Your message dated Sun, 12 Oct 2025 21:47:00 +0000
with message-id <[email protected]>
and subject line Bug#1074234: fixed in scikit-learn 1.7.2+dfsg-1
has caused the Debian Bug report #1074234,
regarding scikit-learn: CVE-2024-5206
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1074234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: scikit-learn
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for scikit-learn.
CVE-2024-5206[0]:
| A sensitive data leakage vulnerability was identified in scikit-
| learn's TfidfVectorizer, specifically in versions up to and
| including 1.4.1.post1, which was fixed in version 1.5.0. The
| vulnerability arises from the unexpected storage of all tokens
| present in the training data within the `stop_words_` attribute,
| rather than only storing the subset of tokens required for the TF-
| IDF technique to function. This behavior leads to the potential
| leakage of sensitive information, as the `stop_words_` attribute
| could contain tokens that were meant to be discarded and not stored,
| such as passwords or keys. The impact of this vulnerability varies
| based on the nature of the data being processed by the vectorizer.
https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8
(1.5.0rc1)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-5206
https://www.cve.org/CVERecord?id=CVE-2024-5206
Please adjust the affected versions in the BTS as needed.
--- End Message ---
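As an added illustration (not part of the bug report or of scikit-learn's own code), here is a simplified Python model of the document-frequency pruning the CVE text describes, with an audit helper for checking a fitted vectorizer's `stop_words_` before the model is persisted or shared. The corpus, the secret token and the function names are constructed assumptions; the point it shows is that a one-off secret is exactly the kind of rare token `min_df` prunes and, in the behaviour described above, retains.

```python
import re
from collections import Counter

# Constructed training corpus: one document carries a one-off secret token.
DOCS = [
    "reset your password via the account page",
    "the account page shows your billing history",
    "temporary password hunter2xyz for the account",
    "billing history for the account is updated daily",
]
SENSITIVE = {"hunter2xyz"}  # constructed: tokens that must never be persisted


def tokenize(text):
    # Same shape as the default word pattern: two or more word characters.
    return re.findall(r"\b\w\w+\b", text.lower())


def document_frequency(docs):
    # Count in how many documents each token occurs (not raw occurrences).
    df = Counter()
    for doc in docs:
        df.update(set(tokenize(doc)))
    return df


def fit_vocabulary(docs, min_df=2, max_df=1.0, retain_pruned=True):
    """Simplified model of vocabulary pruning by document frequency.

    retain_pruned=True mirrors the behaviour the CVE describes: every pruned
    token, including a secret seen in a single document, lands in stop_words_.
    retain_pruned=False models the safe behaviour: the attribute stays empty.
    max_df follows the usual convention: int = absolute count, float = share.
    """
    df = document_frequency(docs)
    n = len(docs)
    max_count = max_df if isinstance(max_df, int) else int(max_df * n)
    vocabulary = {t for t, c in df.items() if min_df <= c <= max_count}
    pruned = set(df) - vocabulary
    stop_words_ = pruned if retain_pruned else set()
    return vocabulary, stop_words_


def leaked_tokens(stop_words_, sensitive):
    """Audit check for a fitted vectorizer: sensitive tokens still stored."""
    return sorted(set(stop_words_) & set(sensitive))
```

Against a real fitted `TfidfVectorizer`, the same audit is `leaked_tokens(vec.stop_words_, sensitive)`; a non-empty result means the object must not be pickled or shipped as is.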
--- Begin Message ---
Source: scikit-learn
Source-Version: 1.7.2+dfsg-1
Done: Timo Röhling <[email protected]>
We believe that the bug you reported is fixed in the latest version of
scikit-learn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Röhling <[email protected]> (supplier of updated scikit-learn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 12 Oct 2025 23:07:39 +0200
Source: scikit-learn
Architecture: source
Version: 1.7.2+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Science Maintainers <[email protected]>
Changed-By: Timo Röhling <[email protected]>
Closes: 1074234 1088346 1088593 1109955
Changes:
scikit-learn (1.7.2+dfsg-1) experimental; urgency=medium
.
* Team upload.
* Migrate debian/watch to version 5 format
* New upstream version 1.7.2+dfsg
- Fix FTBFS with SciPy 1.16 (Closes: #1109955)
- Fix CVE-2024-5206: Potential data leakage from TF-IDF vectorizer
(Closes: #1074234)
* Update Debian patches
* Update d/copyright
* Wrap and sort Debian package files
* Update build dependencies
- Stop using twitter-bootstrap (Closes: #1088346, #1088593)
* Clean up d/rules
* Migrate to autopkgtest-pkg-pybuild
--- End Message ---
--
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers