onnx - Debian Package Tracker

general

source: onnx (main)
version: 1.20.0-5
maintainer: Debian Deep Learning Team (archive) (DMD)
uploaders: Mo Zhou [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.7.0+dfsg-3
oldstable: 1.12.0-2
stable: 1.17.0-3
testing: 1.20.0-4
unstable: 1.20.0-5

versioned links

1.7.0+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.12.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.17.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.20.0-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.20.0-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libonnx-dev
libonnx-testdata
libonnx1l
python3-onnx

action needed

A new upstream version is available: 1.21.0 high

A new upstream version 1.21.0 is available, you should consider packaging it.

Created: 2025-11-26 Last update: 2026-06-13 02:00

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2026-27489: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.
CVE-2026-28500: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

Created: 2026-03-18 Last update: 2026-06-12 12:00

5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:

CVE-2026-27489: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.
CVE-2026-28500: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

Created: 2026-03-18 Last update: 2026-06-12 12:00

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-12 Last update: 2026-06-12 14:30

6 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit f2424a51b360e62b8a1dca86ed227df439a8f2e9
Author: Alexandre Detiste <tchet@debian.org>
Date:   Fri Jun 12 08:20:45 2026 +0200

    release

commit 3dd3a4b09bf99fb38fece96402c22a98c54eff0e
Author: Alexandre Detiste <tchet@debian.org>
Date:   Fri Jun 12 08:08:11 2026 +0200

    add debian/upstream/metadata

commit 42a6f8be2df9d87c715cff22952dc6b288a60f86
Author: Alexandre Detiste <tchet@debian.org>
Date:   Fri Jun 12 07:07:32 2026 +0100

    Update standards version to 4.7.4, no changes needed.
    
    Upgrade checklist verified:
     4.7.3 → 4.7.4:
      * Package is not in non-free-firmware
    
    Changes-By: lintian-brush
    Fixes: lintian: source: out-of-date-standards-version 4.7.3 (released 2025-12-23) (current is 4.7.4.1)
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

commit 85ba4ece1774eeba44ac766d0438f14fcae974d1
Author: Alexandre Detiste <tchet@debian.org>
Date:   Fri Jun 12 08:07:17 2026 +0200

    use dh-sequence-python3

commit 53c00799bef1a497f6e8c9e5ca91df09b0018b00
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Wed Jun 10 00:09:49 2026 +0200

    mark python3-pytest-runner build-dep as <!nocheck>

commit 51997ac1e997cbf9e70af32164937469f5097b5d
Author: Dylan Aïssi <dylan.aissi@collabora.com>
Date:   Sun Jan 18 21:36:06 2026 +0100

    Add new autopkgtest creating a dummy neural network with pytorch
    
    This is the first step of onnxruntime autopkgtests which is currently
    failing.
    
    Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>

Created: 2026-03-18 Last update: 2026-06-12 09:00

debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 1.20.0-5 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-12 15:48

5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:

CVE-2026-27489: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.
CVE-2026-28500: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVE-2026-34445: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-03-18 Last update: 2026-06-12 12:00

6 low-priority security issues in bookworm low

There are 6 open security issues in bookworm.

6 issues left for the package maintainer to handle:

CVE-2024-7776: (needs triaging) A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.
CVE-2026-27489: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.
CVE-2026-28500: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVE-2026-34445: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-06-07 Last update: 2026-06-12 12:00

testing migrations

This package will soon be part of the auto-protobuf transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for onnx (1.20.0-4 to 1.20.0-5): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 1 of 2 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/o/onnx.html
- ∙ ∙ Autopkgtest for onnx/1.20.0-5: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- Not considered

news

[rss feed]

[2026-06-12] Accepted onnx 1.20.0-5 (source) into unstable (Alexandre Detiste)
[2026-03-18] onnx 1.20.0-4 MIGRATED to testing (Debian testing watch)
[2026-03-15] Accepted onnx 1.20.0-4 (source) into unstable (Dylan Aïssi)
[2026-03-11] Accepted onnx 1.20.0-3 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Dylan Aïssi)
[2026-01-12] Accepted onnx 1.20.0-1 (source) into unstable (Shengqi Chen)
[2026-01-09] Accepted onnx 1.20.0-1~exp1 (source) into experimental (Shengqi Chen)
[2025-10-23] Accepted onnx 1.19.1-1~exp1 (source) into experimental (Shengqi Chen)
[2025-02-02] onnx 1.17.0-3 MIGRATED to testing (Debian testing watch)
[2025-01-30] Accepted onnx 1.17.0-3 (source) into unstable (Mo Zhou)
[2025-01-23] Accepted onnx 1.17.0-2 (source) into unstable (Mo Zhou)
[2025-01-20] Accepted onnx 1.17.0-1 (source) into experimental (Mo Zhou)
[2024-10-18] onnx 1.16.2-1 MIGRATED to testing (Debian testing watch)
[2024-09-27] Accepted onnx 1.16.2-1 (source) into unstable (Mo Zhou)
[2024-07-14] Accepted onnx 1.16.1-1 (source) into experimental (Mo Zhou)
[2024-05-03] onnx 1.14.1-2.1 MIGRATED to testing (Debian testing watch)
[2024-03-16] onnx REMOVED from testing (Debian testing watch)
[2024-02-29] Accepted onnx 1.14.1-2.1 (source) into unstable (Benjamin Drung)
[2024-02-03] Accepted onnx 1.14.1-2.1~exp1 (source) into experimental (Lucas Kanashiro)
[2024-01-15] onnx 1.14.1-2 MIGRATED to testing (Debian testing watch)
[2024-01-01] Accepted onnx 1.14.1-2 (source) into unstable (Mo Zhou)
[2023-12-30] Accepted onnx 1.14.1-1 (source) into experimental (Mo Zhou)
[2023-09-13] onnx 1.13.1-3 MIGRATED to testing (Debian testing watch)
[2023-09-11] Accepted onnx 1.13.1-3 (source) into unstable (Mo Zhou)
[2023-09-10] Accepted onnx 1.13.1-2 (source) into unstable (Mo Zhou)
[2023-08-20] Accepted onnx 1.13.1-1 (source) into unstable (Mo Zhou)
[2022-07-13] onnx 1.12.0-2 MIGRATED to testing (Debian testing watch)
[2022-07-08] Accepted onnx 1.12.0-2 (source) into unstable (Mo Zhou)
[2022-07-08] onnx 1.12.0-1 MIGRATED to testing (Debian testing watch)
[2022-06-26] Accepted onnx 1.12.0-1 (source) into unstable (Mo Zhou)
[2022-06-24] Accepted onnx 1.12.0-1~exp1 (source) into experimental (Mo Zhou)

bugs [bug history graph]

all: 5
RC: 0
I&N: 5
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.20.0-1