
https://github.com/tensorflow/tensorflow/releases/tag/v2.5.0 (Linked from Apple's article)

Wow, that list of CVEs is 110 lines.




And it was released almost a month ago with the CVEs saying "these fixes will be backported to previous branches that are still supported" but releases for those branches haven't happened yet, so if you're on an older version and just want to get the security fixes you have a problem.


The majority of these are "an attacker can craft a model that causes problems."

Are people actually using TensorFlow to run untrusted models?


Yes, e.g. ML developers and researchers test published or informally shared models.


Also, most ML apps don't treat model files with arbitrary-code-execution-level precautions.



