RHOAIENG-64109: Upgrade pip to 26.1.2 to fix CVE-2026-8643 #921
jira-autofix[bot] wants to merge 3 commits into
Upgrade pip to ~=26.1.2 in the odh-training-rocm62-torch24-py311 Dockerfile to remediate CVE-2026-8643, a path traversal vulnerability in wheel installation that allows arbitrary file overwrite via malicious entry point names. The upgrade is placed before the first pip usage to ensure all subsequent operations use the patched version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
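As an added example (not code from this PR, from pip, or from the project), here is a pre-install check that reads `entry_points.txt` from a wheel and flags script entry point names that are not plain file names, which is the pattern the CVE description above refers to. The function names and the sample wheel are constructed for illustration, and the page does not state which name forms the patched pip rejects, so the two checks are an assumption.

```python
import configparser
import io
import zipfile

SCRIPT_GROUPS = ("console_scripts", "gui_scripts")  # groups installers turn into script files

def read_entry_points(wheel_bytes):
    """Return the text of <name>.dist-info/entry_points.txt from a wheel, or ''."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith(".dist-info/entry_points.txt") and member.count("/") == 1:
                return zf.read(member).decode("utf-8")
    return ""

def name_problem(name):
    """Explain why a script name is not a plain file name, else None (assumed checks)."""
    if "/" in name or "\\" in name:
        return "contains a path separator"
    if name in (".", ".."):
        return "is a directory reference"
    return None

def suspicious_entry_points(wheel_bytes):
    """List (group, name, reason) for script entry points with unsafe names."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep names exactly as written in the wheel
    parser.read_string(read_entry_points(wheel_bytes))
    findings = []
    for group in SCRIPT_GROUPS:
        if parser.has_section(group):
            for name in parser[group]:
                reason = name_problem(name)
                if reason:
                    findings.append((group, name, reason))
    return findings

def build_sample_wheel(entry_points_text):
    """Constructed sample: a zip holding only a dist-info/entry_points.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-1.0.dist-info/entry_points.txt", entry_points_text)
    return buf.getvalue()

# Constructed input: one ordinary script name and one that leaves the scripts directory.
SAMPLE = build_sample_wheel(
    "[console_scripts]\ndemo = demo.cli:main\n../../outside/scripts-dir = demo.cli:main\n")

if __name__ == "__main__":
    print(suspicious_entry_points(SAMPLE))
```

A check like this complements the pip upgrade in image builds that consume wheels from indexes the team does not control; it does not replace it.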
[APPROVALNOTIFIER] This PR is NOT APPROVED
No actionable comments were generated in the recent review. 🎉

📝 Walkthrough
Dockerfile modified to inject a RUN step that upgrades pip to 26.1.2 using
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 9 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (9 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@images/runtime/training/py311-rocm62-torch241/Dockerfile`:
- Around line 22-24: The Dockerfile currently upgrades pip with a non-pinned
spec using the RUN pip install --no-cache-dir --upgrade pip~=26.1.2 instruction;
change this to pin pip exactly to the fixed version by replacing that line with
RUN pip install --no-cache-dir --upgrade pip==26.1.2 so builds are deterministic
and ensure this RUN appears before any package installation steps in the same
Dockerfile.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 72b4a4ac-9d59-4143-aaf7-2ab816c9e554
📒 Files selected for processing (1)
images/runtime/training/py311-rocm62-torch241/Dockerfile
Change pip version constraint from ~=26.1.2 (compatible release) to ==26.1.2 (exact pin) per review feedback, ensuring deterministic builds.
Summary
- py311-rocm62-torch241 training image Dockerfile to fix CVE-2026-8643 (path traversal via malicious entry point name in pip wheel installation)
- ==26.1.2) for deterministic builds per reviewer feedback

CVE Details
- distlibscripts)

Test Plan