Vulnerabilities with H2O v3.40 #16357
Comments
CVE-2023-6016 - Fixed. We are in communication with the reporter. #16341
It does not make sense. We are fixing the vulnerabilities with each release. Newer release -> fewer known vulnerabilities.
@valenad1 The customer mentioned that, when they are asked to upgrade the version, upgrading to a new version requires onboarding all the users to the newer version of the notebook using the configuration of the older version v3.40. Will this happen if they upgrade to a newer version?
You mean the clients? That is true, you have to have clients on the same version as the h2o backend. Otherwise you have to set strict_version_check to False.
Reopening; we will fix 3.40.0.1 and provide a custom build to the customer.
H2O version, Operating System and Environment
H2O-3.40
Actual behavior
Our security team has identified the following four CVEs with the current version of H2O SparklingWater (3.40.x) notebooks.
CVE-2023-6016
CVE-2023-35116
CVE-2023-6038
CVE-2023-6569
Expected behavior
The customer is concerned about the above CVEs and is not willing to upgrade/change to a new version.