MGASA-2024-0228 - Updated python-scikit-learn packages fix security vulnerability

Publication date: 20 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0228.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-5206

A sensitive data leakage vulnerability was identified in scikit-learn's
TfidfVectorizer, specifically in versions up to and including
1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises
from the unexpected storage of all tokens present in the training data
within the `stop_words_` attribute, rather than only storing the subset
of tokens required for the TF-IDF technique to function. This behavior
leads to the potential leakage of sensitive information, as the
`stop_words_` attribute could contain tokens that were meant to be
discarded and not stored, such as passwords or keys. The impact of this
vulnerability varies based on the nature of the data being processed by
the vectorizer.

References:
- https://bugs.mageia.org/show_bug.cgi?id=33307
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RRNRD64XAZJHFLB6MHKCGUBBVTIA3E7V/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5206

SRPMS:
- 9/core/python-scikit-learn-1.1.2-2.1.mga9

Mageia 2024-0228: python-scikit-learn Security Advisory Updates

A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0

Summary

A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.

References

- https://bugs.mageia.org/show_bug.cgi?id=33307

- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RRNRD64XAZJHFLB6MHKCGUBBVTIA3E7V/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5206

Resolution

MGASA-2024-0228 - Updated python-scikit-learn packages fix security vulnerability

SRPMS

- 9/core/python-scikit-learn-1.1.2-2.1.mga9

Severity
Publication date: 20 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0228.html
Type: security
CVE: CVE-2024-5206

Related News

34.Key AbstractDigital Esm H170
2 - 4 min read
Security threats continue developing rapidly, with attackers finding new vulnerabilities daily. Recent findings from researchers at Uptycs indicate
32.Lock Code Circular Esm H170
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its
1.Penguin Landscape Esm H170
2 - 3 min read
On Independence Day, there is a deep recognition of digital autonomy amidst the colorful fireworks displays and patriotic revelry. At LinuxSecurity,
20.Lock AbstractDigital Circular Esm H170
2 - 3 min read
Google has released fixes for a high-severity Chromium security flaw ( CVE-2024-5274 ) impacting its widely used Chrome browser and other
11.Locks IsometricPattern Esm H170
2 - 4 min read
Linux Mint is a user-friendly GNU/Linux desktop distribution built upon Ubuntu and Debian for maximum reliability while offering an aesthetically
32.Lock Code Circular Esm H170
2 - 4 min read
In an era where cybersecurity threats loom larger than ever, the discovery of a Remote Code Execution (RCE) vulnerability in OpenSSH by Qualys’
27.Tablet Connections Blocks Lock Esm H170
2 - 4 min read
Debian recently unveiled a significant update to its stable distribution, Debian 12.6 (codename "bookworm"). While not an entirely new release, this
8.Locks HexConnections CodeGlobe Esm H170
2 - 4 min read
Canonical has made headlines with its groundbreaking long-term support (LTS) service offering to extend far beyond Ubuntu deb packages, promising 12

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved