Patch PyTorch 2.9 training images (#5620)

jinyan-li1 · web-flow · commit 3396a94c1b23 · 2026-02-02T10:49:51.000-08:00
* Patch PyTorch 2.9 training images
diff --git a/pytorch/training/docker/2.9/py3/Dockerfile.cpu b/pytorch/training/docker/2.9/py3/Dockerfile.cpu
@@ -186,14 +186,16 @@ RUN pip install --no-cache-dir \
     "idna>=3.7" \
     "tqdm>=4.66.3" \
     "requests>=2.32.0" \
-    "setuptools>=70.0.0" \
+    "setuptools>=80.10.1" \
     "urllib3>=2.5.0" \
     "awscli" \
     opencv-python==4.11.0.86 \
     mpi4py \
     jinja2>=3.1.6 \
     tornado>=6.5.1 \
-    "filelock>=3.20.1"
+    "filelock>=3.20.1" \
+    pytz \
+    tzdata
 
 # Install PyTorch
 RUN pip install --no-cache-dir -U torch==${PYTORCH_VERSION} \
@@ -283,7 +285,7 @@ WORKDIR /
 # Install SM packages
 RUN pip install --no-cache-dir -U \
     smclarify \
-    "sagemaker==2.254.1" \
+    "sagemaker>=2.254.1,<3" \
     sagemaker-experiments \
     sagemaker-pytorch-training \
     sagemaker-training
diff --git a/pytorch/training/docker/2.9/py3/Dockerfile.sagemaker.cpu.py_scan_allowlist.json b/pytorch/training/docker/2.9/py3/Dockerfile.sagemaker.cpu.py_scan_allowlist.json
@@ -0,0 +1,3 @@
+{
+  "85151": "[pkg: protobuf] advisory='Affected versions of the protobuf package are vulnerable to Denial of Service (DoS) due to missing recursion depth accounting that allows the max_recursion_depth limit to be bypassed. The google.protobuf.json_format.ParseDict() parser fails to increment or enforce max_recursion_depth when traversing nested google.protobuf.Any messages in its internal Any-handling logic, allowing attacker-controlled JSON to recurse far deeper than intended.', reason_to_ignore='N/A', spec='<=6.33.4'"
+}
diff --git a/pytorch/training/docker/2.9/py3/cu130/Dockerfile.gpu b/pytorch/training/docker/2.9/py3/cu130/Dockerfile.gpu
@@ -105,14 +105,16 @@ RUN pip install --no-cache-dir \
     "idna>=3.7" \
     "tqdm>=4.66.3" \
     "requests>=2.32.0" \
-    "setuptools>=70.0.0" \
+    "setuptools>=80.10.1" \
     "urllib3>=2.5.0" \
     ninja \
     opencv-python==4.11.0.86 \
     mpi4py \
     jinja2>=3.1.6 \
     tornado>=6.5.1 \
-    "filelock>=3.20.1"
+    "filelock>=3.20.1" \
+    pytz \
+    tzdata
 
 # Install PyTorch
 RUN pip install --no-cache-dir -U torch==${PYTORCH_VERSION} \
@@ -250,7 +252,7 @@ WORKDIR /
 # Install SM packages
 RUN pip install --no-cache-dir -U \
     smclarify \
-    "sagemaker==2.254.1" \
+    "sagemaker>=2.254.1,<3" \
     sagemaker-experiments \
     sagemaker-pytorch-training \
     sagemaker-training
diff --git a/pytorch/training/docker/2.9/py3/cu130/Dockerfile.sagemaker.gpu.py_scan_allowlist.json b/pytorch/training/docker/2.9/py3/cu130/Dockerfile.sagemaker.gpu.py_scan_allowlist.json
@@ -0,0 +1,3 @@
+{
+  "85151": "[pkg: protobuf] advisory='Affected versions of the protobuf package are vulnerable to Denial of Service (DoS) due to missing recursion depth accounting that allows the max_recursion_depth limit to be bypassed. The google.protobuf.json_format.ParseDict() parser fails to increment or enforce max_recursion_depth when traversing nested google.protobuf.Any messages in its internal Any-handling logic, allowing attacker-controlled JSON to recurse far deeper than intended.', reason_to_ignore='N/A', spec='<=6.33.4'"
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	+ "85151": "[pkg: protobuf] advisory='Affected versions of the protobuf package are vulnerable to Denial of Service (DoS) due to missing recursion depth accounting that allows the max_recursion_depth limit to be bypassed. The google.protobuf.json_format.ParseDict() parser fails to increment or enforce max_recursion_depth when traversing nested google.protobuf.Any messages in its internal Any-handling logic, allowing attacker-controlled JSON to recurse far deeper than intended.', reason_to_ignore='N/A', spec='<=6.33.4'"
	`3`	`+}`