Browse Source
!160 update third party cve note
From: @luoyang42 Reviewed-by: @helloway,@helloway,@zh_qh Signed-off-by: @zh_qh,@hellowaypull/160/MERGE
mindspore-ci-bot
Gitee
4 years ago
2 changed files with 39 additions and 4 deletions
Split View
Diff Options
-
+17 -0security/cve-report_en.md
-
+22 -4security/cve-report_zh_cn.md
+ 17
- 0
security/cve-report_en.md
View File
| @@ -5,6 +5,7 @@ MindSpore is a training and inference framework that supports device, edge, and | |||
| As a general-purpose computing framework, MindSpore can run on different chip platforms such as the CPU, GPU, and Ascend. Users provide data or models as the input and obtain training models or inference results. As core assets in the AI field, data and models are necessary for continuous security protection of AI systems. | |||
| We also provide suggestions on secure running of key components: | |||
| + [MindSpore Security Usage Suggestions](https://gitee.com/mindspore/mindspore/blob/master/SECURITY.md) | |||
| + [MindInsight Security Usage Suggestions](https://gitee.com/mindspore/mindinsight/blob/master/SECURITY.md) | |||
| @@ -21,6 +22,7 @@ To ensure security, please use the [PGP public key](https://gitee.com/mindspore/ | |||
| ## MindSpore Community Security Issue Disclosure Process | |||
| After receiving the issues, we will handle the security issues according to the following process: | |||
| + After receiving suspected security issues, the vulnerability management team (VMT) immediately confirms the integrity of reported information and issue severity. | |||
| + Organize community teams to carry out technical analysis, confirm issue details, and provide analysis reports. | |||
| + Confirm the vulnerability and apply for CVE, communicate with the vulnerability reporter about the issue, align the subsequent fixing and release plan, and prepare the security advisory (SA). | |||
| @@ -30,6 +32,7 @@ After receiving the issues, we will handle the security issues according to the | |||
| ## MindSpore Community Vulnerability Management Team (VMT) | |||
| The VMT consists of vulnerability management experts in the community. The team is responsible for coordinating the entire process from vulnerability receiving to disclosure, including: | |||
| + Vulnerability collection: Suspected security vulnerabilities discovered by community members and external researchers can be reported to the VMT through <mindspore-security@mindspore.cn>. | |||
| + Vulnerability tracking and handling: The VMT will record the confirmed vulnerabilities in the MindSpore community, confirm and fix the vulnerabilities, and keep effective communication with the reporter during the process. | |||
| + Responsible disclosure: After vulnerabilities are properly fixed, the VMT will release vulnerability information to the community in the form of SA. | |||
| @@ -37,3 +40,17 @@ The VMT consists of vulnerability management experts in the community. The team | |||
| ## MindSpore Security Advisory (SA) | |||
| None | |||
| ## MindSpore Security Note (SN) | |||
| ### MindSpore 1.2 | |||
| | CVE list | Third party version | Suggestion | | |||
| | ---- | ---- | ---- | | |||
| | [CVE-2019-18348](https://nvd.nist.gov/vuln/detail/CVE-2019-18348), [CVE-2020-8315](https://nvd.nist.gov/vuln/detail/CVE-2020-8315), [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492) | Python 3.7.5 | | | |||
| | [CVE-2019-19911](https://nvd.nist.gov/vuln/detail/CVE-2019-19911), [CVE-2020-5310](https://nvd.nist.gov/vuln/detail/CVE-2020-5310), [CVE-2020-5311](https://nvd.nist.gov/vuln/detail/CVE-2020-5311), [CVE-2020-5312](https://nvd.nist.gov/vuln/detail/CVE-2020-5312), [CVE-2020-5313](https://nvd.nist.gov/vuln/detail/CVE-2020-5313) | Pillow < 6.2.2 | Upgrade to latest Pillow (8.2.0) | | |||
| | [CVE-2020-10177](https://nvd.nist.gov/vuln/detail/CVE-2020-10177), [CVE-2020-10378](https://nvd.nist.gov/vuln/detail/CVE-2020-10378), [CVE-2020-10379](https://nvd.nist.gov/vuln/detail/CVE-2020-10379), [CVE-2020-10994](https://nvd.nist.gov/vuln/detail/CVE-2020-10994), [CVE-2020-11538](https://nvd.nist.gov/vuln/detail/CVE-2020-11538) | Pillow < 7.1.0 | Upgrade to latest Pillow (8.2.0) | | |||
| | [CVE-2020-15999](https://nvd.nist.gov/vuln/detail/CVE-2020-15999) | Pillow < 8.0.1 | Upgrade to latest Pillow (8.2.0) | | |||
| | [CVE-2020-35653](https://nvd.nist.gov/vuln/detail/CVE-2020-35653), [CVE-2020-35654](https://nvd.nist.gov/vuln/detail/CVE-2020-35654), [CVE-2020-35655](https://nvd.nist.gov/vuln/detail/CVE-2020-35655), | Pillow < 8.1.0 | Upgrade to latest Pillow (8.2.0) | | |||
| | [CVE-2021-25289](https://nvd.nist.gov/vuln/detail/CVE-2021-25289), [CVE-2021-25290](https://nvd.nist.gov/vuln/detail/CVE-2021-25290), [CVE-2021-25291](https://nvd.nist.gov/vuln/detail/CVE-2021-25291), [CVE-2021-25292](https://nvd.nist.gov/vuln/detail/CVE-2021-25292), [CVE-2021-25293](https://nvd.nist.gov/vuln/detail/CVE-2021-25293), [CVE-2021-27921](https://nvd.nist.gov/vuln/detail/CVE-2021-27921), [CVE-2021-27922](https://nvd.nist.gov/vuln/detail/CVE-2021-27922), [CVE-2021-27923](https://nvd.nist.gov/vuln/detail/CVE-2021-27923) | Pillow < 8.1.1 | Upgrade to latest Pillow (8.2.0) | | |||
| | [CVE-2021-25287](https://nvd.nist.gov/vuln/detail/CVE-2021-25287), [CVE-2021-25288](https://nvd.nist.gov/vuln/detail/CVE-2021-25288), [CVE-2021-28675](https://nvd.nist.gov/vuln/detail/CVE-2021-28675), [CVE-2021-28676](https://nvd.nist.gov/vuln/detail/CVE-2021-28676), [CVE-2021-28677](https://nvd.nist.gov/vuln/detail/CVE-2021-28677), [CVE-2021-28678](https://nvd.nist.gov/vuln/detail/CVE-2021-28678) | Pillow < 8.2.0 | Upgrade to latest Pillow (8.2.0) | | |||
+ 22
- 4
security/cve-report_zh_cn.md
View File
| @@ -5,8 +5,9 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架,在 | |||
| 作为通用的计算框架,MindSpore可以运行在CPU/GPU/Ascend等不同的芯片平台上,用户提供数据/模型作为输入,并得到训练模型或者推理结果。数据和模型作为AI领域的核心资产,对AI系统持续开展安全防护,是非常必要的。 | |||
| 我们也提供了关键组件的安全运行建议: | |||
| + [MindSpore安全使用建议](https://gitee.com/mindspore/mindspore/blob/master/SECURITY.md) | |||
| + [MindInsight安全使用建议](https://gitee.com/mindspore/mindinsight/blob/master/SECURITY.md) | |||
| + [MindSpore安全使用建议](https://gitee.com/mindspore/mindspore/blob/master/SECURITY.md) | |||
| + [MindInsight安全使用建议](https://gitee.com/mindspore/mindinsight/blob/master/SECURITY.md) | |||
| 为了构建更安全的AI框架,需要您一起来参与。 | |||
| @@ -18,10 +19,10 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架,在 | |||
| + 安全邮箱:<mindspore-security@mindspore.cn> | |||
| ## MindSpore社区安全问题披露流程 | |||
| ## MindSpore社区安全问题披露流程 | |||
| 收到问题后,我们将会按照如下流程处理安全问题: | |||
| + 收到疑似安全问题后,漏洞管理团队(VMT)立即确认上报信息完整性和问题严重性; | |||
| + 组织社区团队开展技术分析,确认问题细节,并给出分析报告; | |||
| + 确认漏洞并申请CVE,与漏洞上报者开展问题沟通,对齐后续修复&发布计划,准备安全公告(SA); | |||
| @@ -31,6 +32,7 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架,在 | |||
| ## MindSpore社区漏洞管理团队(VMT) | |||
| 漏洞管理团队(Vulnerability Management Team)由社区内的漏洞管理专家组成,工作职责为协调漏洞从接收到披露的整个过程,包括: | |||
| + 漏洞收集:社区成员和外部研究者发现的疑似安全漏洞,都可以通过<mindspore-security@mindspore.cn>上报给VMT; | |||
| + 漏洞跟踪处置:VMT会将确认的漏洞录入MindSpore社区,并负责漏洞的确认/修复,期间会与上报者保持有效沟通; | |||
| + 负责任的披露:漏洞得到妥善的修复后,VMT将会以SA的形式将漏洞信息发布到社区。 | |||
| @@ -38,3 +40,19 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架,在 | |||
| ## MindSpore安全公告(SA) | |||
| 无 | |||
| ## MindSpore安全说明(SN) | |||
| 第三方的开源组件部分漏洞需要用户自行修复: | |||
| ### MindSpore 1.2 | |||
| | CVE 列表 | 第三方组件 | 建议 | | |||
| | ---- | ---- | ---- | | |||
| | [CVE-2019-18348](https://nvd.nist.gov/vuln/detail/CVE-2019-18348), [CVE-2020-8315](https://nvd.nist.gov/vuln/detail/CVE-2020-8315), [CVE-2020-8492](https://nvd.nist.gov/vuln/detail/CVE-2020-8492) | Python 3.7.5 | | | |||
| | [CVE-2019-19911](https://nvd.nist.gov/vuln/detail/CVE-2019-19911), [CVE-2020-5310](https://nvd.nist.gov/vuln/detail/CVE-2020-5310), [CVE-2020-5311](https://nvd.nist.gov/vuln/detail/CVE-2020-5311), [CVE-2020-5312](https://nvd.nist.gov/vuln/detail/CVE-2020-5312), [CVE-2020-5313](https://nvd.nist.gov/vuln/detail/CVE-2020-5313) | Pillow < 6.2.2 | 升级至最新的Pillow版本(8.2.0) | | |||
| | [CVE-2020-10177](https://nvd.nist.gov/vuln/detail/CVE-2020-10177), [CVE-2020-10378](https://nvd.nist.gov/vuln/detail/CVE-2020-10378), [CVE-2020-10379](https://nvd.nist.gov/vuln/detail/CVE-2020-10379), [CVE-2020-10994](https://nvd.nist.gov/vuln/detail/CVE-2020-10994), [CVE-2020-11538](https://nvd.nist.gov/vuln/detail/CVE-2020-11538) | Pillow < 7.1.0 | 升级至最新的Pillow版本(8.2.0) | | |||
| | [CVE-2020-15999](https://nvd.nist.gov/vuln/detail/CVE-2020-15999) | Pillow < 8.0.1 | 升级至最新的Pillow版本(8.2.0) | | |||
| | [CVE-2020-35653](https://nvd.nist.gov/vuln/detail/CVE-2020-35653), [CVE-2020-35654](https://nvd.nist.gov/vuln/detail/CVE-2020-35654), [CVE-2020-35655](https://nvd.nist.gov/vuln/detail/CVE-2020-35655), | Pillow < 8.1.0 | 升级至最新的Pillow版本(8.2.0) | | |||
| | [CVE-2021-25289](https://nvd.nist.gov/vuln/detail/CVE-2021-25289), [CVE-2021-25290](https://nvd.nist.gov/vuln/detail/CVE-2021-25290), [CVE-2021-25291](https://nvd.nist.gov/vuln/detail/CVE-2021-25291), [CVE-2021-25292](https://nvd.nist.gov/vuln/detail/CVE-2021-25292), [CVE-2021-25293](https://nvd.nist.gov/vuln/detail/CVE-2021-25293), [CVE-2021-27921](https://nvd.nist.gov/vuln/detail/CVE-2021-27921), [CVE-2021-27922](https://nvd.nist.gov/vuln/detail/CVE-2021-27922), [CVE-2021-27923](https://nvd.nist.gov/vuln/detail/CVE-2021-27923) | Pillow < 8.1.1 | 升级至最新的Pillow版本(8.2.0) | | |||
| | [CVE-2021-25287](https://nvd.nist.gov/vuln/detail/CVE-2021-25287), [CVE-2021-25288](https://nvd.nist.gov/vuln/detail/CVE-2021-25288), [CVE-2021-28675](https://nvd.nist.gov/vuln/detail/CVE-2021-28675), [CVE-2021-28676](https://nvd.nist.gov/vuln/detail/CVE-2021-28676), [CVE-2021-28677](https://nvd.nist.gov/vuln/detail/CVE-2021-28677), [CVE-2021-28678](https://nvd.nist.gov/vuln/detail/CVE-2021-28678) | Pillow < 8.2.0 | 升级至最新的Pillow版本(8.2.0) | | |||