Commit d818339
[Auto-Update] vllm 0.25.1 (#6400)
* [Auto-Update] vllm 0.25.1
* security(vllm): allowlist CVE-2026-24747 (stale torch pin in benchmarks reqs)
Finding is torch 2.9.1 pinned in the upstream base image's
benchmarks/requirements.txt, not the installed package (torch 2.11.0,
>= 2.10.0 fix). The weights_only unpickler RCE needs a malicious
checkpoint load; the benchmark reqs file is inert metadata. Ubuntu-only
(amzn2023/omni build from source and don't ship this file).
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Kevin Wang <kwanggg@amazon.com>1 parent 5b0423f commit d818339
4 files changed
Lines changed: 10 additions & 5 deletions
File tree
- .github/config/image/vllm
- docker/vllm
- test/security/data/ecr_scan_allowlist/vllm
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | | - | |
| 6 | + | |
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
16 | | - | |
| 16 | + | |
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | | - | |
| 6 | + | |
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| |||
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
17 | | - | |
| 17 | + | |
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
Lines changed: 5 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
2 | 7 | | |
3 | 8 | | |
4 | 9 | | |
| |||
0 commit comments