aws
diff --git a/‎available_images.md‎
Lines changed: 2 additions & 0 deletions b/‎available_images.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎data/ignore_ids_safety_scan.json‎
Lines changed: 15 additions & 2 deletions b/‎data/ignore_ids_safety_scan.json‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎huggingface/pytorch/inference/docker/2.1/py3/sdk2.20.0/Dockerfile.neuronx.os_scan_allowlist.json‎
Lines changed: 58 additions & 0 deletions b/‎huggingface/pytorch/inference/docker/2.1/py3/sdk2.20.0/Dockerfile.neuronx.os_scan_allowlist.json‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎huggingface/pytorch/inference/docker/2.6/py3/Dockerfile.cpu‎
Lines changed: 5 additions & 4 deletions b/‎huggingface/pytorch/inference/docker/2.6/py3/Dockerfile.cpu‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎huggingface/pytorch/inference/docker/2.6/py3/cu124/Dockerfile.gpu‎
Lines changed: 8 additions & 6 deletions b/‎huggingface/pytorch/inference/docker/2.6/py3/cu124/Dockerfile.gpu‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎huggingface/pytorch/training/docker/2.1/py3/sdk2.20.0/Dockerfile.neuronx.os_scan_allowlist.json‎
Lines changed: 29 additions & 0 deletions b/‎huggingface/pytorch/training/docker/2.1/py3/sdk2.20.0/Dockerfile.neuronx.os_scan_allowlist.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎huggingface/pytorch/training/docker/2.5/py3/cu124/Dockerfile.gpu‎
Lines changed: 1 addition & 1 deletion b/‎huggingface/pytorch/training/docker/2.5/py3/cu124/Dockerfile.gpu‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎release_images_general.yml‎
Lines changed: 16 additions & 2 deletions b/‎release_images_general.yml‎
Lines changed: 16 additions & 2 deletions
diff --git a/‎test/dlc_tests/sanity/test_boottime_container_security.py‎
Lines changed: 5 additions & 4 deletions b/‎test/dlc_tests/sanity/test_boottime_container_security.py‎
Lines changed: 5 additions & 4 deletions
@@ -368,6 +368,8 @@ Note: Starting from Neuron SDK 2.17.0, Dockerfiles for PyTorch Neuron Containers
 |----------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|--------------------|-----------|------------------------------|------------------------|----------------------------------------------------------------------------------------------------------------------|
 | [PyTorch 2.7.0](https://github.com/aws-neuron/deep-learning-containers/blob/2.25.0/docker/pytorch/inference/2.7.0/Dockerfile.neuronx)              | torch-neuronx, transformers-neuronx, neuronx_distributed, neuronx_distributed_inference | Neuron 2.25.0      | inference | trn1,trn2,inf2                    | 3.10 (py310)           | 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference-neuronx:2.7.0-neuronx-py310-sdk2.25.0-ubuntu22.04     |
 | [PyTorch 2.7.0](https://github.com/aws-neuron/deep-learning-containers/blob/2.25.0/docker/pytorch/training/2.7.0/Dockerfile.neuronx)              | torch-neuronx, transformers-neuronx, neuronx_distributed, neuronx_distributed_training | Neuron 2.25.0      | training | trn1,trn2,inf2                    | 3.10 (py310)           | 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-training-neuronx:2.7.0-neuronx-py310-sdk2.25.0-ubuntu22.04     |
+| [PyTorch 2.7.0](https://github.com/aws-neuron/deep-learning-containers/blob/2.24.1/docker/pytorch/inference/2.7.0/Dockerfile.neuronx)              | torch-neuronx, transformers-neuronx, neuronx_distributed, neuronx_distributed_inference | Neuron 2.24.1      | inference | trn1,trn2,inf2                    | 3.10 (py310)           | 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference-neuronx:2.7.0-neuronx-py310-sdk2.24.1-ubuntu22.04     |
+| [PyTorch 2.7.0](https://github.com/aws-neuron/deep-learning-containers/blob/2.24.1/docker/pytorch/training/2.7.0/Dockerfile.neuronx)              | torch-neuronx, transformers-neuronx, neuronx_distributed, neuronx_distributed_training | Neuron 2.24.1      | training | trn1,trn2,inf2                    | 3.10 (py310)           | 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-training-neuronx:2.7.0-neuronx-py310-sdk2.24.1-ubuntu22.04     |
 | [PyTorch 2.6.0](https://github.com/aws-neuron/deep-learning-containers/blob/2.23.0/docker/pytorch/inference/2.6.0/Dockerfile.neuronx)              | torch-neuronx, transformers-neuronx, neuronx_distributed, neuronx_distributed_inference | Neuron 2.23.0      | inference | trn1,trn2,inf2                    | 3.10 (py310)           | 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference-neuronx:2.6.0-neuronx-py310-sdk2.23.0-ubuntu22.04     |
 | [PyTorch 2.6.0](https://github.com/aws-neuron/deep-learning-containers/blob/2.23.0/docker/pytorch/training/2.6.0/Dockerfile.neuronx)              | torch-neuronx, transformers-neuronx, neuronx_distributed, neuronx_distributed_training | Neuron 2.23.0      | training | trn1,trn2,inf2                    | 3.10 (py310)           | 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-training-neuronx:2.6.0-neuronx-py310-sdk2.23.0-ubuntu22.04     |
 | [PyTorch 2.5.1](https://github.com/aws-neuron/deep-learning-containers/blob/2.22.0/docker/pytorch/inference/2.5.1/Dockerfile.neuronx)              | torch-neuronx, transformers-neuronx, neuronx_distributed, neuronx_distributed_inference | Neuron 2.22.0      | inference | trn1,trn2,inf2                    | 3.10 (py310)           | 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference-neuronx:2.5.1-neuronx-py310-sdk2.22.0-ubuntu22.04     |
 
@@ -1399,7 +1399,11 @@
                 "77714": "Transformers version upgrade needs to be handled in a separate image",
                 "77149": "Transformers version upgrade needs to be handled in a separate image",
                 "77985": "Transformers version upgrade needs to be handled in a separate image",
-                "77988": "Transformers version upgrade needs to be handled in a separate image"
+                "77988": "Transformers version upgrade needs to be handled in a separate image",
+                "78688": "Transformers version upgrade needs to be handled in a separate image",
+                "78828": "Pytorch version upgrade needs to be handled in a separate image",
+                "79595": "Transformers version upgrade needs to be handled in a separate image",
+                "79596": "Transformers version upgrade needs to be handled in a separate image"
             }
         },
         "inference": {
@@ -1433,7 +1437,16 @@
                 "71601": "Transformers version upgrade needs to be handled in a separate image",
                 "71670": "Pytorch version upgrade needs to be handled in a separate image",
                 "71671": "Pytorch version upgrade needs to be handled in a separate image",
-                "71672": "Pytorch version upgrade needs to be handled in a separate image"
+                "71672": "Pytorch version upgrade needs to be handled in a separate image",
+                "77740": "Affected versions of this package are vulnerable to a potential Denial of Service (DoS) attack due to unbounded recursion when parsing untrusted Protocol Buffers data. The pure-Python implementation fails to enforce recursion depth limits when processing recursive groups, recursive messages, or a series of SGROUP tags, leading to stack overflow conditions that can crash the application by exceeding Python's recursion limit.",
+                "78828": "Affected versions of the PyTorch package are vulnerable to Denial of Service (DoS) due to improper handling in the MKLDNN pooling implementation. The torch.mkldnn_max_pool2d function fails to properly validate input parameters, allowing crafted inputs to trigger resource exhaustion or crashes in the underlying MKLDNN library. An attacker with local access can exploit this vulnerability by passing specially crafted tensor dimensions or parameters to the max pooling function, causing the application to become unresponsive or crash.",
+                "78153": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's token2json() method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern <s_(.*?)> which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.",
+                "77986": "Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the image_utils.py file. The vulnerability arises from insecure URL validation using the startswith() method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.",
+                "78688": "Affected versions of the Hugging Face Transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an inefficient regex pattern in weight name conversion. The convert_tf_weight_name_to_pt_weight_name() function uses the regular expression pattern /[^/]___([^/])/, which is susceptible to catastrophic backtracking when processing specially crafted TensorFlow weight names. An attacker can exploit this vulnerability by providing malicious weight names during model conversion between TensorFlow and PyTorch formats, causing excessive CPU consumption and potentially rendering the service unresponsive.",
+                "77744": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.",
+                "79077": "Affected versions of the h2 package are vulnerable to HTTP Request Smuggling due to improper validation of illegal characters in HTTP headers. The package allows CRLF characters to be injected into header names and values without proper sanitisation, which can cause request boundary manipulation when HTTP/2 requests are downgraded to HTTP/1.1 by downstream servers.",
+                "79595": "Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient regular expressions in the EnglishNormalizer.normalize_numbers() method",
+                "79596": "Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient regular expressions in the MarianTokenizer.remove_language_code() method"
             }
         },
         "inference-neuron": {
 
@@ -1541,6 +1541,64 @@
         "status": "ACTIVE",
         "title": "CVE-2023-52760 - linux-libc-dev",
         "reason_to_ignore": "N/A"
+    },
+    {
+        "description": "In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias(). In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char).",
+        "vulnerability_id": "CVE-2024-38541",
+        "name": "CVE-2024-38541",
+        "package_name": "linux-libc-dev",
+        "package_details": {
+            "file_path": null,
+            "name": "linux-libc-dev",
+            "package_manager": "OS",
+            "version": "5.4.0",
+            "release": "192.212"
+        },
+        "remediation": {
+            "recommendation": {
+                "text": "None Provided"
+            }
+        },
+        "cvss_v3_score": 7.8,
+        "cvss_v30_score": 0.0,
+        "cvss_v31_score": 7.8,
+        "cvss_v2_score": 0.0,
+        "cvss_v3_severity": "HIGH",
+        "source_url": "https://ubuntu.com/security/CVE-2024-38541",
+        "source": "UBUNTU_CVE",
+        "severity": "CRITICAL",
+        "status": "ACTIVE",
+        "title": "CVE-2024-38541 - linux-libc-dev",
+        "reason_to_ignore": "N/A"
+    },
+    {
+        "description": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path=”...”/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program’s crash using libxml or other possible undefined behaviors.",
+        "vulnerability_id": "CVE-2025-49794",
+        "name": "CVE-2025-49794",
+        "package_name": "linux-libc-dev",
+        "package_details": {
+            "file_path": null,
+            "name": "linux-libc-dev",
+            "package_manager": "OS",
+            "version": "5.4.0",
+            "release": "192.212"
+        },
+        "remediation": {
+            "recommendation": {
+                "text": "None Provided"
+            }
+        },
+        "cvss_v3_score": 7.8,
+        "cvss_v30_score": 0.0,
+        "cvss_v31_score": 7.8,
+        "cvss_v2_score": 0.0,
+        "cvss_v3_severity": "HIGH",
+        "source_url": "https://ubuntu.com/security/CVE-2025-49794",
+        "source": "UBUNTU_CVE",
+        "severity": "CRITICAL",
+        "status": "ACTIVE",
+        "title": "CVE-2025-49794 - linux-libc-dev",
+        "reason_to_ignore": "N/A"
     }],
     "postgresql-12": [
         {
 
@@ -139,7 +139,7 @@ RUN pip install --upgrade pip --trusted-host pypi.org --trusted-host files.pytho
 
 # Install Common python packages
 RUN pip install --no-cache-dir --extra-index-url https://download.pytorch.org/whl/cpu -U \
-    opencv-python \
+    "opencv-python==4.11.0.86" \
     "pyopenssl>=24.0.0" \
     "cryptography>=42.0.5" \
     "ipython>=8.10.0,<9.0" \
@@ -231,7 +231,8 @@ ENV HF_HUB_USER_AGENT_ORIGIN="aws:sagemaker:cpu:inference:regular"
 
 # IPEx installation installs the numpy==1.25.1. That causes a pip check failure due to incompatibility with numba.
 # Re-installing numpy after IPEx installation to get the appropriate numpy version and fix pip checks.
-# RUN pip install --no-cache-dir \
+RUN pip install --no-cache-dir \
+  "opencv-python==4.11.0.86"
 #     "numpy<1.25" \
 #     "pyyaml>=5.4"
 
@@ -244,7 +245,7 @@ RUN HOME_DIR=/root \
  && ${HOME_DIR}/oss_compliance/generate_oss_compliance.sh ${HOME_DIR} ${PYTHON} \
  && rm -rf ${HOME_DIR}/oss_compliance*
 
-RUN curl -o /license.txt  https://aws-dlc-licenses.s3.amazonaws.com/pytorch-2.3/license.txt
+RUN curl -o /license.txt  https://aws-dlc-licenses.s3.amazonaws.com/pytorch-2.6/license.txt
 
 ## Cleanup ##
 RUN pip cache purge \
@@ -255,4 +256,4 @@ RUN pip cache purge \
 
 EXPOSE 8080 8081
 ENTRYPOINT ["python", "/usr/local/bin/dockerd-entrypoint.py"]
-CMD ["serve"]
+CMD ["serve"]
@@ -119,6 +119,8 @@ RUN apt-get update \
     tk-dev \
     libffi-dev \
     ffmpeg \
+    libxml2 \
+    linux-libc-dev \
  && apt-get autoremove -y \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get clean
@@ -162,8 +164,6 @@ RUN /opt/conda/bin/conda install -y -c conda-forge \
     "mkl<2024.1.0" \
     mkl-include \
     parso \
-    scipy \
-    numpy \
     pandas \
     pyarrow \
     typing \
@@ -190,7 +190,8 @@ RUN pip install --upgrade pip --no-cache-dir --trusted-host pypi.org --trusted-h
 
 # Install Common python packages
 RUN pip install --no-cache-dir -U \
-    opencv-python \
+    "opencv-python==4.11.0.86" \
+    scipy \
     # "nvgpu" is a dependency of TS but is disabled in SM DLC build,
     # via ENV Variable "TS_DISABLE_SYSTEM_METRICS=true" in the SM section of this file.
     # due to incompatibility with SM hosts 
@@ -265,7 +266,8 @@ RUN pip install --no-cache-dir \
     diffusers==${DIFFUSERS_VERSION} \
     peft==${PEFT_VERSION} \
     accelerate==${ACCELERATE_VERSION} \
-	sagemaker-huggingface-inference-toolkit==${SAGEMAKER_HF_INFERENCE_VERSION}
+    sagemaker-huggingface-inference-toolkit==${SAGEMAKER_HF_INFERENCE_VERSION} \
+    "opencv-python==4.11.0.86"
 
 # hf_transfer will be a built-in feature, remove the env variavle then
 ENV HF_HUB_ENABLE_HF_TRANSFER="1"
@@ -280,7 +282,7 @@ RUN HOME_DIR=/root \
  && ${HOME_DIR}/oss_compliance/generate_oss_compliance.sh ${HOME_DIR} ${PYTHON} \
  && rm -rf ${HOME_DIR}/oss_compliance*
 
-RUN curl -o /license.txt  https://aws-dlc-licenses.s3.amazonaws.com/pytorch-2.3/license.txt
+RUN curl -o /license.txt  https://aws-dlc-licenses.s3.amazonaws.com/pytorch-2.6/license.txt
 
 ## Cleanup ##
 RUN pip cache purge \
@@ -289,4 +291,4 @@ RUN pip cache purge \
 
 EXPOSE 8080 8081
 ENTRYPOINT ["python", "/usr/local/bin/dockerd-entrypoint.py"]
-CMD ["serve"]
+CMD ["serve"]
@@ -845,6 +845,35 @@
       }
     ],
     "linux-libc-dev": [
+      {
+         "description": "In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias(). In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char).",
+         "vulnerability_id": "CVE-2024-38541",
+         "name": "CVE-2024-38541",
+         "package_name": "linux-libc-dev",
+         "package_details": {
+            "file_path": null,
+            "name": "linux-libc-dev",
+            "package_manager": "OS",
+            "version": "5.4.0",
+            "release": "192.212"
+         },
+         "remediation": {
+            "recommendation": {
+                  "text": "None Provided"
+            }
+         },
+         "cvss_v3_score": 7.8,
+         "cvss_v30_score": 0.0,
+         "cvss_v31_score": 7.8,
+         "cvss_v2_score": 0.0,
+         "cvss_v3_severity": "HIGH",
+         "source_url": "https://ubuntu.com/security/CVE-2024-38541",
+         "source": "UBUNTU_CVE",
+         "severity": "CRITICAL",
+         "status": "ACTIVE",
+         "title": "CVE-2024-38541 - linux-libc-dev",
+         "reason_to_ignore": "N/A"
+      },
       {
          "description":"In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object \"intf\". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object \"intf\". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree.",
          "vulnerability_id":"CVE-2024-39495",
 
@@ -64,7 +64,7 @@ ENV HF_HUB_ENABLE_HF_TRANSFER="1"
 RUN apt-get update \
  # TODO: Remove upgrade statements once packages are updated in base image
  && apt-get -y upgrade --only-upgrade systemd openssl cryptsetup libkrb5-3 linux-libc-dev libsqlite3-0 \
- && apt-get install -y git git-lfs wget tar \
+ && apt-get install -y git git-lfs wget tar libxml2 \
  && wget https://go.dev/dl/go1.24.2.linux-amd64.tar.gz \
  && rm -rf /usr/local/go \
  && tar -C /usr/local -xzf go1.24.2.linux-amd64.tar.gz \
 
@@ -44,14 +44,28 @@ release_images:
       public_registry: True
   4:
     framework: "vllm"
-    version: "0.10.1"
+    version: "0.10.2"
     arch_type: "x86"
     customer_type: "ec2"
     general:
       device_types: [ "gpu" ]
       python_versions: [ "py312" ]
       os_version: "ubuntu22.04"
-      cuda_version: "cu128"
+      cuda_version: "cu129"
+      example: False
+      disable_sm_tag: False
+      force_release: False
+      public_registry: True
+  5:
+    framework: "vllm"
+    version: "0.10.2"
+    arch_type: "arm64"
+    customer_type: "ec2"
+    general:
+      device_types: [ "gpu" ]
+      python_versions: [ "py312" ]
+      os_version: "ubuntu22.04"
+      cuda_version: "cu129"
       example: False
       disable_sm_tag: False
       force_release: False
 
@@ -7,6 +7,10 @@
 @pytest.mark.model("N/A")
 @pytest.mark.canary("Run security test regularly on production images")
 def test_security(image):
+    if "vllm" in image:
+        pytest.skip(
+            "vLLM images do not require pip check as they are managed by vLLM devs. Skipping test."
+        )
     repo_name, image_tag = image.split("/")[-1].split(":")
     container_name = f"{repo_name}-{image_tag}-security"
 
@@ -20,10 +24,7 @@ def test_security(image):
     )
     try:
         docker_exec_cmd = f"docker exec -i {container_name}"
-        if "vllm" in image:
-            run_command = f"python3 /test/bin/security_checks.py"
-        else:
-            run_command = f"python /test/bin/security_checks.py"
+        run_command = f"python /test/bin/security_checks.py"
 
         run(f"{docker_exec_cmd} {run_command} --image_uri {image}", hide=True)
     finally: