions passed into transformations such as map. The debug mode can be enabled through tf.data.experimental.enable_debug_mode().
• tf.lite
  • Enabled the new MLIR-based quantization backend by default
    • The new backend is used for 8 bits full integer post-training quantization
    • The new backend removes the redundant rescales and fixes some bugs (shared weight/bias, extremely small scales, etc)
    • Set experimental_new_quantizer in tf.lite.TFLiteConverter to False to disable this change
• tf.keras
  • tf.keras.metrics.AUC now support logit predictions.
  • Enabled a new supported input type in Model.fit, tf.keras.utils.experimental.DatasetCreator, which takes a callable, dataset_fn. DatasetCreator is intended to work across all tf.distribute strategies, and is the only input type supported for Parameter Server strategy.
• tf.distribute
  • tf.distribute.experimental.ParameterServerStrategy now supports training with Keras Model.fit when used with DatasetCreator.
  • Creating tf.random.Generator under tf.distribute.Strategy scopes is now allowed (except for tf.distribute.experimental.CentralStorageStrategy and tf.distribute.experimental.ParameterServerStrategy). Different replicas will get different random-number streams.
• TPU embedding support
  • Added profile_data_directory to EmbeddingConfigSpec in _tpu_estimator_embedding.py. This allows embedding lookup statistics gathered at runtime to be used in embedding layer partitioning decisions.
• PluggableDevice
  • Third-party devices can now connect to TensorFlow as plug-ins through StreamExecutor C API. and PluggableDevice interface.
    • Add custom ops and kernels through kernel and op registration C API.
    • Register custom graph optimization passes with graph optimization C API.
• oneAPI Deep Neural Network Library (oneDNN) CPU performance optimizations from Intel-optimized TensorFlow are now available in the official x86-64 Linux and Windows builds.
  • They are off by default. Enable them by setting the environment variable TF_ENABLE_ONEDNN_OPTS=1.
  • We do not recommend using them in GPU systems, as they have not been sufficiently tested with GPUs yet.
• TensorFlow pip packages are now built with CUDA11.2 and cuDNN 8.1.0

Breaking Changes

• The TF_CPP_MIN_VLOG_LEVEL environment variable has been renamed to to TF_CPP_MAX_VLOG_LEVEL which correctly describes its effect.

Bug Fixes and Other Changes

• tf.keras:
  • Preprocessing layers API consistency changes:
    • StringLookup added output_mode, sparse, and pad_to_max_tokens arguments with same semantics as TextVectorization.
    • IntegerLookup added output_mode, sparse, and pad_to_max_tokens arguments with same semantics as TextVectorization. Renamed max_values, oov_value and mask_value to max_tokens, oov_token and mask_token to align with StringLookup and TextVectorization.
    • TextVectorization default for pad_to_max_tokens switched to False.
    • CategoryEncoding no longer supports adapt, IntegerLookup now supports equivalent functionality. max_tokens argument renamed to num_tokens.
    • Discretization added num_bins argument for learning bins boundaries through calling adapt on a dataset. Renamed bins argument to bin_boundaries for specifying bins without adapt.
  • Improvements to model saving/loading:
    • model.load_weights now accepts paths to saved models.

... (truncated)

Sourced from tensorflow's changelog.

Release 2.5.0

Breaking Changes

• The TF_CPP_MIN_VLOG_LEVEL environment variable has been renamed to to TF_CPP_MAX_VLOG_LEVEL which correctly describes its effect.

Known Caveats

Major Features and Improvements

• TPU embedding support

  • Added profile_data_directory to EmbeddingConfigSpec in _tpu_estimator_embedding.py. This allows embedding lookup statistics gathered at runtime to be used in embedding layer partitioning decisions.

• tf.keras.metrics.AUC now support logit predictions.

• Creating tf.random.Generator under tf.distribute.Strategy scopes is now allowed (except for tf.distribute.experimental.CentralStorageStrategy and tf.distribute.experimental.ParameterServerStrategy). Different replicas will get different random-number streams.

• tf.data:

  • tf.data service now supports strict round-robin reads, which is useful for synchronous training workloads where example sizes vary. With strict round robin reads, users can guarantee that consumers get similar-sized examples in the same step.
  • tf.data service now supports optional compression. Previously data would always be compressed, but now you can disable compression by passing compression=None to tf.data.experimental.service.distribute(...).
  • tf.data.Dataset.batch() now supports num_parallel_calls and deterministic arguments. num_parallel_calls is used to indicate that multiple input batches should be computed in parallel. With num_parallel_calls set, deterministic is used to indicate that outputs can be obtained in the non-deterministic order.
  • Options returned by tf.data.Dataset.options() are no longer mutable.
  • tf.data input pipelines can now be executed in debug mode, which disables any asynchrony, parallelism, or non-determinism and forces Python execution (as opposed to trace-compiled graph execution) of user-defined functions passed into transformations such as map. The debug mode can be enabled through tf.data.experimental.enable_debug_mode().

• tf.lite

  • Enabled the new MLIR-based quantization backend by default
    • The new backend is used for 8 bits full integer post-training quantization
    • The new backend removes the redundant rescales and fixes some bugs (shared weight/bias, extremely small scales, etc)

... (truncated)

• a4dfb8d Merge pull request #49124 from tensorflow/mm-cherrypick-tf-data-segfault-fix-...
• 2107b1d Merge pull request #49116 from tensorflow-jenkins/version-numbers-2.5.0-17609
• 16b8139 Update snapshot_dataset_op.cc
• 86a0d86 Merge pull request #49126 from geetachavan1/cherrypicks_X9ZNY
• 9436ae6 Merge pull request #49128 from geetachavan1/cherrypicks_D73J5
• 6b2bf99 Validate that a and b are proper sparse tensors
• c03ad1a Ensure validation sticks in banded_triangular_solve_op
• 12a6ead Merge pull request #49120 from geetachavan1/cherrypicks_KJ5M9
• b67f5b8 Merge pull request #49118 from geetachavan1/cherrypicks_BIDTR
• a13c0ad [tf.data][cherrypick] Fix snapshot segfault when using repeat and prefecth
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

8.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

8.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html

Changes

• Fix TIFF OOB Write error #5175 [@​radarhere]
• Fix for Buffer Read Overrun in PCX Decoding #5174 [@​radarhere]
• Fix for SGI Decode buffer overrun #5173 [@​radarhere]
• Fix OOB Read when saving GIF of xsize=1 #5149 [@​wiredfool]
• Add support for PySide6 #5161 [@​hugovk]
• Moved QApplication into one test #5167 [@​radarhere]
• Use disposal settings from previous frame in APNG #5126 [@​radarhere]
• Revert "skip wheels on 3.10-dev due to wheel#354" #5163 [@​radarhere]
• Better _binary module use #5156 [@​radarhere]
• Added exception explaining that repr_png saves to PNG #5139 [@​radarhere]
• Use previous disposal method in GIF load_end #5125 [@​radarhere]
• Do not catch a ValueError only to raise another #5090 [@​radarhere]
• Allow putpalette to accept 1024 integers to include alpha values #5089 [@​radarhere]
• Fix OOB Read when writing TIFF with custom Metadata #5148 [@​wiredfool]
• Removed unused variable #5140 [@​radarhere]
• Fix dereferencing of potential null pointers #5111 [@​cgohlke]
• Fixed warnings assigning to "unsigned char *" from "char *" #5127 [@​radarhere]
• Add append_images support for ICO #4568 [@​ziplantil]
• Fixed comparison warnings #5122 [@​radarhere]
• Block TIFFTAG_SUBIFD #5120 [@​radarhere]
• Fix dereferencing potential null pointer #5108 [@​cgohlke]
• Replaced PyErr_NoMemory with ImagingError_MemoryError #5113 [@​radarhere]
• Remove duplicate code #5109 [@​cgohlke]
• Moved warning to end of execution #4965 [@​radarhere]
• Removed unused fromstring and tostring C methods #5026 [@​radarhere]
• init() if one of the formats is unrecognised #5037 [@​radarhere]

Dependencies

• Updated libtiff to 4.2.0 #5153 [@​radarhere]
• Updated openjpeg to 2.4.0 #5151 [@​radarhere]
• Updated harfbuzz to 2.7.4 #5138 [@​radarhere]
• Updated harfbuzz to 2.7.3 #5128 [@​radarhere]
• Updated libraqm to 0.7.1 #5070 [@​radarhere]
• Updated libimagequant to 2.13.1 #5065 [@​radarhere]
• Update FriBiDi to 1.0.10 #5064 [@​nulano]
• Updated libraqm to 0.7.1 #5063 [@​radarhere]
• Updated libjpeg-turbo to 2.0.6 #5044 [@​radarhere]

Deprecations

... (truncated)

Sourced from pillow's changelog.

8.1.1 (2021-03-01)

• Use more specific regex chars to prevent ReDoS. CVE-2021-25292 [hugovk]

• Fix OOB Read in TiffDecode.c, and check the tile validity before reading. CVE-2021-25291 [wiredfool]

• Fix negative size read in TiffDecode.c. CVE-2021-25290 [wiredfool]

• Fix OOB read in SgiRleDecode.c. CVE-2021-25293 [wiredfool]

• Incorrect error code checking in TiffDecode.c. CVE-2021-25289 [wiredfool]

• PyModule_AddObject fix for Python 3.10 #5194 [radarhere]

8.1.0 (2021-01-02)

• Fix TIFF OOB Write error. CVE-2020-35654 #5175 [wiredfool]

• Fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174 [wiredfool, radarhere]

• Fix for SGI Decode buffer overrun. CVE-2020-35655 #5173 [wiredfool, radarhere]

• Fix OOB Read when saving GIF of xsize=1 #5149 [wiredfool]

• Makefile updates #5159 [wiredfool, radarhere]

• Add support for PySide6 #5161 [hugovk]

• Use disposal settings from previous frame in APNG #5126 [radarhere]

• Added exception explaining that repr_png saves to PNG #5139 [radarhere]

• Use previous disposal method in GIF load_end #5125 [radarhere]

... (truncated)

• 741d874 8.1.1 version bump
• 179cd1c Added 8.1.1 release notes to index
• 7d29665 Update CHANGES.rst [ci skip]
• d25036f Credits
• 973a4c3 Release notes for 8.1.1
• 521dab9 Use more specific regex chars to prevent ReDoS
• 8b8076b Fix for CVE-2021-25291
• e25be1e Fix negative size read in TiffDecode.c
• f891baa Fix OOB read in SgiRleDecode.c
• cbfdde7 Incorrect error code checking in TiffDecode.c
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.3.1

Release 2.3.1

Bug Fixes and Other Changes

• Fixes an undefined behavior causing a segfault in tf.raw_ops.Switch (CVE-2020-15190)
• Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)
• Fixes two vulnerabilities in SparseFillEmptyRowsGrad (CVE-2020-15194, CVE-2020-15195)
• Fixes several vulnerabilities in RaggedCountSparseOutput and SparseCountSparseOutput operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201)
• Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)
• Fixes a format string vulnerability in tf.strings.as_string (CVE-2020-15203)
• Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)
• Fixes data leak and potential ASLR violation from tf.raw_ops.StringNGrams (CVE-2020-15205)
• Fixes segfaults caused by incomplete SavedModel validation (CVE-2020-15206)
• Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)
• Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)
• Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)
• Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)
• Updates sqlite3 to 3.33.00 to handle CVE-2020-15358.
• Fixes deprecated usage of collections API
• Removes scipy dependency from setup.py since TensorFlow does not need it to install the pip package

TensorFlow 2.3.0

Release 2.3.0

Major Features and Improvements

• tf.data adds two new mechanisms to solve input pipeline bottlenecks and save resources:
  • snapshot
  • tf.data service.

In addition checkout the detailed guide for analyzing input pipeline performance with TF Profiler.

• tf.distribute.TPUStrategy is now a stable API and no longer considered experimental for TensorFlow. (earlier tf.distribute.experimental.TPUStrategy).

• TF Profiler introduces two new tools: a memory profiler to visualize your model’s memory usage over time and a python tracer which allows you to trace python function calls in your model. Usability improvements include better diagnostic messages and profile options to customize the host and device trace verbosity level.

• Introduces experimental support for Keras Preprocessing Layers API (tf.keras.layers.experimental.preprocessing.*) to handle data preprocessing operations, with support for composite tensor inputs. Please see below for additional details on these layers.

• TFLite now properly supports dynamic shapes during conversion and inference. We’ve also added opt-in support on Android and iOS for XNNPACK, a highly optimized set of CPU kernels, as well as opt-in support for executing quantized models on the GPU.

• Libtensorflow packages are available in GCS starting this release. We have also started to release a nightly version of these packages.

• The experimental Python API tf.debugging.experimental.enable_dump_debug_info() now allows you to instrument a TensorFlow program and dump debugging information to a directory on the file system. The directory can be read and visualized by a new interactive dashboard in TensorBoard 2.3 called Debugger V2, which reveals the details of the TensorFlow program including graph structures, history of op executions at the Python (eager) and intra-graph levels, the runtime dtype, shape, and numerical composistion of tensors, as well as their code locations.

Breaking Changes

• Increases the minimum bazel version required to build TF to 3.1.0.
• tf.data
  • Makes the following (breaking) changes to the tf.data.
  • C++ API: - IteratorBase::RestoreInternal, IteratorBase::SaveInternal, and DatasetBase::CheckExternalState become pure-virtual and subclasses are now expected to provide an implementation.
  • The deprecated DatasetBase::IsStateful method is removed in favor of DatasetBase::CheckExternalState.
  • Deprecated overrides of DatasetBase::MakeIterator and MakeIteratorFromInputElement are removed.

... (truncated)

Sourced from tensorflow's changelog.

Release 2.3.1

Bug Fixes and Other Changes

• Fixes an undefined behavior causing a segfault in tf.raw_ops.Switch (CVE-2020-15190)
• Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)
• Fixes two vulnerabilities in SparseFillEmptyRowsGrad (CVE-2020-15194, CVE-2020-15195)
• Fixes several vulnerabilities in RaggedCountSparseOutput and SparseCountSparseOutput operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201)
• Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)
• Fixes a format string vulnerability in tf.strings.as_string (CVE-2020-15203)
• Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)
• Fixes data leak and potential ASLR violation from tf.raw_ops.StringNGrams (CVE-2020-15205)
• Fixes segfaults caused by incomplete SavedModel validation (CVE-2020-15206)
• Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)
• Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)
• Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)
• Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)
• Updates sqlite3 to 3.33.00 to handle CVE-2020-15358.
• Fixes deprecated usage of collections API
• Removes scipy dependency from setup.py since TensorFlow does not need it to install the pip package

Release 2.2.1

... (truncated)

• fcc4b96 Merge pull request #43446 from tensorflow-jenkins/version-numbers-2.3.1-16251
• 4cf2230 Update version numbers to 2.3.1
• eee8224 Merge pull request #43441 from tensorflow-jenkins/relnotes-2.3.1-24672
• 0d41b1d Update RELEASE.md
• d99bd63 Insert release notes place-fill
• d71d3ce Merge pull request #43414 from tensorflow/mihaimaruseac-patch-1-1
• 9c91596 Fix missing import
• f9f12f6 Merge pull request #43391 from tensorflow/mihaimaruseac-patch-4
• 3ed271b Solve leftover from merge conflict
• 9cf3773 Merge pull request #43358 from tensorflow/mm-patch-r2.3
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pillow's releases.

9.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html

Changes

• Initialize libtiff buffer when saving #6699 [@​radarhere]
• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [@​wiredfool]
• Inline fname2char to fix memory leak #6329 [@​nulano]
• Fix memory leaks related to text features #6330 [@​nulano]
• Use double quotes for version check on old CPython on Windows #6695 [@​hugovk]
• GHA: replace deprecated set-output command with GITHUB_OUTPUT file #6697 [@​nulano]
• Remove backup implementation of Round for Windows platforms #6693 [@​cgohlke]
• Upload fribidi.dll to GitHub Actions #6532 [@​nulano]
• Fixed set_variation_by_name offset #6445 [@​radarhere]
• Windows build improvements #6562 [@​nulano]
• Fix malloc in _imagingft.c:font_setvaraxes #6690 [@​cgohlke]
• Only use ASCII characters in C source file #6691 [@​cgohlke]
• Release Python GIL when converting images using matrix operations #6418 [@​hmaarrfk]
• Added ExifTags enums #6630 [@​radarhere]
• Do not modify previous frame when calculating delta in PNG #6683 [@​radarhere]
• Added support for reading BMP images with RLE4 compression #6674 [@​npjg]
• Decode JPEG compressed BLP1 data in original mode #6678 [@​radarhere]
• pylint warnings #6659 [@​marksmayo]
• Added GPS TIFF tag info #6661 [@​radarhere]
• Added conversion between RGB/RGBA/RGBX and LAB #6647 [@​radarhere]
• Do not attempt normalization if mode is already normal #6644 [@​radarhere]
• Fixed seeking to an L frame in a GIF #6576 [@​radarhere]
• Consider all frames when selecting mode for PNG save_all #6610 [@​radarhere]
• Don't reassign crc on ChunkStream close #6627 [@​radarhere]
• Raise a warning if NumPy failed to raise an error during conversion #6594 [@​radarhere]
• Only read a maximum of 100 bytes at a time in IMT header #6623 [@​radarhere]
• Show all frames in ImageShow #6611 [@​radarhere]
• Allow FLI palette chunk to not be first #6626 [@​radarhere]
• If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [@​radarhere]
• Round box position to integer when pasting embedded color #6517 [@​radarhere]
• Removed EXIF prefix when saving WebP #6582 [@​radarhere]
• Pad IM palette to 768 bytes when saving #6579 [@​radarhere]
• Added DDS BC6H reading #6449 [@​ShadelessFox]
• Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [@​JayWiz]
• Raise an error when allocating translucent color to RGB palette #6654 [@​jsbueno]
• Moved mode check outside of loops #6650 [@​radarhere]
• Added reading of TIFF child images #6569 [@​radarhere]
• Improved ImageOps palette handling #6596 [@​PososikTeam]
• Defer parsing of palette into colors #6567 [@​radarhere]
• Apply transparency to P images in ImageTk.PhotoImage #6559 [@​radarhere]
• Use rounding in ImageOps contain() and pad() #6522 [@​bibinhashley]
• Fixed GIF remapping to palette with duplicate entries #6548 [@​radarhere]
• Allow remap_palette() to return an image with less than 256 palette entries #6543 [@​radarhere]
• Corrected BMP and TGA palette size when saving #6500 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.3.0 (2022-10-29)

• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]

• Initialize libtiff buffer when saving #6699 [radarhere]

• Inline fname2char to fix memory leak #6329 [nulano]

• Fix memory leaks related to text features #6330 [nulano]

• Use double quotes for version check on old CPython on Windows #6695 [hugovk]

• Remove backup implementation of Round for Windows platforms #6693 [cgohlke]

• Fixed set_variation_by_name offset #6445 [radarhere]

• Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]

• Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]

• Added ExifTags enums #6630 [radarhere]

• Do not modify previous frame when calculating delta in PNG #6683 [radarhere]

• Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]

• Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]

• Added GPS TIFF tag info #6661 [radarhere]

• Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]

• Do not attempt normalization if mode is already normal #6644 [radarhere]

... (truncated)

• d594f4c Update CHANGES.rst [ci skip]
• 909dc64 9.3.0 version bump
• 1a51ce7 Merge pull request #6699 from hugovk/security-libtiff_buffer
• 2444cdd Merge pull request #6700 from hugovk/security-samples_per_pixel-sec
• 744f455 Added release notes
• 0846bfa Add to release notes
• 799a6a0 Fix linting
• 00b25fd Hide UserWarning in logs
• 05b175e Tighter test case
• 13f2c5a Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tensorflow's releases.

TensorFlow 2.9.3

Release 2.9.3

This release introduces several vulnerability fixes:

• Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)
• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)
• Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)
• Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)
• Fixes an OOB write in grappler (CVE-2022-41902)
• Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)
• Fixes a CHECK fail in PyFunc (CVE-2022-41908)
• Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)
• Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)
• Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)
• Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)
• Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

TensorFlow 2.9.2

Release 2.9.2

This releases introduces several vulnerability fixes:

• Fixes a CHECK failure in tf.reshape caused by overflows (CVE-2022-35934)
• Fixes a CHECK failure in SobolSample caused by missing validation (CVE-2022-35935)
• Fixes an OOB read in Gather_nd op in TF Lite (CVE-2022-35937)
• Fixes a CHECK failure in TensorListReserve caused by missing validation (CVE-2022-35960)
• Fixes an OOB write in Scatter_nd op in TF Lite (CVE-2022-35939)
• Fixes an integer overflow in RaggedRangeOp (CVE-2022-35940)
• Fixes a CHECK failure in AvgPoolOp (CVE-2022-35941)
• Fixes a CHECK failures in UnbatchGradOp (CVE-2022-35952)
• Fixes a segfault TFLite converter on per-channel quantized transposed convolutions (CVE-2022-36027)
• Fixes a CHECK failures in AvgPool3DGrad (CVE-2022-35959)
• Fixes a CHECK failures in FractionalAvgPoolGrad (CVE-2022-35963)
• Fixes a segfault in BlockLSTMGradV2 (CVE-2022-35964)
• Fixes a segfault in LowerBound and UpperBound (CVE-2022-35965)

... (truncated)

Sourced from tensorflow's changelog.

Release 2.9.3

This release introduces several vulnerability fixes:

• Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)
• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)
• Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)
• Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)
• Fixes an OOB write in grappler (CVE-2022-41902)
• Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)
• Fixes a CHECK fail in PyFunc (CVE-2022-41908)
• Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)
• Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)
• Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)
• Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)
• Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

Release 2.8.4

This release introduces several vulnerability fixes:

• Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)
• Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)
• Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)
• Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)
• Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)
• Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)
• Fixes a CHECK fail in BCast (CVE-2022-41890)
• Fixes a segfault in TensorListConcat (CVE-2022-41891)
• Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)
• Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)
• Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)
• Fixes a crash in Mfcc (CVE-2022-41896)
• Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)
• Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)
• Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)

... (truncated)

• a5ed5f3 Merge pull request #58584 from tensorflow/vinila21-patch-2
• 258f9a1 Update py_func.cc
• cd27cfb Merge pull request #58580 from tensorflow-jenkins/version-numbers-2.9.3-24474
• 3e75385 Update version numbers to 2.9.3
• bc72c39 Merge pull request #58482 from tensorflow-jenkins/relnotes-2.9.3-25695
• 3506c90 Update RELEASE.md
• 8dcb48e Update RELEASE.md
• 4f34ec8 Merge pull request #58576 from pak-laura/c2.99f03a9d3bafe902c1e6beb105b2f2417...
• 6fc67e4 Replace CHECK with returning an InternalError on failing to create python tuple
• 5dbe90a Merge pull request #58570 from tensorflow/r2.9-7b174a0f2e4
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from numpy's releases.

v1.22.0

NumPy 1.22.0 Release Notes

NumPy 1.22.0 is a big release featuring the work of 153 contributors spread over 609 pull requests. There have been many improvements, highlights are:

• Annotations of the main namespace are essentially complete. Upstream is a moving target, so there will likely be further improvements, but the major work is done. This is probably the most user visible enhancement in this release.
• A preliminary version of the proposed Array-API is provided. This is a step in creating a standard collection of functions that can be used across application such as CuPy and JAX.
• NumPy now has a DLPack backend. DLPack provides a common interchange format for array (tensor) data.
• New methods for quantile, percentile, and related functions. The new methods provide a complete set of the methods commonly found in the literature.
• A new configurable allocator for use by downstream projects.

These are in addition to the ongoing work to provide SIMD support for commonly used functions, improvements to F2PY, and better documentation.

The Python versions supported in this release are 3.8-3.10, Python 3.7 has been dropped. Note that 32 bit wheels are only provided for Python 3.8 and 3.9 on Windows, all other wheels are 64 bits on account of Ubuntu, Fedora, and other Linux distributions dropping 32 bit support. All 64 bit wheels are also linked with 64 bit integer OpenBLAS, which should fix the occasional problems encountered by folks using truly huge arrays.

Expired deprecations

Deprecated numeric style dtype strings have been removed

Using the strings "Bytes0", "Datetime64", "Str0", "Uint32", and "Uint64" as a dtype will now raise a TypeError.

(gh-19539)

Expired deprecations for loads, ndfromtxt, and mafromtxt in npyio

numpy.loads was deprecated in v1.15, with the recommendation that users use pickle.loads instead. ndfromtxt and mafromtxt were both deprecated in v1.17 - users should use numpy.genfromtxt instead with the appropriate value for the usemask parameter.

(gh-19615)

... (truncated)

• 4adc87d Merge pull request #20685 from charris/prepare-for-1.22.0-release
• fd66547 REL: Prepare for the NumPy 1.22.0 release.
• 125304b wip
• c283859 Merge pull request #20682 from charris/backport-20416
• 5399c03 Merge pull request #20681 from charris/backport-20954
• f9c45f8 Merge pull request #20680 from charris/backport-20663
• 794b36f Update armccompiler.py
• d93b14e Update test_public_api.py
• 7662c07 Update init.py
• 311ab52 Update armccompiler.py
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from opencv-python's releases.

4.2.0.32

• opencv-python: https://pypi.org/project/opencv-python/
• opencv-contrib-python: https://pypi.org/project/opencv-contrib-python/
• opencv-python-headless: https://pypi.org/project/opencv-python-headless/
• opencv-contrib-python-headless: https://pypi.org/project/opencv-contrib-python-headless/

OpenCV version 4.2.0.

Changes:

• macOS environment updated from xcode8.3 to xcode 9.4
• macOS uses now Qt 5 instead of Qt 4
• Nasm version updated to Docker containers
• multibuild updated

Fixes:

• don't use deprecated brew tap-pin, instead refer to the full package name when installing #267
• replace get_config_var() with get_config_vars() in setup.py #274
• add workaround for DLL errors in Windows Server #264

4.1.2.30

• opencv-python: https://pypi.org/project/opencv-python/
• opencv-contrib-python: https://pypi.org/project/opencv-contrib-python/
• opencv-python-headless: https://pypi.org/project/opencv-python-headless/
• opencv-contrib-python-headless: https://pypi.org/project/opencv-contrib-python-headless/

OpenCV version 4.1.2.

Changes:

• Python 3.8 builds added to the build matrix
• Support for Python 3.4 builds dropped (Python 3.4 is in EOL)
• multibuild updated
• minor build logic changes
• Docker images rebuilt

Notes:

Please note that Python 2.7 enters into EOL phase in January 2020. opencv-python Python 2.7 wheels won't be provided after that.

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.