An update for python-scikit-learn is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1745 Final 1.0 1.0 2024-06-21 Initial 2024-06-21 2024-06-21 openEuler SA Tool V1.0 2024-06-21 python-scikit-learn security update An update for python-scikit-learn is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS. A Python module for machine learning built on top of SciPy Security Fix(es): A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.(CVE-2024-5206) An update for python-scikit-learn is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python-scikit-learn https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1745 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-5206 https://nvd.nist.gov/vuln/detail/CVE-2024-5206 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP3 openEuler-24.03-LTS python3-scikit-learn-0.20.4-5.oe2003sp4.aarch64.rpm python3-scikit-learn-1.1.1-2.oe2203sp1.aarch64.rpm python3-scikit-learn-1.1.1-2.oe2203sp3.aarch64.rpm python3-scikit-learn-1.4.0-2.oe2403.aarch64.rpm python-scikit-learn-0.20.4-5.oe2003sp4.src.rpm python-scikit-learn-1.1.1-2.oe2203sp1.src.rpm python-scikit-learn-1.1.1-2.oe2203sp3.src.rpm python-scikit-learn-1.4.0-2.oe2403.src.rpm python3-scikit-learn-0.20.4-5.oe2003sp4.x86_64.rpm python3-scikit-learn-1.1.1-2.oe2203sp1.x86_64.rpm python3-scikit-learn-1.1.1-2.oe2203sp3.x86_64.rpm python3-scikit-learn-1.4.0-2.oe2403.x86_64.rpm A sensitive data leakage vulnerability was identified in scikit-learn s TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer. 2024-06-21 CVE-2024-5206 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP3 openEuler-24.03-LTS Medium 5.3 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N python-scikit-learn security update 2024-06-21 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1745