cp: build: bump starlette to 1.3.1 and tornado to 6.5.6 to fix container CVEs (4396) into r0.5.0#4397
Open
ko3n1g wants to merge 2 commits into
Conversation
…p7-x3pw-xc5r

Remediate two High-severity starlette CVEs in the uv-managed /opt/venv install:

- GHSA-82w8-qh3p-5jfq (request.form() limit bypass DoS), patched in 1.3.1
- GHSA-wqp7-x3pw-xc5r (StaticFiles UNC SSRF, Windows-only), patched in 1.1.0

starlette is transitive (fastapi, mlflow-skinny, prometheus-fastapi-instrumentator, sphinx-autobuild); neither CVE has a 0.x backport, so the floor is pinned via [tool.uv] override-dependencies, matching the existing CVE-remediation pattern.

prometheus-fastapi-instrumentator is bumped 7.0.0 -> 8.0.0 because its 7.x line caps starlette<1.0.0; the 8.x line requires starlette>=1.0.0. fastapi, mlflow-skinny and sphinx-autobuild already permit starlette 1.x.

Does not address the system-level (/usr/local/lib dist-packages) starlette/tornado findings, which live in the fw_final image, not this uv-managed environment.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: oliver könig <okoenig@nvidia.com>
(cherry picked from commit 1ec1c6a)
…fw_final

The fw_final 'Address CVE' block pins packages in the system interpreter (/usr/local/lib/python3.12/dist-packages). Two of those pins are now flagged by the same scan:

- starlette==0.49.1 -> 1.3.1 (GHSA-82w8-qh3p-5jfq, GHSA-wqp7-x3pw-xc5r)
- tornado==6.5.5 -> 6.5.6 (GHSA-mgf9-4vpg-hj56, AsyncHTTPClient gzip-bomb DoS)

This is the system-level counterpart to the uv-managed /opt/venv starlette bump in the previous commit; both installs are flagged separately by the scanner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: oliver könig <okoenig@nvidia.com>
(cherry picked from commit a97dc3f)
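The two commits above remediate the same packages in two separate Python installs, and the scanner flags each install on its own. The following check is an added example (not code from this PR or the project) that queries every interpreter in an image for the floored packages and reports any that are installed below the remediated version; the interpreter paths and the floor for prometheus-fastapi-instrumentator are assumptions drawn from the commit text.

```python
"""Verify CVE-remediation version floors in every Python install of an image."""
import json
import re
import subprocess
import sys

# Floors from the PR: starlette and tornado are the advisory fixes; the
# instrumentator floor is assumed from its 8.x line being the first to allow
# starlette>=1.0.0.
FLOORS = {
    "starlette": "1.3.1",
    "tornado": "6.5.6",
    "prometheus-fastapi-instrumentator": "8.0.0",
}

# Assumed paths: the uv-managed venv and the system interpreter that the
# fw_final Dockerfile pins separately.
INTERPRETERS = ["/opt/venv/bin/python", "/usr/bin/python3"]


def parse_version(v: str) -> tuple:
    """Numeric release segments only; '1.3.1rc1' -> (1, 3, 1). No PEP 440 pre-release ordering."""
    return tuple(int(m.group(0)) if (m := re.match(r"\d+", p)) else 0 for p in v.split("."))


def below_floor(installed: dict, floors: dict = FLOORS) -> dict:
    """Return {package: (installed_version, required_floor)} for installed packages
    that sit below their floor. A package that is absent is not exposed, so it is skipped."""
    findings = {}
    for pkg, floor in floors.items():
        have = installed.get(pkg)
        if have is not None and parse_version(have) < parse_version(floor):
            findings[pkg] = (have, floor)
    return findings


def installed_versions(python_path: str) -> dict:
    """Ask another interpreter which floored packages it has and at what version."""
    probe = ("import importlib.metadata as m, json, sys\n"
             "out = {}\n"
             "for n in json.loads(sys.argv[1]):\n"
             "    try: out[n] = m.version(n)\n"
             "    except m.PackageNotFoundError: out[n] = None\n"
             "print(json.dumps(out))")
    res = subprocess.run([python_path, "-c", probe, json.dumps(list(FLOORS))],
                         capture_output=True, text=True, check=True)
    return json.loads(res.stdout)


if __name__ == "__main__":
    rc = 0
    for py in INTERPRETERS:
        try:
            findings = below_floor(installed_versions(py))
        except (OSError, subprocess.CalledProcessError) as exc:
            print(f"{py}: skipped ({exc})")
            continue
        for pkg, (have, floor) in findings.items():
            print(f"{py}: {pkg} {have} is below required {floor}")
            rc = 1
    sys.exit(rc)
```

Run it inside the built image; a non-zero exit means at least one interpreter still carries a flagged version, which is exactly the case the second commit had to fix after the first one.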
/ok to test dbbd18d
LGTM — clean CVE remediation cherry-pick. Starlette 0.52.1 → 1.3.1, tornado 6.5.5 → 6.5.6, and the companion prometheus-fastapi-instrumentator 7 → 8 override all look correct. Dockerfile pins and uv override-dependencies are consistent.

Suggested test cases: No perf tests impacted.
Cherry-pick of #4396 into r0.5.0. Remediates three High-severity container CVEs across both Python installs in the image:

- /opt/venv (uv.lock): starlette 0.52.1 → 1.3.1 (via [tool.uv] override-dependencies), prometheus-fastapi-instrumentator 7.0.0 → 8.0.0.
- /usr/local/lib/.../dist-packages (docker/Dockerfile.fw_final): starlette 0.49.1 → 1.3.1, tornado 6.5.5 → 6.5.6.

CVEs: GHSA-82w8-qh3p-5jfq, GHSA-wqp7-x3pw-xc5r (starlette), GHSA-mgf9-4vpg-hj56 (tornado).

Clean cherry-pick — uv lock re-validated against the r0.5.0 pyproject.toml (no resolution drift, 347 packages).