GH-16442: 3.46.0.6 Release Notes [nocheck] (#16443)
* ht/initial draft (18)

- excludes 16440 & 16357

* ht/added security vulnerabilities

* ht/5310 > 3510 fix
hannah-tillman authored Oct 31, 2024
1 parent 421def8 commit 6a8f800
Showing 2 changed files with 51 additions and 0 deletions.
32 changes: 32 additions & 0 deletions Changes.md
Expand Up @@ -2,6 +2,38 @@

## H2O

### 3.46.0.6 - 11/1/2024

Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/6/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/6/index.html</a>

#### Bug
- [[#16397]](https://github.com/h2oai/h2o-3/issues/16397) - Removed Sun license from the jps jar.
- [[#16382]](https://github.com/h2oai/h2o-3/issues/16382) - Fixed issues with constrained GLM.
- [[#16360]](https://github.com/h2oai/h2o-3/issues/16360) - Fixed H2O-3 R package for Windows not allowing the opening of one file by multiple processes.
- [[#16333]](https://github.com/h2oai/h2o-3/issues/16333) - Fixed pyplot warning from `learning_curve_plot` call.

#### Improvement
- [[#15180]](https://github.com/h2oai/h2o-3/issues/15180) - Enabled users to adjust parquet imported timezone.

#### New Feature
- [[#16361]](https://github.com/h2oai/h2o-3/issues/16361) - Enabled ability to display full PIDs in logs with `sys.ai.h2o.log.max.pid.length` call.
- [[#8487]](https://github.com/h2oai/h2o-3/issues/8487) - Implemented HGLM Gaussian as its own independent toolbox.

#### Docs
- [[#16413]](https://github.com/h2oai/h2o-3/issues/16413) - Added the HGLM algorithm page and removed HGLM as a parameter.
- [[#16412]](https://github.com/h2oai/h2o-3/issues/16412) - Added `numpy` requirements to welcome page.
- [[#16384]](https://github.com/h2oai/h2o-3/issues/16384) - Fixed broken links throughout the user guide.
- [[#16338]](https://github.com/h2oai/h2o-3/issues/16338) - Clarified the `group_by` documentation by expanding the examples.
- [[#16208]](https://github.com/h2oai/h2o-3/issues/16208) - Added documentation on constrained GLM.
- [[#16182]](https://github.com/h2oai/h2o-3/issues/16182) - Updated the Welcome page to adhere to style guide requirements and broke it up into multiple smaller getting started pages.
- [[#15983]](https://github.com/h2oai/h2o-3/issues/15983) - Added examples to Python documentation for Rulefit.

#### Security
- [[#16425]](https://github.com/h2oai/h2o-3/issues/16425) - Addressed CVE-2024-8862 by adding JDBC parameter validation.
- [[#16416]](https://github.com/h2oai/h2o-3/issues/16416) - Addressed CVE-2024-47561 by upgrading avro:avro library from 1.11.3 to 1.11.4.
- [[#16391]](https://github.com/h2oai/h2o-3/issues/16391) - Addressed sonatype-2024-3350 by using compatible versions of Apache commons-collections packages.
- [[#16351]](https://github.com/h2oai/h2o-3/issues/16351) - Addressed CVE-2024-5979 which caused AstRunTool to crash H2O-3 if bad inputs were provided by not calling `System.exit` from `water.tools`.

### 3.46.0.5 - 8/28/2024

Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/5/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/5/index.html</a>
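
Review bot: The new `Download at:` link under `### 3.46.0.6 - 11/1/2024` uses plain `http://` for `h2o-release.s3.amazonaws.com`, the same as the unchanged 3.46.0.5 entry below it; for a release whose notes list security fixes, consider linking the `https://` form of the same URL so the download page cannot be modified in transit. Separately, the CVE-2024-5979 entry is ambiguous: "caused AstRunTool to crash H2O-3 if bad inputs were provided by not calling `System.exit`" can be read as the crash being caused by not calling it. Putting the fix first, for example "Addressed CVE-2024-5979 (AstRunTool could crash H2O-3 on bad inputs) by no longer calling `System.exit` from `water.tools`", removes the ambiguity.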
19 changes: 19 additions & 0 deletions SECURITY.md
Expand Up @@ -4,3 +4,22 @@

Please report (suspected) security vulnerabilities to [email protected]. You will receive a response from us within 48 hours.
If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

## Known Vulnerabilities
We located these vulnerabilites from our security scans. The following list shows the vulnerabilities and the libraries they were found in:

- CVE-2024-9143: `libcrypto3`, `libssl3`
- CVE-2021-22569: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
- CVE-2021-22570: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
- CVE-2022-3509: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
- CVE-2022-3510: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
- CVE-2024-7254: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
- CVE-2022-3171: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
- CVE-2024-23454: `org.apache.hadoop:hadoop-common (main-3.46.0.jar)`, `org.apache.hadoop:hadoop-common (main.jar)`
- CVE-2024-6763: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)`
- CVE-2024-8184: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)`
- CVE-2024-9823: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)`
- CVE-2024-23454: `org.apache.hadoop:hadoop-common (steam-3.46.0.jar)`, `org.apache.hadoop:hadoop-common (steam.jar)`
- CVE-2024-6763: `org.eclipse.jetty:jetty-http (steam-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (steam.jar)`
- CVE-2024-8184: `org.eclipse.jetty:jetty-http (steam-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (steam.jar)`
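
Review bot: Each entry under `## Known Vulnerabilities` names a CVE and a jar but gives no scan date, scanned release or status (fix planned, not reachable, accepted), so a reader cannot tell which of these still apply to a given H2O-3 version or what to do about them; add a line stating which release and date the scan covers, and a status per entry. The intro sentence also has a typo ("vulnerabilites"), and CVE-2024-23454, CVE-2024-6763 and CVE-2024-8184 are listed twice, once for the `main` jars and once for the `steam` jars, which would read more easily grouped by library with the affected jars listed together.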
