RHOAIENG-66017: CVE-2026-34993 rhoai/odh-th06-cpu-torch210-py312-rhel9: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load() [rhoai-3.4] #897
Add aiohttp~=3.14.0 constraint to th06-cpu-torch210-py312 pyproject.toml to fix CVE-2026-34993, an arbitrary code execution vulnerability via untrusted input to CookieJar.load().

aiohttp 3.14.0 is not yet available in the AIPCC PyPI index for cpu-ubi9. requirements.txt will need regeneration once the AIPCC team publishes the patched version. The constraint is added now to prevent regeneration with a vulnerable version.

## Summary

- Add `aiohttp~=3.14.0` to pyproject.toml for th06-cpu-torch210-py312
- requirements.txt still pins 3.13.5 until AIPCC index is updated

## Test plan

- [ ] Verify aiohttp 3.14.0 is available in AIPCC cpu-ubi9 index
- [ ] Regenerate requirements.txt with `uv pip compile`
- [ ] Rebuild image and verify it starts correctly
4d7f2c2 to d708e30
Revert documentation changes that were outside the scope of the CVE-2026-34993 fix. Only the pyproject.toml constraint change is needed for this ticket.
@jira-autofix[bot]: The following test has Succeeded:

OCI Artifact Browser URL

Inspecting Test Artifacts Manually

To inspect your test artifacts manually, follow these steps:

```shell
mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/opendatahub/odh-ci-artifacts:odh-pr-test-distributed-workloads-68vr4
```
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/universal/training/th06-cpu-torch210-py312/pyproject.toml`:
- Line 52: The aiohttp version bump in pyproject.toml is not reflected in the
image build because Dockerfile installs from requirements.txt, which still pins
the older aiohttp release. Regenerate requirements.txt so it matches the new
aiohttp~=3.14.0 constraint, or change the build flow to install from
pyproject.toml instead. Make sure the updated lockfile stays in sync with the
dependency declaration used by the th06-cpu-torch210-py312 training image.
📒 Files selected for processing (1)
images/universal/training/th06-cpu-torch210-py312/pyproject.toml
| "py-cpuinfo>=9.0.0", | ||
| "rich>=13.9.4", | ||
| "aiofiles==25.1.0", | ||
| "aiohttp~=3.14.0", |
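Review bot: the added `"aiohttp~=3.14.0",` line has no comment tying it to CVE-2026-34993, so a later cleanup could relax or drop it without knowing it is a security floor; add a short TOML comment above it naming the CVE. Note also that `~=3.14.0` permits only 3.14.x, unlike the neighbouring `>=` entries, so it will need another edit when a 3.15 release is wanted; if the intent is only to exclude the vulnerable versions, `>=3.14.0` expresses that.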
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
```shell
#!/bin/bash
set -euo pipefail
echo "== Show the two manifests =="
sed -n '45,60p' images/universal/training/th06-cpu-torch210-py312/pyproject.toml
sed -n '18,32p' images/universal/training/th06-cpu-torch210-py312/requirements.txt
echo
echo "== Find build/install paths for this image =="
fd -HI 'Dockerfile|Containerfile|*.Dockerfile|*.containerfile' .
rg -n -C3 'th06-cpu-torch210-py312|requirements\.txt|pyproject\.toml|uv pip compile|pip install|uv sync|poetry install' .
echo
echo "== Find any docs or scripts that regenerate requirements =="
rg -n -C2 'uv pip compile|pip-compile|requirements\.txt' images/universal/training/th06-cpu-torch210-py312 .
```

Repository: opendatahub-io/distributed-workloads
Length of output: 1264
🏁 Script executed:
```shell
#!/bin/bash
set -euo pipefail
echo "== Locate files for this image =="
fd -HI 'th06-cpu-torch210-py312|requirements\.txt|pyproject\.toml|Dockerfile|Containerfile|\.Dockerfile|\.containerfile' images/universal/training
echo
echo "== Inspect relevant directory tree =="
find images/universal/training/th06-cpu-torch210-py312 -maxdepth 2 -type f | sort
echo
echo "== Search for install/build references in the image directory and nearby configs =="
rg -n -C3 'th06-cpu-torch210-py312|requirements\.txt|pyproject\.toml|pip install|uv sync|uv pip compile|poetry install|pip-compile|conda|mamba' images/universal/training .github . 2>/dev/null || true
```

Repository: opendatahub-io/distributed-workloads
Length of output: 50393
🏁 Script executed:
```shell
#!/bin/bash
set -euo pipefail
echo "== Locate files for this image =="
fd -HI 'th06-cpu-torch210-py312|requirements\.txt|pyproject\.toml|Dockerfile|Containerfile|\.Dockerfile|\.containerfile' images/universal/training
echo
echo "== Inspect relevant directory tree =="
find images/universal/training/th06-cpu-torch210-py312 -maxdepth 2 -type f | sort
echo
echo "== Search for install/build references in the image directory and nearby configs =="
rg -n -C3 'th06-cpu-torch210-py312|requirements\.txt|pyproject\.toml|pip install|uv sync|uv pip compile|poetry install|pip-compile|conda|mamba' images/universal/training .github . 2>/dev/null || true
```

Repository: opendatahub-io/distributed-workloads
Length of output: 50395
🏁 Script executed:
```shell
#!/bin/bash
set -euo pipefail
echo "== Target image files =="
find images/universal/training/th06-cpu-torch210-py312 -maxdepth 1 -type f | sort
echo
echo "== Dockerfile install path =="
sed -n '1,120p' images/universal/training/th06-cpu-torch210-py312/Dockerfile
echo
echo "== pyproject excerpt =="
sed -n '1,120p' images/universal/training/th06-cpu-torch210-py312/pyproject.toml
echo
echo "== requirements excerpt around aiohttp =="
rg -n -C2 '^aiohttp==|aiohttp~=|requirements\.txt|uv pip compile|pip install' images/universal/training/th06-cpu-torch210-py312
echo
echo "== README guidance for this image family =="
sed -n '108,116p' images/universal/training/README.md
sed -n '196,205p' images/universal/training/README.md
```

Repository: opendatahub-io/distributed-workloads
Length of output: 14111
Regenerate requirements.txt with the aiohttp bump

images/universal/training/th06-cpu-torch210-py312/Dockerfile installs from images/universal/training/th06-cpu-torch210-py312/requirements.txt, and that lockfile still pins aiohttp==3.13.5. The pyproject.toml change to aiohttp~=3.14.0 does not reach the image build, so CVE-2026-34993 stays in the shipped artifact and the split lockfile violates CWE-829. Update the lockfile in the same change or switch the build to install from pyproject.toml.
## Summary

- Add `aiohttp~=3.14.0` to `pyproject.toml` for th06-cpu-torch210-py312 to fix CVE-2026-34993 (arbitrary code execution via untrusted input to CookieJar.load())
- `requirements.txt` still pins `aiohttp==3.13.5` until AIPCC index is updated and requirements are regenerated

## Test plan

- `uv pip compile`