Hello,
I’m using TF 2.7.2 and was wondering if the recently published CVEs (CVE-2022-36001) are fixed in 2.7.2? As far as I understood they are fixed first in 2.7.4. The github security entry is not complety obvious to me: Segfault in `QuantizedInstanceNorm` · Advisory · tensorflow/tensorflow · GitHub
It says patched versions are: 2.7.2, 2.8.1, 2.9.1, 2.10.0. While 2.10.0 is patched and doesn’t contain the vulnerability, the other versions are not patched when looking at the code on github corresponding to the tags. Also the release notes only mention the CVE in 2.7.4, 2.8.3 and 2.9.2
Other projects like nodeBB only mention the fixed release version under “Patched versions” which makes a clear split between affected and unaffected versions (e.g. Account takeover via cryptographically weak PRNG in `utils.generateUUID` · Advisory · NodeBB/NodeBB · GitHub).
So is there a release of 2.7.2 with the cherry-picked fix or are the secure releases only: >= 2.7.4, < 2.8 | >= 2.8.3, < 2.9 | >= 2.9.2 ?
