RHOAIENG-65935: CVE-2026-34993 rhoai/odh-training-rocm62-torch24-py311-rhel9: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load() [rhoai-2.25] #892

Merged: sutaakar merged 1 commit into main from autofix/rhoaieng-65935 on Jun 8, 2026

@jira-autofix jira-autofix Bot commented Jun 4, 2026

Summary

  • Tighten aiohttp dependency specifier from >=3.14.0 to ~=3.14.0 in the py311-rocm62-torch241 training image Pipfile
  • Update Pipfile.lock hash to reflect the specifier change (no package version changes)

Details

CVE-2026-34993 requires aiohttp >= 3.14.0. The fix was already in place via RHOAIENG-66020. This change narrows the version constraint from >=3.14.0 (unbounded) to ~=3.14.0 (compatible-release, restricts to 3.14.x patch versions) per repo conventions, preventing unintended major-version upgrades.

Test plan

  • Verified specifier is consistent with other training images (py312-cuda128-torch290, py312-rocm64-torch290, py312-rocm64-torch280)
  • CI pipeline passes
  • CodeRabbit review passed with no actionable findings

@openshift-ci openshift-ci Bot requested review from kryanbeane and pawelpaszki June 4, 2026 19:10

coderabbitai Bot commented Jun 4, 2026

Walkthrough

This PR updates the aiohttp dependency constraint in the py311-rocm62-torch241 training container Pipfile from >=3.14.0 (lower-bound, allowing 3.14.0+) to ~=3.14.0 (compatible-release, restricting to 3.14.x patch versions). The change narrows the version range while maintaining the minimum version intent.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title directly addresses the main change: tightening the aiohttp version constraint to mitigate CVE-2026-34993, which is the primary objective of this pull request. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/runtime/training/py311-rocm62-torch241/Pipfile`:
- Line 41: Update the aiohttp version constraint to allow future minor-version
security patches within major version 3 by replacing the restrictive "~=3.14.0"
specifier with a range like ">=3.14.0,<4.0.0" in the Pipfile entry for aiohttp
so lockfiles still provide exact pins while the manifest permits automatic minor
updates; locate the aiohttp entry and change the constraint accordingly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3e4260b4-d2a8-4af2-a329-57befb5dca62

📥 Commits

Reviewing files that changed from the base of the PR and between 173dded and c479a75.

⛔ Files ignored due to path filters (1)
  • images/runtime/training/py311-rocm62-torch241/Pipfile.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • images/runtime/training/py311-rocm62-torch241/Pipfile

Comment thread images/runtime/training/py311-rocm62-torch241/Pipfile
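
The thread above weighs three specifiers for aiohttp: `>=3.14.0`, `~=3.14.0` and `>=3.14.0,<4.0.0`. The following is an added example, not code from this PR or repository, that shows which releases each one admits relative to the patched floor 3.14.0 stated on this page. It implements only a release-segment subset of PEP 440 with the standard library, and the candidate version numbers are constructed for illustration.

```python
# Added example: evaluates a small subset of PEP 440 specifiers (final releases
# only; no pre/post/dev tags, no wildcards) using only the standard library.
FIXED_IN = "3.14.0"  # patched floor as stated on this page
# Constructed candidate version numbers, not a list of real aiohttp releases.
CANDIDATES = ["3.13.5", "3.14.0", "3.14.2", "3.15.0", "4.0.0"]
OPS = ("~=", ">=", "<=", "==", "!=", ">", "<")  # two-character operators first

def parse(version):
    return tuple(int(part) for part in version.strip().split("."))

def pad(a, b):
    # Zero-pad so that 3.14 and 3.14.0 compare as equal.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def clause_allows(clause, version):
    clause = clause.strip()
    op = next((o for o in OPS if clause.startswith(o)), None)
    if op is None:
        raise ValueError(f"unsupported clause: {clause!r}")
    target = parse(clause[len(op):])
    v, t = pad(parse(version), target)
    if op == "~=":
        if len(target) < 2:
            raise ValueError("~= needs at least two release segments")
        # ~=X.Y.Z is >=X.Y.Z together with ==X.Y.* (only the last segment floats)
        keep = len(target) - 1
        return v >= t and v[:keep] == t[:keep]
    return {">=": v >= t, "<=": v <= t, "==": v == t,
            "!=": v != t, ">": v > t, "<": v < t}[op]

def allows(spec, version):
    if spec.strip() == "*":  # Pipfile's "any version"
        return True
    return all(clause_allows(c, version) for c in spec.split(","))

def audit(spec, floor=FIXED_IN, candidates=CANDIDATES):
    def older(candidate):
        v, f = pad(parse(candidate), parse(floor))
        return v < f
    admitted = [c for c in candidates if allows(spec, c)]
    return {"admitted": admitted, "below_fix": [c for c in admitted if older(c)]}

if __name__ == "__main__":
    for spec in (">=3.14.0", "~=3.14.0", ">=3.14.0,<4.0.0"):
        print(f"{spec:18} {audit(spec)}")
```

A non-empty `below_fix` list means the manifest alone would let a lock refresh resolve to a release older than the fix; the lock file, not the specifier, is what pins the exact version that gets installed.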
@jira-autofix jira-autofix Bot force-pushed the autofix/rhoaieng-65935 branch from aa3726c to 59f5cfc Compare June 5, 2026 23:15

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/runtime/training/py311-rocm62-torch251/Pipfile`:
- Line 15: The patch upgrades transformers to v5 but leaves a call to
unwrapped_model.save_pretrained(...) that still passes the removed
safe_serialization kwarg; remove safe_serialization from the save_pretrained
invocation in examples/ray-finetune-llm-deepspeed/ray_finetune_llm_deepspeed.py
(locate the call to unwrapped_model.save_pretrained and update it to only pass
is_main_process, save_function, and state_dict via accelerator APIs) so
checkpoint saving uses the new default safetensors behavior and avoids a
TypeError.

In `@images/universal/training/th06-rocm64-torch291-py312/pyproject.toml`:
- Line 71: Update the dependency entry for "unsloth~=2026.4.5" in pyproject.toml
to include a brief justification that the bump is security-relevant: mention the
hardening against OS command injection (removal of shell=True), terminal/python
sandbox and sandbox/command-escape fixes, and tightened trust_remote_code
restrictions which mitigate remote code execution for untrusted model repos;
also add a short note recommending pinning to an exact version for reproducible
training if you must avoid further 2026.4.x updates. Ensure this explanatory
text is placed adjacent to the "unsloth~=2026.4.5" entry so reviewers and
maintainers can see the threat-model context.
- Line 35: The change upgrades "transformers~=5.5.0" in pyproject.toml which is
a breaking risk because PEFT 0.18.1 can crash with transformers 5.5.x; add a
compatibility validation: create a CI/workload smoke-test job that installs the
exact pinned versions of peft, trl, instructlab-training, and unsloth and runs a
minimal training+forward pass for the model families exercised by this image
(include a Gemma-4 minimal forward/train scenario) to detect runtime crashes; if
the smoke tests fail, update pyproject.toml to constrain/pin transformers and/or
peft to the known-good combination and ensure the CI job re-runs the smoke test
to validate the pin.

In `@images/universal/training/th06-rocm64-torch291-py312/requirements.txt`:
- Around line 315-316: The requirements pin for nest-asyncio==1.6.0 (noted "via
unsloth") may be unmaintained and incompatible with Python 3.12; instead of
treating this as a CWE/security fix, verify whether nest-asyncio is actually
required transitively by unsloth and either remove the explicit pin, replace it
with a maintained fork (e.g., nest-asyncio2) or pin a version verified to work
on Python 3.12, update the requirements entry accordingly, and run the
test/build matrix on Python 3.12 to confirm no loop_factory TypeError; also add
a short comment next to the requirement documenting why the chosen action was
taken.
- Line 211: The requirements pin for huggingface-hub is vulnerable
(AIKIDO-2026-10911); update the entry for huggingface-hub in requirements.txt
from the pinned 1.10.2 to a safe range such as huggingface-hub>=1.16.0 (or a
newer 1.x) to include the fix, then run tests and validate any breaking changes
in v1 (especially snapshot_download and token/auth/proxy behavior) per the v1
migration notes to ensure no runtime regressions.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b7c794fe-204a-4160-acd3-5da0d9ec19ea

📥 Commits

Reviewing files that changed from the base of the PR and between c479a75 and 76dd185.

⛔ Files ignored due to path filters (2)
  • images/runtime/training/py311-rocm62-torch241/Pipfile.lock is excluded by !**/*.lock
  • images/runtime/training/py311-rocm62-torch251/Pipfile.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • images/runtime/training/py311-rocm62-torch241/Pipfile
  • images/runtime/training/py311-rocm62-torch251/Pipfile
  • images/universal/training/th06-rocm64-torch291-py312/pyproject.toml
  • images/universal/training/th06-rocm64-torch291-py312/requirements.txt
✅ Files skipped from review due to trivial changes (1)
  • images/runtime/training/py311-rocm62-torch241/Pipfile

Comment thread images/runtime/training/py311-rocm62-torch251/Pipfile
Comment thread images/universal/training/th06-rocm64-torch291-py312/pyproject.toml
Comment thread images/universal/training/th06-rocm64-torch291-py312/pyproject.toml
Tighten aiohttp version specifier from >=3.14.0 to ~=3.14.0 in the
py311-rocm62-torch241 training image to address CVE-2026-34993.

The CVE fix (aiohttp 3.14.0) was already applied for related ticket
RHOAIENG-66020. This narrows the upper bound to ~=3.14.0 (>=3.14.0,
<3.15.0) per repo conventions, preventing unintended major-version
upgrades on lock refresh.
@jira-autofix jira-autofix Bot force-pushed the autofix/rhoaieng-65935 branch from 76dd185 to ac57f40 Compare June 8, 2026 10:46
@openshift-ci openshift-ci Bot added the lgtm label Jun 8, 2026
@sutaakar sutaakar merged commit 1d531de into main Jun 8, 2026
2 checks passed
openshift-ci Bot commented Jun 8, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sutaakar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jun 8, 2026
@sutaakar sutaakar deleted the autofix/rhoaieng-65935 branch June 8, 2026 13:49