dependabot[bot] opened a new pull request, #25974: URL: https://github.com/apache/beam/pull/25974
Bumps [tensorflow](https://github.com/tensorflow/tensorflow) from 2.9.3 to 2.11.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tensorflow/tensorflow/releases";>tensorflow's releases</a>.</em></p> <blockquote> <h2>TensorFlow 2.11.1</h2> <h1>Release 2.11.1</h1> <p><strong>Note</strong>: TensorFlow 2.10 was the last TensorFlow release that supported GPU on native-Windows. Starting with TensorFlow 2.11, you will need to install TensorFlow in WSL2, or install tensorflow-cpu and, optionally, try the TensorFlow-DirectML-Plugin.</p> <ul> <li>Security vulnerability fixes will no longer be patched to this Tensorflow version. The latest Tensorflow version includes the security vulnerability fixes. You can update to the latest version (recommended) or patch security vulnerabilities yourself <a href="https://github.com/tensorflow/tensorflow#patching-guidelines";>steps</a>. You can refer to the <a href="https://github.com/tensorflow/tensorflow/releases";>release notes</a> of the latest Tensorflow version for a list of newly fixed vulnerabilities. If you have any questions, please create a GitHub issue to let us know.</li> </ul> <p>This release also introduces several vulnerability fixes:</p> <ul> <li>Fixes an FPE in TFLite in conv kernel <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27579";>CVE-2023-27579</a></li> <li>Fixes a double free in Fractional(Max/Avg)Pool <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25801";>CVE-2023-25801</a></li> <li>Fixes a null dereference on ParallelConcat with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25676";>CVE-2023-25676</a></li> <li>Fixes a segfault in Bincount with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25675";>CVE-2023-25675</a></li> <li>Fixes an NPE in RandomShuffle with XLA enable <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25674";>CVE-2023-25674</a></li> <li>Fixes an FPE in TensorListSplit with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25673";>CVE-2023-25673</a></li> <li>Fixes segmentation fault in tfg-translate <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25671";>CVE-2023-25671</a></li> <li>Fixes an NPE in QuantizedMatMulWithBiasAndDequantize <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25670";>CVE-2023-25670</a></li> <li>Fixes an FPE in AvgPoolGrad with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25669";>CVE-2023-25669</a></li> <li>Fixes a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25668";>CVE-2023-25668</a></li> <li>Fixes a segfault when opening multiframe gif <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25667";>CVE-2023-25667</a></li> <li>Fixes an NPE in SparseSparseMaximum <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25665";>CVE-2023-25665</a></li> <li>Fixes an FPE in AudioSpectrogram <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25666";>CVE-2023-25666</a></li> <li>Fixes a heap-buffer-overflow in AvgPoolGrad <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25664";>CVE-2023-25664</a></li> <li>Fixes a NPE in TensorArrayConcatV2 <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25663";>CVE-2023-25663</a></li> <li>Fixes a Integer overflow in EditDistance <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25662";>CVE-2023-25662</a></li> <li>Fixes a Seg fault in <code>tf.raw_ops.Print</code> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25660";>CVE-2023-25660</a></li> <li>Fixes a OOB read in DynamicStitch <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25659";>CVE-2023-25659</a></li> <li>Fixes a OOB Read in GRUBlockCellGrad <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25658";>CVE-2023-25658</a></li> </ul> <h2>TensorFlow 2.11.0</h2> <h1>Release 2.11.0</h1> <h2>Breaking Changes</h2> <ul> <li> <p>The <code>tf.keras.optimizers.Optimizer</code> base class now points to the new Keras optimizer, while the old optimizers have been moved to the <code>tf.keras.optimizers.legacy</code> namespace.</p> <p>If you find your workflow failing due to this change, you may be facing one of the following issues:</p> <ul> <li><strong>Checkpoint loading failure.</strong> The new optimizer handles optimizer state differently from the old optimizer, which simplifies the logic of checkpoint saving/loading, but at the cost of breaking checkpoint backward compatibility in some cases. If you want to keep using an old checkpoint, please change your optimizer to <code>tf.keras.optimizer.legacy.XXX</code> (e.g. <code>tf.keras.optimizer.legacy.Adam</code>).</li> <li><strong>TF1 compatibility.</strong> The new optimizer, <code>tf.keras.optimizers.Optimizer</code>, does not support TF1 any more, so please use the legacy optimizer <code>tf.keras.optimizer.legacy.XXX</code>. We highly recommend <a href="https://www.tensorflow.org/guide/migrate";>migrating your workflow to TF2</a> for stable support and new features.</li> <li><strong>Old optimizer API not found.</strong> The new optimizer, <code>tf.keras.optimizers.Optimizer</code>, has a different set of public APIs from the old optimizer. These API changes are mostly related to getting rid of slot variables and TF1 support. Please check the API documentation to find alternatives to the missing API. If you must call the deprecated API, please change your optimizer to the legacy optimizer.</li> <li><strong>Learning rate schedule access.</strong> When using a <code>tf.keras.optimizers.schedules.LearningRateSchedule</code>, the new optimizer's <code>learning_rate</code> property returns the current learning rate value instead of a <code>LearningRateSchedule</code> object as before. If you need to access the <code>LearningRateSchedule</code> object, please use <code>optimizer._learning_rate</code>.</li> <li><strong>If you implemented a custom optimizer based on the old optimizer.</strong> Please set your optimizer to subclass <code>tf.keras.optimizer.legacy.XXX</code>. If you want to migrate to the new optimizer and find it does not support your optimizer, please file an issue in the <a href="https://github.com/keras-team/keras/issues";>Keras GitHub repo</a>.</li> <li><strong>Errors, such as <code>Cannot recognize variable...</code>.</strong> The new optimizer requires all optimizer variables to be created at the first <code>apply_gradients()</code> or <code>minimize()</code> call. If your workflow calls the optimizer to update different parts of the model in multiple stages, please call <code>optimizer.build(model.trainable_variables)</code> before the training loop.</li> <li><strong>Timeout or performance loss.</strong> We don't anticipate this to happen, but if you see such issues, please use the legacy optimizer, and file an issue in the Keras GitHub repo.</li> </ul> <p>The old Keras optimizer will never be deleted, but will not see any new feature additions. New optimizers (for example, <code>tf.keras.optimizers.Adafactor</code>) will only be implemented based on the new <code>tf.keras.optimizers.Optimizer</code> base class.</p> </li> <li> <p><code>tensorflow/python/keras</code> code is a legacy copy of Keras since the TensorFlow v2.7 release, and will be deleted in the v2.12 release. Please remove any import of <code>tensorflow.python.keras</code> and use the public API with <code>from tensorflow import keras</code> or <code>import tensorflow as tf; tf.keras</code>.</p> </li> </ul> <h2>Major Features and Improvements</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tensorflow/tensorflow/blob/master/RELEASE.md";>tensorflow's changelog</a>.</em></p> <blockquote> <h1>Release 2.11.1</h1> <p><strong>Note</strong>: TensorFlow 2.10 was the last TensorFlow release that supported GPU on native-Windows. Starting with TensorFlow 2.11, you will need to install TensorFlow in WSL2, or install tensorflow-cpu and, optionally, try the TensorFlow-DirectML-Plugin.</p> <ul> <li>Security vulnerability fixes will no longer be patched to this Tensorflow version. The latest Tensorflow version includes the security vulnerability fixes. You can update to the latest version (recommended) or patch security vulnerabilities yourself <a href="https://github.com/tensorflow/tensorflow#patching-guidelines";>steps</a>. You can refer to the <a href="https://github.com/tensorflow/tensorflow/releases";>release notes</a> of the latest Tensorflow version for a list of newly fixed vulnerabilities. If you have any questions, please create a GitHub issue to let us know.</li> </ul> <p>This release also introduces several vulnerability fixes:</p> <ul> <li>Fixes an FPE in TFLite in conv kernel <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27579";>CVE-2023-27579</a></li> <li>Fixes a double free in Fractional(Max/Avg)Pool <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25801";>CVE-2023-25801</a></li> <li>Fixes a null dereference on ParallelConcat with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25676";>CVE-2023-25676</a></li> <li>Fixes a segfault in Bincount with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25675";>CVE-2023-25675</a></li> <li>Fixes an NPE in RandomShuffle with XLA enable <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25674";>CVE-2023-25674</a></li> <li>Fixes an FPE in TensorListSplit with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25673";>CVE-2023-25673</a></li> <li>Fixes segmentation fault in tfg-translate <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25671";>CVE-2023-25671</a></li> <li>Fixes an NPE in QuantizedMatMulWithBiasAndDequantize <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25670";>CVE-2023-25670</a></li> <li>Fixes an FPE in AvgPoolGrad with XLA <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25669";>CVE-2023-25669</a></li> <li>Fixes a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25668";>CVE-2023-25668</a></li> <li>Fixes a segfault when opening multiframe gif <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25667";>CVE-2023-25667</a></li> <li>Fixes an NPE in SparseSparseMaximum <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25665";>CVE-2023-25665</a></li> <li>Fixes an FPE in AudioSpectrogram <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25666";>CVE-2023-25666</a></li> <li>Fixes a heap-buffer-overflow in AvgPoolGrad <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25664";>CVE-2023-25664</a></li> <li>Fixes a NPE in TensorArrayConcatV2 <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25663";>CVE-2023-25663</a></li> <li>Fixes a Integer overflow in EditDistance <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25662";>CVE-2023-25662</a></li> <li>Fixes a Seg fault in <code>tf.raw_ops.Print</code> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25660";>CVE-2023-25660</a></li> <li>Fixes a OOB read in DynamicStitch <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25659";>CVE-2023-25659</a></li> <li>Fixes a OOB Read in GRUBlockCellGrad <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25658";>CVE-2023-25658</a></li> </ul> <h1>Release 2.11.0</h1> <h2>Breaking Changes</h2> <ul> <li> <p><code>tf.keras.optimizers.Optimizer</code> now points to the new Keras optimizer, and old optimizers have moved to the <code>tf.keras.optimizers.legacy</code> namespace. If you find your workflow failing due to this change, you may be facing one of the following issues:</p> <ul> <li><strong>Checkpoint loading failure.</strong> The new optimizer handles optimizer state differently from the old optimizer, which simplies the logic of checkpoint saving/loading, but at the cost of breaking checkpoint backward compatibility in some cases. If you want to keep using an old checkpoint, please change your optimizer to <code>tf.keras.optimizers.legacy.XXX</code> (e.g. <code>tf.keras.optimizers.legacy.Adam</code>).</li> <li><strong>TF1 compatibility.</strong> The new optimizer does not support TF1 any more, so please use the legacy optimizer <code>tf.keras.optimizer.legacy.XXX</code>. We highly recommend to migrate your workflow to TF2 for stable support and new features.</li> <li><strong>API not found.</strong> The new optimizer has a different set of public APIs from the old optimizer. These API changes are mostly related to getting rid of slot variables and TF1 support. Please check the API</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tensorflow/tensorflow/commit/a3e2c692c18649329c4210cf8df2487d2028e267";><code>a3e2c69</code></a> Merge pull request <a href="https://redirect.github.com/tensorflow/tensorflow/issues/60016";>#60016</a> from tensorflow/fix-relnotes</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/13b85dcf966d0c94b2e5c21291be039db2dec7b9";><code>13b85dc</code></a> Fix release notes</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/48b18dbf1301f24be9f2f41189d318ce5398540a";><code>48b18db</code></a> Merge pull request <a href="https://redirect.github.com/tensorflow/tensorflow/issues/60014";>#60014</a> from tensorflow/disable-test-that-ooms</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/eea48f50d6982879909bf8e0d0151bbce3f9bf4a";><code>eea48f5</code></a> Disable a test that results in OOM+segfault</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/a63258434247784605986cfc2b43cb3be846cf8a";><code>a632584</code></a> Merge pull request <a href="https://redirect.github.com/tensorflow/tensorflow/issues/60000";>#60000</a> from tensorflow/venkat-patch-3</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/93dea7a67df44bde557e580dfdcde5ba0a7a344d";><code>93dea7a</code></a> Update RELEASE.md</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/a2ba9f16f0154bf93f21132878b154238d89fad6";><code>a2ba9f1</code></a> Updating Release.md with Legal Language for Release Notes</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/fae41c76bdc760454b3e5c1d3af9b8d5a5c6c548";><code>fae41c7</code></a> Merge pull request <a href="https://redirect.github.com/tensorflow/tensorflow/issues/59998";>#59998</a> from tensorflow/fix-bad-cherrypick-again</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/2757416dcd4a2d00ea36512c2ffd347030c1196b";><code>2757416</code></a> Fix bad cherrypick</li> <li><a href="https://github.com/tensorflow/tensorflow/commit/c78616f4b00125c8a563e10ce6b76bea8070bdd0";><code>c78616f</code></a> Merge pull request <a href="https://redirect.github.com/tensorflow/tensorflow/issues/59992";>#59992</a> from tensorflow/fix-2.11-build</li> <li>Additional commits viewable in <a href="https://github.com/tensorflow/tensorflow/compare/v2.9.3...v2.11.1";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/beam/network/alerts). </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
