From 6a8f800b8aaf97a506dd9f3118ec0289bceda3bb Mon Sep 17 00:00:00 2001
From: Hannah <52463461+hannah-tillman@users.noreply.github.com>
Date: Thu, 31 Oct 2024 11:41:45 -0500
Subject: [PATCH] GH-16442: 3.46.0.6 Release Notes [nocheck] (#16443)
* ht/initial draft (18)
- excludes 16440 & 16357
* ht/added security vulnerabilities
* ht/5310 > 3510 fix
---
Changes.md | 32 ++++++++++++++++++++++++++++++++
SECURITY.md | 19 +++++++++++++++++++
2 files changed, 51 insertions(+)
diff --git a/Changes.md b/Changes.md
index 333619f7f537..434b99a5495b 100644
--- a/Changes.md
+++ b/Changes.md
@@ -2,6 +2,38 @@
## H2O
+### 3.46.0.6 - 11/1/2024
+
+Download at: http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/6/index.html
+
+#### Bug
+- [[#16397]](https://github.com/h2oai/h2o-3/issues/16397) - Removed Sun license from the jps jar.
+- [[#16382]](https://github.com/h2oai/h2o-3/issues/16382) - Fixed issues with constrained GLM.
+- [[#16360]](https://github.com/h2oai/h2o-3/issues/16360) - Fixed H2O-3 R package for Windows not allowing the opening of one file by multiple processes.
+- [[#16333]](https://github.com/h2oai/h2o-3/issues/16333) - Fixed pyplot warning from `learning_curve_plot` call.
+
+#### Improvement
+- [[#15180]](https://github.com/h2oai/h2o-3/issues/15180) - Enabled users to adjust parquet imported timezone.
+
+#### New Feature
+- [[#16361]](https://github.com/h2oai/h2o-3/issues/16361) - Enabled ability to display full PIDs in logs with `sys.ai.h2o.log.max.pid.length` call.
+- [[#8487]](https://github.com/h2oai/h2o-3/issues/8487) - Implemented HGLM Gaussian as its own independent toolbox.
+
+#### Docs
+- [[#16413]](https://github.com/h2oai/h2o-3/issues/16413) - Added the HGLM algorithm page and removed HGLM as a parameter.
+- [[#16412]](https://github.com/h2oai/h2o-3/issues/16412) - Added `numpy` requirements to welcome page.
+- [[#16384]](https://github.com/h2oai/h2o-3/issues/16384) - Fixed broken links throughout the user guide.
+- [[#16338]](https://github.com/h2oai/h2o-3/issues/16338) - Clarified the `group_by` documentation by expanding the examples.
+- [[#16208]](https://github.com/h2oai/h2o-3/issues/16208) - Added documentation on constrained GLM.
+- [[#16182]](https://github.com/h2oai/h2o-3/issues/16182) - Updated the Welcome page to adhere to style guide requirements and broke it up into multiple smaller getting started pages.
+- [[#15983]](https://github.com/h2oai/h2o-3/issues/15983) - Added examples to Python documentation for Rulefit.
+
+#### Security
+- [[#16425]](https://github.com/h2oai/h2o-3/issues/16425) - Addressed CVE-2024-8862 by adding JDBC parameter validation.
+- [[#16416]](https://github.com/h2oai/h2o-3/issues/16416) - Addressed CVE-2024-47561 by upgrading avro:avro library from 1.11.3 to 1.11.4.
+- [[#16391]](https://github.com/h2oai/h2o-3/issues/16391) - Addressed sonatype-2024-3350 by using compatible versions of Apache commons-collections packages.
+- [[#16351]](https://github.com/h2oai/h2o-3/issues/16351) - Addressed CVE-2024-5979 which caused AstRunTool to crash H2O-3 if bad inputs were provided by not calling `System.exit` from `water.tools`.
+
### 3.46.0.5 - 8/28/2024
Download at: http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/5/index.html
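Review bot: The #16351 entry under "#### Security" reads as if not calling `System.exit` were the cause of the crash rather than the fix; the sentence also lists the CVE, the cause and the remedy in one clause. Suggest splitting it, e.g. "Addressed CVE-2024-5979: AstRunTool could crash H2O-3 when given bad inputs; `water.tools` no longer calls `System.exit`." Separately, the #16361 entry describes `sys.ai.h2o.log.max.pid.length` as a "call", but the `sys.ai.h2o.*` naming matches the other H2O system properties, so "system property" would be the more accurate term if that is what it is.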
diff --git a/SECURITY.md b/SECURITY.md
index e07d658c25ca..e124b37bfd4b 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,3 +4,22 @@
Please report (suspected) security vulnerabilities to support@h2o.ai. You will receive a response from us within 48 hours.
If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
+
+## Known Vulnerabilities
+We located these vulnerabilites from our security scans. The following list shows the vulnerabilities and the libraries they were found in:
+
+- CVE-2024-9143: `libcrypto3`, `libssl3`
+- CVE-2021-22569: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
+- CVE-2021-22570: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
+- CVE-2022-3509: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
+- CVE-2022-3510: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
+- CVE-2024-7254: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
+- CVE-2022-3171: `com.google.protobuf:protobuf-java (main-3.46.0.jar)`, `com.google.protobuf:protobuf-java (main.jar)`
+- CVE-2024-23454: `org.apache.hadoop:hadoop-common (main-3.46.0.jar)`, `org.apache.hadoop:hadoop-common (main.jar)`
+- CVE-2024-6763: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)`
+- CVE-2024-8184: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)`
+- CVE-2024-9823: `org.eclipse.jetty:jetty-http (main-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (main.jar)`
+- CVE-2024-23454: `org.apache.hadoop:hadoop-common (steam-3.46.0.jar)`, `org.apache.hadoop:hadoop-common (steam.jar)`
+- CVE-2024-6763: `org.eclipse.jetty:jetty-http (steam-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (steam.jar)`
+- CVE-2024-8184: `org.eclipse.jetty:jetty-http (steam-3.46.0.jar)`, `org.eclipse.jetty:jetty-http (steam.jar)`
+
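Review bot: The new "Known Vulnerabilities" section states which libraries the scanner flagged but not the status of each finding (unfixed, mitigated, not reachable, fix pending), the affected library versions, or the date of the scan, so a reader cannot tell whether any of these are still open in 3.46.0.6 or what to do about them; adding a status column or a short sentence per entry, and a "last scanned" date, would make the list actionable. Three CVEs (CVE-2024-23454, CVE-2024-6763, CVE-2024-8184) appear twice because the `main` and `steam` jars are listed as separate bullets; merging each CVE into one bullet that names both jars would remove the duplication. Also "vulnerabilites" in the intro sentence should be "vulnerabilities", and the hunk ends with a trailing empty line at EOF that can be dropped.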