Commit ecea17d
committed
[auto-ray-cve-patch] allowlist 3 forced-class HIGH CVEs blocking ray auto-release
Ray 2.55.1 auto-release ecr-vulnerability-scan gate was blocked by 3
non-allowlisted HIGH CVEs across all sagemaker/ec2 cpu/gpu variants. All
three are forced-allowlist classes (no in-image bump available):
- CVE-2026-57516: ray 2.55.1->2.56.0 (WebDataset RCE). ray[serve] is an
exact autorelease-managed pin (core contract); needs a Ray version bump.
- CVE-2026-54277: aiohttp 3.13.5->3.14.1. Vendored in ray thirdparty_files;
matches 8 existing aiohttp allowlist entries.
- RUSTSEC-2026-0195: quick-xml 0.39.2->0.41.0. Vendored in the uv binary;
fix not shipped in any stable uv release (latest 0.11.26 still 0.39.2).
Signed-off-by: Jyothirmai Kottu <jkottu@amazon.com>1 parent 135141a commit ecea17d
1 file changed
Lines changed: 15 additions & 0 deletions
Lines changed: 15 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
78 | 78 | | |
79 | 79 | | |
80 | 80 | | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
81 | 96 | | |
82 | 97 | | |
0 commit comments