
[cve-patch] ray: bump pip 26.0.1->26.1.1, allowlist rustls-webpki#6141

Draft: jinyan-li1 wants to merge 1 commit into main from cve-patch/ray-64fdee

Conversation

@jinyan-li1
Contributor

Purpose

Patch CVEs across Ray DLC images.

Images affected

ray:serve-ml-cpu-v1.0.0, ray:serve-ml-cuda-v1.0.0, ray:serve-ml-sagemaker-cpu-v1.0.0, ray:serve-ml-sagemaker-cuda-v1.0.0

CVEs handled

| CVE | Package | Severity | Affected images | Action |
| --- | --- | --- | --- | --- |
| CVE-2026-6357 | pip | HIGH | cpu, cuda, sm-cpu, sm-cuda | bump 26.0.1 → 26.1.1 (pyproject.toml + uv.lock) |
| GHSA-82j2-j2ch-gfr8 | rustls-webpki | HIGH | cpu, cuda, sm-cpu, sm-cuda | allowlist (vendored in /usr/local/bin/uv; fix 0.104.0-alpha.7 not yet in any released uv version — latest 0.11.16 still ships rustls-webpki 0.103.13) |

Test plan

  • CI security tests pass for cpu and gpu
  • CI sanity tests pass for cpu and gpu
  • CI Ray-specific tests pass

Verified pip==26.1.1 in a cve-patch-test:ray-cpu rebuild on a CPU devbox before pushing.

- Bump pip 26.0.1 → 26.1.1 in docker/ray/pyproject.toml + uv.lock to
  resolve CVE-2026-6357 (HIGH).
- Allowlist GHSA-82j2-j2ch-gfr8 (rustls-webpki vendored in /usr/local/bin/uv;
  fix 0.104.0-alpha.7 not yet in any released uv version).

Verified pip==26.1.1 in cve-patch-test:ray-cpu build on devbox.
