Debian Package Tracker

keras

general
  • source: keras (main)
  • version: 2.3.1+dfsg-3
  • maintainer: Debian Science Maintainers (archive) (DMD)
  • uploaders: Stephen Sinclair [DMD]
  • arch: all
  • std-ver: 4.5.0
  • VCS: Git (Browse)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.3.1+dfsg-3
versioned links
  • 2.3.1+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • python3-keras
package is gone
This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.
action needed
Debci reports failed tests high
  • unstable: fail (log)
    The tests ran in 0:00:54
    Last run: 2024-11-30T17:30:48.000Z
    Previous status: unknown

  • testing: fail (log)
    The tests ran in 0:00:57
    Last run: 2023-02-26T17:12:49.000Z
    Previous status: unknown

  • stable: pass (log)
    The tests ran in 0:00:54
    Last run: 2023-05-23T07:16:00.000Z
    Previous status: unknown

Created: 2023-01-23 Last update: 2025-11-05 09:32
6 security issues in bullseye high

There are 6 open security issues in bullseye.

3 important issues:
  • CVE-2025-12058: The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path.
    * Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system.
    * Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server's behalf, resulting in an SSRF condition.
    The security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access.
  • CVE-2025-12060: The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).
  • CVE-2025-49655: Deserialization of untrusted data can occur in Keras framework versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded, despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
3 issues postponed or untriaged:
  • CVE-2024-3660: (postponed; to be fixed through a stable update) An arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allows arbitrary code irrespective of the application.
  • CVE-2025-9906: (postponed; to be fixed through a stable update) The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disabled, one can use the Lambda layer feature of Keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive: the keras.config.enable_unsafe_deserialization() call simply needs to appear first in the archive, and the Lambda with arbitrary code needs to be second.
  • CVE-2024-55459: (postponed; to be fixed through a stable update) An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.
Created: 2025-10-17 Last update: 2025-10-31 06:30
RFP: There is a request to reintroduce this package. normal
The WNPP database contains an RFP (Request For Package). This probably means that somebody would like to see this package reintroduced into unstable by a volunteer. Please see bug number #1096196 for more information.
Created: 2025-02-17 Last update: 2025-02-17 14:31
news
  • [2024-11-11] Removed 2.3.1+dfsg2-1 from unstable (Debian FTP Masters)
  • [2023-03-06] keras REMOVED from testing (Debian testing watch)
  • [2022-09-25] keras 2.3.1+dfsg2-1 MIGRATED to testing (Debian testing watch)
  • [2022-09-22] Accepted keras 2.3.1+dfsg2-1 (source) into unstable (Stephen Sinclair) (signed by: bage@debian.org)
  • [2022-04-15] keras REMOVED from testing (Debian testing watch)
  • [2020-07-15] keras 2.3.1+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2020-07-12] Accepted keras 2.3.1+dfsg-3 (source) into unstable (Stephen Sinclair) (signed by: Bart Martens)
  • [2020-07-02] keras 2.3.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2020-06-29] Accepted keras 2.3.1+dfsg-2 (source) into unstable (Stephen Sinclair) (signed by: Bart Martens)
  • [2020-04-17] keras 2.3.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2020-04-14] Accepted keras 2.3.1+dfsg-1 (source) into unstable (Stephen Sinclair) (signed by: Anton Gladky)
  • [2020-04-09] keras REMOVED from testing (Debian testing watch)
  • [2019-01-20] keras 2.2.4-1 MIGRATED to testing (Debian testing watch)
  • [2019-01-18] Accepted keras 2.2.4-1 (source all) into unstable (Daniel Stender)
  • [2018-05-21] keras REMOVED from testing (Debian testing watch)
  • [2018-04-02] keras 2.1.5-2 MIGRATED to testing (Debian testing watch)
  • [2018-03-27] Accepted keras 2.1.5-2 (source all) into unstable (Daniel Stender)
  • [2018-03-25] keras 2.1.5-1 MIGRATED to testing (Debian testing watch)
  • [2018-03-19] Accepted keras 2.1.5-1 (source all) into unstable (Daniel Stender)
  • [2018-01-02] keras 2.1.1-1 MIGRATED to testing (Debian testing watch)
  • [2017-12-27] Accepted keras 2.1.1-1 (source all) into unstable, unstable (Daniel Stender)
  • [2017-11-07] keras 1.0.7-2 MIGRATED to testing (Debian testing watch)
  • [2017-11-01] Accepted keras 1.0.7-2 (source all) into unstable (Daniel Stender)
  • [2016-08-18] Accepted keras 1.0.7-1 (source all) into experimental, experimental (Daniel Stender)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • buildd: logs
  • popcon
  • security tracker
  • debci

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers