onnx - Debian Package Tracker

general

source: onnx (main)
version: 1.20.0-4
maintainer: Debian Deep Learning Team (archive) (DMD)
uploaders: Mo Zhou [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.7.0+dfsg-3
oldstable: 1.12.0-2
stable: 1.17.0-3
testing: 1.20.0-4
unstable: 1.20.0-4

versioned links

1.7.0+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.12.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.17.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.20.0-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libonnx-dev
libonnx-testdata
libonnx1l
python3-onnx

action needed

A new upstream version is available: 1.21.0 high

A new upstream version 1.21.0 is available, you should consider packaging it.

Created: 2025-11-26 Last update: 2026-04-03 06:31

4 security issues in trixie high

There are 4 open security issues in trixie.

3 important issues:

CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

1 issue left for the package maintainer to handle:

CVE-2026-28500: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-03-18 Last update: 2026-04-02 08:00

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2026-28500: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

Created: 2026-03-18 Last update: 2026-04-02 08:00

4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:

CVE-2026-28500: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

Created: 2026-03-18 Last update: 2026-04-02 08:00

5 security issues in bookworm high

There are 5 open security issues in bookworm.

3 important issues:

CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

2 issues left for the package maintainer to handle:

CVE-2024-7776: (needs triaging) A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.
CVE-2026-28500: (needs triaging) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-06-07 Last update: 2026-04-02 08:00

5 security issues in bullseye high

There are 5 open security issues in bullseye.

3 important issues:

CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

2 issues postponed or untriaged:

CVE-2024-7776: (postponed; to be fixed through a stable update) A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.
CVE-2026-28500: (postponed; to be fixed through a stable update) Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.

Created: 2026-04-02 Last update: 2026-04-02 08:00

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 51997ac1e997cbf9e70af32164937469f5097b5d
Author: Dylan Aïssi <dylan.aissi@collabora.com>
Date:   Sun Jan 18 21:36:06 2026 +0100

    Add new autopkgtest creating a dummy neural network with pytorch
    
    This is the first step of onnxruntime autopkgtests which is currently
    failing.
    
    Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>

Created: 2026-03-18 Last update: 2026-03-26 23:30

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-16 Last update: 2026-03-16 13:01

debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 1.20.0-4 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-03-16 08:03

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

testing migrations

This package will soon be part of the auto-protobuf transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-03-18] onnx 1.20.0-4 MIGRATED to testing (Debian testing watch)
[2026-03-15] Accepted onnx 1.20.0-4 (source) into unstable (Dylan Aïssi)
[2026-03-11] Accepted onnx 1.20.0-3 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Dylan Aïssi)
[2026-01-12] Accepted onnx 1.20.0-1 (source) into unstable (Shengqi Chen)
[2026-01-09] Accepted onnx 1.20.0-1~exp1 (source) into experimental (Shengqi Chen)
[2025-10-23] Accepted onnx 1.19.1-1~exp1 (source) into experimental (Shengqi Chen)
[2025-02-02] onnx 1.17.0-3 MIGRATED to testing (Debian testing watch)
[2025-01-30] Accepted onnx 1.17.0-3 (source) into unstable (Mo Zhou)
[2025-01-23] Accepted onnx 1.17.0-2 (source) into unstable (Mo Zhou)
[2025-01-20] Accepted onnx 1.17.0-1 (source) into experimental (Mo Zhou)
[2024-10-18] onnx 1.16.2-1 MIGRATED to testing (Debian testing watch)
[2024-09-27] Accepted onnx 1.16.2-1 (source) into unstable (Mo Zhou)
[2024-07-14] Accepted onnx 1.16.1-1 (source) into experimental (Mo Zhou)
[2024-05-03] onnx 1.14.1-2.1 MIGRATED to testing (Debian testing watch)
[2024-03-16] onnx REMOVED from testing (Debian testing watch)
[2024-02-29] Accepted onnx 1.14.1-2.1 (source) into unstable (Benjamin Drung)
[2024-02-03] Accepted onnx 1.14.1-2.1~exp1 (source) into experimental (Lucas Kanashiro)
[2024-01-15] onnx 1.14.1-2 MIGRATED to testing (Debian testing watch)
[2024-01-01] Accepted onnx 1.14.1-2 (source) into unstable (Mo Zhou)
[2023-12-30] Accepted onnx 1.14.1-1 (source) into experimental (Mo Zhou)
[2023-09-13] onnx 1.13.1-3 MIGRATED to testing (Debian testing watch)
[2023-09-11] Accepted onnx 1.13.1-3 (source) into unstable (Mo Zhou)
[2023-09-10] Accepted onnx 1.13.1-2 (source) into unstable (Mo Zhou)
[2023-08-20] Accepted onnx 1.13.1-1 (source) into unstable (Mo Zhou)
[2022-07-13] onnx 1.12.0-2 MIGRATED to testing (Debian testing watch)
[2022-07-08] Accepted onnx 1.12.0-2 (source) into unstable (Mo Zhou)
[2022-07-08] onnx 1.12.0-1 MIGRATED to testing (Debian testing watch)
[2022-06-26] Accepted onnx 1.12.0-1 (source) into unstable (Mo Zhou)
[2022-06-24] Accepted onnx 1.12.0-1~exp1 (source) into experimental (Mo Zhou)
[2022-06-15] onnx REMOVED from testing (Debian testing watch)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.20.0-1