From 6a8f800b8aaf97a506dd9f3118ec0289bceda3bb Mon Sep 17 00:00:00 2001 From: Hannah <52463461+hannah-tillman@users.noreply.github.com> Date: Thu, 31 Oct 2024 11:41:45 -0500 Subject: [PATCH] GH-16442: 3.46.0.6 Release Notes [nocheck] (#16443) * ht/initial draft (18) - excludes 16440 & 16357 * ht/added security vulnerabilities * ht/5310 > 3510 fix --- Changes.md | 32 ++++++++++++++++++++++++++++++++ SECURITY.md | 19 +++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/Changes.md b/Changes.md index 333619f7f537..434b99a5495b 100644 --- a/Changes.md +++ b/Changes.md 
@@ -2,6 +2,38 @@ ## H2O +### 3.46.0.6 - 11/1/2024 + +Download at: http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/6/index.html + +#### Bug +- [[#16397]](https://github.com/h2oai/h2o-3/issues/16397) - Removed Sun license from the jps jar. +- [[#16382]](https://github.com/h2oai/h2o-3/issues/16382) - Fixed issues with constrained GLM. +- [[#16360]](https://github.com/h2oai/h2o-3/issues/16360) - Fixed H2O-3 R package for Windows not allowing the opening of one file by multiple processes. +- [[#16333]](https://github.com/h2oai/h2o-3/issues/16333) - Fixed pyplot warning from `learning_curve_plot` call. + +#### Improvement +- [[#15180]](https://github.com/h2oai/h2o-3/issues/15180) - Enabled users to adjust parquet imported timezone. + +#### New Feature +- [[#16361]](https://github.com/h2oai/h2o-3/issues/16361) - Enabled ability to display full PIDs in logs with `sys.ai.h2o.log.max.pid.length` call. +- [[#8487]](https://github.com/h2oai/h2o-3/issues/8487) - Implemented HGLM Gaussian as its own independent toolbox. + +#### Docs +- [[#16413]](https://github.com/h2oai/h2o-3/issues/16413) - Added the HGLM algorithm page and removed HGLM as a parameter. +- [[#16412]](https://github.com/h2oai/h2o-3/issues/16412) - Added `numpy` requirements to welcome page. +- [[#16384]](https://github.com/h2oai/h2o-3/issues/16384) - Fixed broken links throughout the user guide. +- [[#16338]](https://github.com/h2oai/h2o-3/issues/16338) - Clarified the `group_by` documentation by expanding the examples. +- [[#16208]](https://github.com/h2oai/h2o-3/issues/16208) - Added documentation on constrained GLM. +- [[#16182]](https://github.com/h2oai/h2o-3/issues/16182) - Updated the Welcome page to adhere to style guide requirements and broke it up into multiple smaller getting started pages. +- [[#15983]](https://github.com/h2oai/h2o-3/issues/15983) - Added examples to Python documentation for Rulefit. 
+ +#### Security +- [[#16425]](https://github.com/h2oai/h2o-3/issues/16425) - Addressed CVE-2024-8862 by adding JDBC parameter validation. +- [[#16416]](https://github.com/h2oai/h2o-3/issues/16416) - Addressed CVE-2024-47561 by upgrading avro:avro library from 1.11.3 to 1.11.4. +- [[#16391]](https://github.com/h2oai/h2o-3/issues/16391) - Addressed sonatype-2024-3350 by using compatible versions of Apache commons-collections packages. +- [[#16351]](https://github.com/h2oai/h2o-3/issues/16351) - Addressed CVE-2024-5979 which caused AstRunTool to crash H2O-3 if bad inputs were provided by not calling `System.exit` from `water.tools`. + ### 3.46.0.5 - 8/28/2024 Download at: http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/5/index.html diff --git a/SECURITY.md b/SECURITY.md index e07d658c25ca..e124b37bfd4b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,3 +4,22 @@ Please report (suspected) security vulnerabilities to support@h2o.ai. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days. + +## Known Vulnerabilities +We located these vulnerabilites from our security scans. The following list shows the vulnerabilities and the libraries they were found in: + +- CVE-2024-9143: `libcrypto3`, `libssl3` +- CVE-2021-22569: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)` +- CVE-2021-22570: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)` +- CVE-2022-3509: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)` +- CVE-2022-3510: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)` +- CVE-2024-7254: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)` +- CVE-2022-3171: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)` +- CVE-2024-23454: `org.apache.hadoop:hadoop-common (main-3.46.0.jar)`, `org.apache.hadoop:hadoop-common (main.jar)` +- CVE-2024-6763: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)` +- CVE-2024-8184: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)` +- CVE-2024-9823: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)` +- CVE-2024-23454: `org.apache.hadoop:hadoop-common (steam-3.46.0.jar)`, `org.apache.hadoop:hadoop-common (steam.jar)` +- CVE-2024-6763: `org.eclipse.jetty:jetty-http (steam-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (steam.jar)` +- CVE-2024-8184: `org.eclipse.jetty:jetty-http (steam-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (steam.jar)` +
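Review bot: in the Changes.md hunk, the #16351 entry under "Security" is ambiguous: "Addressed CVE-2024-5979 which caused AstRunTool to crash H2O-3 if bad inputs were provided by not calling `System.exit` from `water.tools`" reads as though the crash was caused by not calling `System.exit`. Suggest separating cause from fix, e.g. "Addressed CVE-2024-5979, where bad inputs to AstRunTool could crash H2O-3, by no longer calling `System.exit` from `water.tools`." In the same hunk, the #16361 "New Feature" entry describes `sys.ai.h2o.log.max.pid.length` as a "call"; given the `sys.ai.h2o.*` naming it looks like a JVM system property, so "with the `sys.ai.h2o.log.max.pid.length` system property" would be clearer to users deciding how to set it.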
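Review bot: in the SECURITY.md hunk, the new "Known Vulnerabilities" list states scanner findings but gives readers nothing to act on: there is no note on whether H2O-3 is actually affected by each item, what mitigation applies, or which release is expected to address it, and the intro sentence calls all of them "libraries" although `libcrypto3`/`libssl3` (CVE-2024-9143) are OS packages rather than Java dependencies, so it should say which artifact (e.g. the container image) that entry refers to. A short triage note per entry would turn this from a scan dump into a usable advisory. Also: "vulnerabilites" in the intro sentence is a typo; CVE-2024-23454, CVE-2024-6763 and CVE-2024-8184 each appear twice (once for the `main` jars, once for the `steam` jars), so one line per CVE listing all affected artifacts would be tidier; and the hunk ends with a stray empty `+` line at end of file.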