diff --git a/doc/changes/changes_2.1.0.md b/doc/changes/changes_2.1.0.md index 93de0e17..0f6c6bc1 100644 --- a/doc/changes/changes_2.1.0.md +++ b/doc/changes/changes_2.1.0.md @@ -6,7 +6,16 @@ Code name: Exasol SaaS and Python 3.10 This release adds support for parameters for SaaS instances of Exasol database to the configuration page and fixes vulnerability `CVE-2024-23342` by updating dependencies. -Additionally the release updates the operating system from ubuntu 20.04 to 22.04 and Python version to 3.10 in the published images for Docker, AMI, and virtual machines. +This release also updates the operating system from ubuntu 20.04 to 22.04 and Python version to 3.10 in the published images for Docker, AMI, and virtual machines. + +Additionally, this release fixes the following vulnerabilities by updating dependencies: +* Vulnerability CVE-2024-23342 in transitive dependency via `localstack` to `ecdsa` vulnerably to Minerva timing attack on P-256 in `python-ecdsa`. +* Vulnerability CVE-2024-5206 in dependency `scikit-learn` versions below `1.5.0` caused by sensitive data leakage. + +The release ignores the following vulnerabilities +* Ignoring vulnerability CVE-2024-33663 in transitive dependency via `localstack` to `python-jose` `3.3.0` caused by algorithm confusion with OpenSSH ECDSA keys as there is no newer version of `python-jose` available and the dependency only affects tests. +* Ignoring vulnerability CVE-2024-35195 in dependency `requests` in versions below `2.32.0` caused by requests `Session` object not verifying requests after making first request with `verify=False` as `requests` in version `2.32.0` and higher are incompatible with docker-compose. +* Ignoring vulnerability CVE-2024-37891 in transitive dependency via `boto3` to `urllib3` in versions below `2.2.2` caused by proxy-authorization request header not to be stripped during cross-origin redirects as no update of notebook-connector is available, yet. ## AI-Lab-Release 
@@ -23,6 +32,7 @@ Version: 2.1.0 ## Security * #207: Fixed vulnerability CVE-2024-23342 by updating dependency ecdsa +* #298: Fixed vulnerabilities by updating dependencies ## Bug Fixes @@ -42,5 +52,18 @@ Version: 2.1.0 * #295: Made notebook-tests mandatory for merge * #193: Ignored warnings in notebook tests * #297: Reduced log level for transitive libraries in notebook tests -* #307: Made the notebook tests running in parallel; - moved common steps from test jobs to a composite action +* #307: Made the notebook tests running in parallel; moved common steps from test jobs to a composite action +* #308: Removed redundant dependencies from file `notebook_requirements.txt`. + +## Dependency Updates + +### Jupyter Environment Dependencies + +In File [notebook_requirements.txt](https://github.com/exasol/ai-lab/blob/main/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt): +* Removed dependency to `uncertainties` +* Updated `scikit-learn:1.0.2` to `1.5.1` +* Updated `matplotlib:3.7.4` to `3.9.2` +* Updated `jupysql:0.10.10` to `0.10.12` +* Relaxed `stopwatch.py:2.0.1` dependency to `2.*` to avoid inconsistencies with ITDE +* Replaced GitHub dependency to `exasol/notebook-connector:main` by pypi dependency `0.2.9` +* Updated `ipywidgets:8.1.1` to `8.1.3` diff --git a/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/jupyter_requirements.txt b/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/jupyter_requirements.txt index df24fc7b..015b370d 100644 --- a/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/jupyter_requirements.txt +++ b/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/jupyter_requirements.txt @@ -1,5 +1,2 @@ jupyterlab==4.1.1 -# enable interactive Javascript widgets in the notebooks -ipywidgets==8.1.1 pexpect==4.8.0 -pyexasol==0.16.1 
diff --git a/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt b/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt index d2cdebb9..3cadf2c8 100644 --- a/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt +++ b/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt @@ -1,10 +1,8 @@ -uncertainties==3.1.7 -scikit-learn==1.0.2 -matplotlib==3.7.4 -jupysql==0.10.10 -sqlalchemy_exasol==4.6.3 -stopwatch.py==2.0.1 -boto3==1.26.163 -exasol-notebook-connector @ git+https://github.com/exasol/notebook-connector.git@main +scikit-learn==1.5.1 # required for notebook sklearn +matplotlib==3.7.4 # required for notebook sklearn +jupysql==0.10.10 # required for multiple notebooks +stopwatch.py==2.* # also required by ITDE +exasol-notebook-connector==0.2.9 pickleshare==0.7.5 # See https://github.com/exasol/ai-lab/issues/291 for details. -ipyfilechooser==0.6.0 \ No newline at end of file +ipyfilechooser==0.6.0 # required for SLC notebooks +ipywidgets==8.1.1 # enable interactive Javascript widgets in the notebooks
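Review bot: In the `doc/changes/changes_2.1.0.md` hunk at `@@ -6,7 +6,16 @@`, the new text has two wording slips and one rationale gap. "to `ecdsa` vulnerably to Minerva timing attack" should read "vulnerable to", "The release ignores the following vulnerabilities" needs a trailing colon like the list above it, and "ubuntu" should be "Ubuntu". The opening sentence still says the release "fixes vulnerability `CVE-2024-23342` by updating dependencies" while the new bullet list restates the same CVE; drop it from the first sentence so the list is the single place that enumerates fixed CVEs. The ignore entry for CVE-2024-35195 (`requests` `Session` not re-verifying after a `verify=False` request) only gives "incompatible with docker-compose" as the reason; unlike the `python-jose` entry it does not say whether the affected code path is confined to tests, and unlike the `urllib3` entry it does not say the ignore is temporary. Suggest stating the scope and the condition under which the pin will be lifted, e.g. "... until the docker-compose dependency is updated to a version compatible with `requests >= 2.32.0`."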
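Review bot: In the `changes_2.1.0.md` hunk at `@@ -23,6 +32,7 @@`, the added Security entry `* #298: Fixed vulnerabilities by updating dependencies` is too vague for a security changelog: a reader scanning this section cannot tell which CVEs #298 closes. The release summary earlier in the same file names CVE-2024-5206 in `scikit-learn`, and #207 already covers CVE-2024-23342, so the entry should name the CVE and the dependency in the same form as the line above it, e.g. `* #298: Fixed vulnerability CVE-2024-5206 by updating dependency scikit-learn`.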
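Review bot: In the `changes_2.1.0.md` hunk at `@@ -42,5 +52,18 @@`, the Dependency Updates list disagrees with the `notebook_requirements.txt` change in this same patch. The changelog states `Updated matplotlib:3.7.4 to 3.9.2`, `Updated jupysql:0.10.10 to 0.10.12` and `Updated ipywidgets:8.1.1 to 8.1.3`, but the requirements file pins `matplotlib==3.7.4`, `jupysql==0.10.10` and `ipywidgets==8.1.1`. One side is wrong; whichever versions are intended should be applied to both before merge, since the changelog is what readers will use to judge which fixes the release actually contains. The list also names only `uncertainties` as removed, while the same patch drops `boto3==1.26.163` and `sqlalchemy_exasol==4.6.3` from `notebook_requirements.txt` and `pyexasol==0.16.1` from `jupyter_requirements.txt`; add those under #308 so the removal is documented. Minor: the #308 line ends with a period while no other entry in the section does.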
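Review bot: In the `jupyter_requirements.txt` hunk at `@@ -1,5 +1,2 @@`, the removal of `pyexasol==0.16.1` is not explained anywhere in the patch. If the package is now expected to arrive transitively (for example through `exasol-notebook-connector`, which is an assumption on my part), that should be stated, because an exact pin is being replaced by whatever version the transitive resolver picks and that changes the contents of the published Docker, AMI and VM images. The `ipywidgets==8.1.1` line is moved to `notebook_requirements.txt` unchanged, which does not match the "Updated `ipywidgets:8.1.1` to `8.1.3`" entry in the changelog; either bump the pin here or correct the changelog.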
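Review bot: In the `notebook_requirements.txt` hunk at `@@ -1,10 +1,8 @@`, `stopwatch.py==2.*` introduces a wildcard into a file whose other entries are exact pins, so every image build may resolve a different release of that package and the file no longer describes a reproducible set. If the relaxation is required for compatibility with ITDE, as the comment says, consider keeping the pin in a constraints or lock file that the image build applies, or at least record the resolved version in the build output so a rebuilt image can be compared to the released one. Separately, `boto3==1.26.163` and `sqlalchemy_exasol==4.6.3` are dropped here without a changelog entry, while the release summary still describes CVE-2024-37891 as reaching `urllib3` "via `boto3`"; state where `boto3` now enters the environment so the ignore rationale remains traceable. Keeping the trailing newline at the end of the file is a good fix.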