CVE-2021-37661 - log back

CVE-2021-37661 created at 13 Aug 2021 07:57:59
Severity
+ High
Remote
+ Local
Type
+ Denial of service
Description
+ In TensorFlow before version 2.6.0 an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative numbers. In turn, this results in using this value to allocate memory. However, reserve receives an unsigned integer so there is an implicit conversion from a negative value to a large positive unsigned. This results in a crash from the standard library.
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gf88-j2mg-cc82
+ https://github.com/tensorflow/tensorflow/commit/8a84f7a2b5a2b27ecf88d25bad9ac777cd2f7992
Notes