Bump min torch to 1.13.1 to mitigate CVE-2022-45907 unsafe usage of eval #8296
Thanks @jamesobutler for the contribution! The PR overall looks good to me. @ericspod and @Nic-Ma, do you have any concerns on this PR? For vulnerability reasons, we should indeed drop the pre-1.13.1 versions of PyTorch, but the PR will introduce some compatibility issues and remove support for earlier versions. If you guys have no problems, I'll help further refine this PR as well as the updated Blossom CI (GPU testing happens over there).
Thanks as well @jamesobutler. I think we should discuss internally what this implies because it's dropping support for a number of PyTorch versions. We should be refining what our policy is about when to drop versions; we do this for Python in that we drop non-supported versions, but there's no sunset period defined by PyTorch for theirs (as far as I know). Honestly we could probably drop all of PyTorch 1.* and very few users would be impacted. Let's keep working on this either way.
@ericspod Reviewing the PyTorch release history, the last time maintainers released a patch release out-of-order was when they released version 1.8.2 on August 17th 2021, which was after version 1.9.0, released June 15th 2021. This was part of the "PyTorch Enterprise Support Program". However, that program only lasted about 1.5 years, as on November 10th 2022 they ended it. See this blog post https://pytorch.org/blog/pytorch-enterprise-support-update/. So PyTorch versions become unmaintained whenever a new major/minor release version comes out. They do not have LTS support or issue patch releases for multiple minor versions.
I issued this PR to bump the torch version to mitigate "Critical" scored vulnerability issues and see how the https://security.snyk.io/package/pip/torch Other unrelated considerations to keep in mind if bumping minimum torch version beyond
Hi @aylward, during our development meeting, we discussed the PR to bump the minimum Torch version to 1.13.1 in order to mitigate the critical vulnerabilities identified in PyTorch. We are all in agreement regarding this change, but we would still like to hear your thoughts on the matter. Thank you!
@KumoLiu Any updates on this PR to help proceed with the integration?
Definitely ok to bump! That version was released in Dec, 2022, and fixed vulnerabilities as you noted.
/build
@KumoLiu Why is blossom-ci showing as failed? Is it because certain steps were skipped in https://github.com/Project-MONAI/MONAI/actions/runs/13111088891? Was the authorization step skipped because this branch is in my fork?
Hi @jamesobutler, no, it's not related. The issue is due to the mismatched CUDA version.
Hi @jamesobutler, thanks for the contribution again. We are still looking into this and want to develop a formal policy for dependency support. In the meantime we've done a major refactor of tests which is now causing conflicts with this PR. If you could please sort the conflicts out (I can't through GitHub), we can try the tests again as @KumoLiu mentioned and go from there.
See GHSA-47fc-vmwq-366v for more details.
- https://nvd.nist.gov/vuln/detail/CVE-2022-45907
- https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-3149871

Signed-off-by: James Butler <[email protected]>
@ericspod I've rebased this branch to put on top of latest While fixing merge conflicts I observed that you @ericspod added an upper limit to PyTorch in the requirements.txt in 8dcb9dc, but did not do so in the Line 45 in af9e8f9
Good catch on that, thanks. The limit is temporary and should go away soon once we figure out a few issues with 2.6 compatibility. If you wanted to add the constraint to this PR, we can merge this first and then move on to improving compatibility.
Since you have said it is temporary, I'll hold off on making any upper pin changes. Just something I saw while updating the min torch version in the same code line.
@KumoLiu Are you able to trigger the blossom-ci?
/build |
Thanks for the PR!
…able numpy 2 compatibility (#8368)

This is a follow-up to the comments made in #8296 (comment).

### Description

This bumps the minimum required `torch` version from 1.13.1 to 2.2.0 in the first commit. See GHSA-5pcm-hx3q-hm94 and GHSA-pg7h-5qx3-wjr3 for more details regarding the "High" severity scoring.

- https://nvd.nist.gov/vuln/detail/CVE-2024-31580
- https://nvd.nist.gov/vuln/detail/CVE-2024-31583

Additionally, PyTorch added support for numpy 2 starting with PyTorch 2.3.0. The second commit in this PR allows for numpy 1 or numpy 2 to be used with torch>=2.3.0. I have included this commit in this PR as upgrading to torch 2.2 means you might as well update to 2.3 to get the numpy 2 compatibility. A special case is being handled on Windows as PyTorch Windows binaries had compatibility issues with numpy 2 that were fixed in torch 2.4.1 (see pytorch/pytorch#131668 (comment)).

Maintainers will need to update the required status checks for the [`dev`](https://github.com/Project-MONAI/MONAI/tree/dev) branch to:

- Remove min-dep-pytorch (2.0.1)

### Types of changes

- [X] Breaking change (fix or new feature that would cause existing functionality to change).
- [ ] Integration tests passed locally by running `./runtests.sh -f -u --net --coverage`.
- [ ] Quick tests passed locally by running `./runtests.sh --quick --unittests --disttests`.

---------

Signed-off-by: James Butler <[email protected]>
…val (Project-MONAI#8296)

### Description

This bumps the minimum required `torch` version from 1.9.0 to 1.13.1. See GHSA-47fc-vmwq-366v for more details such as the highest severity scoring of "Critical".

- https://nvd.nist.gov/vuln/detail/CVE-2022-45907
- https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-3149871

Maintainers will need to update the required status checks for the [`dev`](https://github.com/Project-MONAI/MONAI/tree/dev) branch to:

- Remove min-dep-pytorch (1.10.2)
- Remove min-dep-pytorch (1.11.0)
- Remove min-dep-pytorch (1.12.1)
- Remove min-dep-pytorch (1.13)
- Add min-dep-pytorch (1.13.1)

cc: @KumoLiu

### Types of changes

- [x] Breaking change (fix or new feature that would cause existing functionality to change). (drop of older `torch` versions)
- [ ] Integration tests passed locally by running `./runtests.sh -f -u --net --coverage`.
- [ ] Quick tests passed locally by running `./runtests.sh --quick --unittests --disttests`.

---------

Signed-off-by: James Butler <[email protected]>
Signed-off-by: YunLiu <[email protected]>
Co-authored-by: YunLiu <[email protected]>
Signed-off-by: Can-Zhao <[email protected]>
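As an added example (not code from this PR or the MONAI code base), a small Python check that encodes the minimum-version rules stated in this thread: the torch fix versions for the advisories it cites (1.13.1 for CVE-2022-45907; 2.2.0 for CVE-2024-31580 and CVE-2024-31583 from the follow-up #8368) and the numpy 2 boundary from #8368 (torch>=2.3.0, or >=2.4.1 on Windows). The advisory table, the function names and the handling of `+cuXXX` local labels and pre-release suffixes are my assumptions; no numpy lower bound is emitted because the thread states none.

```python
import platform
import re
from typing import List, Optional, Tuple

# Torch versions that fix the advisories cited in the PR thread (GHSA-47fc-vmwq-366v,
# GHSA-5pcm-hx3q-hm94, GHSA-pg7h-5qx3-wjr3). The table is an assumption built from the
# thread's statements, not data shipped by MONAI or PyTorch.
TORCH_ADVISORIES = {
    "CVE-2022-45907": "1.13.1",  # unsafe usage of eval, fixed in torch 1.13.1
    "CVE-2024-31580": "2.2.0",   # "High" severity, fixed in torch 2.2.0
    "CVE-2024-31583": "2.2.0",   # "High" severity, fixed in torch 2.2.0
}

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Map 'X.Y[.Z][pre][+local]' to a comparable tuple.

    Local labels such as '+cu117' are ignored; a pre-release suffix ('rc1', 'a0',
    '.dev3') yields -1 in the last slot so it sorts before the final release.
    """
    core = text.split("+", 1)[0]
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    is_prerelease = core[m.end():] != ""
    return (major, minor, patch, -1 if is_prerelease else 0)


def unpatched_advisories(torch_version: str) -> List[str]:
    """Advisory ids whose fix version is newer than the installed torch."""
    installed = parse_version(torch_version)
    return sorted(cve for cve, fixed in TORCH_ADVISORIES.items()
                  if installed < parse_version(fixed))


def numpy_spec(torch_version: str, system: Optional[str] = None) -> str:
    """Requirement specifier for numpy implied by #8368: numpy 2 needs
    torch>=2.3.0, or torch>=2.4.1 on Windows. No lower bound is added."""
    system = platform.system() if system is None else system
    needed = "2.4.1" if system == "Windows" else "2.3.0"
    return "numpy" if parse_version(torch_version) >= parse_version(needed) else "numpy<2"


if __name__ == "__main__":
    for v in ("1.12.1+cu116", "1.13.1", "2.2.0rc1", "2.4.1"):
        print(v, unpatched_advisories(v), numpy_spec(v, "Linux"), numpy_spec(v, "Windows"))
```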