Versioning of CVE patches


I’m using TF 2.7.2 and was wondering if the recently published CVEs (CVE-2022-36001) are fixed in 2.7.2? As far as I understood they are fixed first in 2.7.4. The GitHub security entry is not completely obvious to me: Segfault in `QuantizedInstanceNorm` · Advisory · tensorflow/tensorflow · GitHub
It says patched versions are: 2.7.2, 2.8.1, 2.9.1, 2.10.0. While 2.10.0 is patched and doesn’t contain the vulnerability, the other versions are not patched when looking at the code on GitHub corresponding to the tags. Also, the release notes only mention the CVE in 2.7.4, 2.8.3 and 2.9.2.

Other projects like nodeBB only mention the fixed release version under “Patched versions” which makes a clear split between affected and unaffected versions (e.g. Account takeover via cryptographically weak PRNG in `utils.generateUUID` · Advisory · NodeBB/NodeBB · GitHub).

So is there a release of 2.7.2 with the cherry-picked fix or are the secure releases only: >= 2.7.4, < 2.8 | >= 2.8.3, < 2.9 | >= 2.9.2 ?
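As an added example (not part of this thread or of the TensorFlow project), here is a small check that turns the "first fixed" versions the question derives from the release notes (2.7.4, 2.8.3, 2.9.2, 2.10.0) into per-branch patched ranges and tests an installed version against them. The function names and the rule that a branch newer than every listed one counts as fixed are assumptions of the example, as is treating an older branch with no listed backport as unpatched.

```python
# Added example, not code from the forum thread or from TensorFlow.
# Decide whether an installed TensorFlow version lies inside the patched
# ranges for CVE-2022-36001, given the first fixed release on each branch
# as listed in the release notes quoted in the question.
from typing import Dict, Iterable, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '2.7.2' into (2, 7, 2); a pre-release suffix such as 'rc0' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def first_fixed_by_branch(first_fixed: Iterable[str]) -> Dict[Tuple[int, int], Version]:
    """Map each major.minor release branch to the earliest release carrying the fix."""
    table: Dict[Tuple[int, int], Version] = {}
    for v in first_fixed:
        parsed = parse_version(v)
        branch = parsed[:2]
        if branch not in table or parsed < table[branch]:
            table[branch] = parsed
    return table

def is_patched(installed: str, first_fixed: Iterable[str]) -> bool:
    """True when `installed` is at or above the first fixed release of its branch.

    Assumption of this example: a branch newer than every listed one is taken
    to contain the fix; an older branch with no listed backport is unpatched.
    """
    v = parse_version(installed)
    table = first_fixed_by_branch(first_fixed)
    branch = v[:2]
    if branch in table:
        return v >= table[branch]
    return branch > max(table)

# First fixed releases per branch, taken from the release notes cited above.
CVE_2022_36001_FIRST_FIXED = ["2.7.4", "2.8.3", "2.9.2", "2.10.0"]

if __name__ == "__main__":
    for candidate in ["2.7.2", "2.7.4", "2.8.1", "2.9.2", "2.10.0", "2.11.0"]:
        state = "patched" if is_patched(candidate, CVE_2022_36001_FIRST_FIXED) else "NOT patched"
        print(f"TF {candidate}: {state}")
```

Running it shows 2.7.2, the version in the question, as not patched, while 2.7.4 and everything at or above the listed release on each later branch is.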

Thank you for reporting the issue. Usually any patch fix is done and included in the latest version of that release branch. So, during the 2.10.0 release, 2.7.4 was the latest release version for 2.7, and we cannot patch it to the previous version.

We will fix this documentation issue.

The issue was fixed. Please refer to the snapshot below.

Thank you!