Skip to content

Commit 8700668

Browse files
aws-deep-learning-containers-ci[bot]github-actions[bot]Eren-Jeager123
authored
[Auto-Update] sglang 0.5.15 (#6382)
* [Auto-Update] sglang 0.5.15 * security(sglang): allowlist CVE-2026-39822 (go/stdlib in mooncake), dedupe CVE-2026-39822: go/stdlib 1.25.9 in mooncake libetcd_wrapper.so, needs Go 1.26.5, not patchable without upstream mooncake rebuild. Same class as existing mooncake entries. Also remove a duplicate CVE-2026-27145 entry. --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Kevin Wang <kwanggg@amazon.com>
1 parent 32051e2 commit 8700668

4 files changed

Lines changed: 10 additions & 10 deletions

File tree

.github/config/image/sglang/ec2-ubuntu.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ image:
33
description: "SGLang for EC2 instances (Ubuntu, upstream base image)"
44
metadata:
55
framework: "sglang"
6-
framework_version: "0.5.14"
6+
framework_version: "0.5.15"
77
os_version: "ubuntu24.04"
88
customer_type: "ec2"
99
arch_type: "x86"
@@ -13,7 +13,7 @@ metadata:
1313
build:
1414
dockerfile: "docker/sglang/Dockerfile"
1515
target: "sglang-ec2"
16-
base_image: "lmsysorg/sglang:v0.5.14"
16+
base_image: "lmsysorg/sglang:v0.5.15"
1717
python_version: "3.12"
1818
cuda_version: "13.0.3"
1919
efa_version: "1.48.0"

.github/config/image/sglang/sagemaker-ubuntu.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ image:
33
description: "SGLang for SageMaker (Ubuntu, upstream base image)"
44
metadata:
55
framework: "sglang"
6-
framework_version: "0.5.14"
6+
framework_version: "0.5.15"
77
os_version: "ubuntu24.04"
88
customer_type: "sagemaker"
99
platform: "sagemaker"
@@ -14,7 +14,7 @@ metadata:
1414
build:
1515
dockerfile: "docker/sglang/Dockerfile"
1616
target: "sglang-sagemaker"
17-
base_image: "lmsysorg/sglang:v0.5.14"
17+
base_image: "lmsysorg/sglang:v0.5.15"
1818
python_version: "3.12"
1919
cuda_version: "13.0.3"
2020
efa_version: "1.48.0"

docker/sglang/Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Declare the argument as default to use as input
22
# base image: https://hub.docker.com/r/lmsysorg/sglang/tags
3-
ARG BASE_IMAGE=lmsysorg/sglang:v0.5.14
3+
ARG BASE_IMAGE=lmsysorg/sglang:v0.5.15
44

55
# Use input argument as base image
66
FROM $BASE_IMAGE AS base

test/security/data/ecr_scan_allowlist/sglang/framework_allowlist.json

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,11 @@
3434
"reason": "go/stdlib 1.25.9 embedded in mooncake libetcd_wrapper.so, MIME header parsing CPU exhaustion, cannot patch without upstream mooncake rebuild with Go 1.26.4+",
3535
"review_by": "2026-09-10"
3636
},
37+
{
38+
"vulnerability_id": "CVE-2026-39822",
39+
"reason": "go/stdlib 1.25.9 embedded in mooncake libetcd_wrapper.so, cannot patch without upstream mooncake rebuild with Go 1.26.5+",
40+
"review_by": "2026-09-10"
41+
},
3742
{
3843
"vulnerability_id": "RUSTSEC-2026-0195",
3944
"reason": "quick-xml 0.39.2 is bundled inside the uv binary at /usr/local/bin/uv (uv is statically compiled Rust). Advisory is a denial-of-service in NsReader's namespace resolution during Start/Empty XML event handling; the vulnerable code path is only reachable when uv parses attacker-controlled XML (e.g. a hostile PyPI mirror index). uv is retained in the image for customer-side venv management; the standard PyPI flow uses JSON/HTML endpoints and never exercises the XML path. No uv release containing the patched quick-xml>=0.41.0 has been published upstream yet; will swap to a pinned fixed version and drop this entry when upstream ships.",
@@ -53,10 +58,5 @@
5358
"vulnerability_id": "GHSA-36hh-v3qg-5jq4",
5459
"reason": "pyo3 0.23.5 in upstream sglang sglang-grpc Cargo.lock, cannot patch without upstream sglang rebuild",
5560
"review_by": "2026-09-10"
56-
},
57-
{
58-
"vulnerability_id": "CVE-2026-27145",
59-
"reason": "go/stdlib 1.25.9 embedded in mooncake libetcd_wrapper.so, x509 VerifyHostname CPU exhaustion, cannot patch without upstream mooncake rebuild with Go 1.26.4+",
60-
"review_by": "2026-09-10"
6161
}
6262
]

0 commit comments

Comments
 (0)