diff --git a/dependencies/cve-constraints.txt b/dependencies/cve-constraints.txt
index 1180ae1282..620a949812 100644
--- a/dependencies/cve-constraints.txt
+++ b/dependencies/cve-constraints.txt
@@ -14,4 +14,5 @@ urllib3>=2.6.0
 # RHAIENG-2893: CVE-2026-0897 Keras: Denial of Service via crafted HDF5 weight loading file
 keras>=3.13.1
 # RHAIENG-3210: CVE-2026-25990 Pillow: Out-of-bounds Write via Specially Crafted PSD Image
-pillow>=12.1.1
\ No newline at end of file
+# RHOAIENG-58615: CVE-2026-40192 Pillow: FITS GZIP decompression bomb
+pillow>=12.2.0
\ No newline at end of file
diff --git a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
index abfd2f9d29..b1d4988f9e 100644
--- a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
+++ b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
@@ -67,4 +67,6 @@ override-dependencies = [
 "urllib3>=2.6.0",
 # AIPCC-13675: protobuf 6.33.6+ UPB C extension segfaults on s390x
 "protobuf==6.31.1",
+ # RHOAIENG-58615: CVE-2026-40192 Pillow FITS GZIP decompression bomb
+ "pillow>=12.2.0",
 ]
diff --git a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
index 7d8a80a340..fcf1fa94de 100644
--- a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
+++ b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
@@ -463,9 +463,9 @@ pathvalidate==3.3.1 ; python_full_version >= '3.12' and implementation_name == ' --hash=sha256:6845e0cf9051b31d455a449acda5983114ce2c7085b81337e102c6517b71795d pexpect==4.9.0 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ --hash=sha256:8b376d8ae1d099528b1b0958be10c4489d636dc5e310b7f38c0fbc5d2f66e335 -pillow==12.1.1 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ - --hash=sha256:e34837e0501bda7d589613bd59ff689dde7adc9775cb7441b0ea4bc76a711d68 \ - --hash=sha256:893f8370df4aa50b75e4f7453649d86886f3c45da7b7c9c75122a0b55640af1d +pillow==12.2.0 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ + --hash=sha256:a447355e5ddcb989f812d9ad0e0dee22a031c4f09f1114335dad01f84c03b82a \ + --hash=sha256:57a03b7853ede0c0739f7ba8e54cf97c2ab1ac96e85360c63ab10760c22eeecc pip==26.1 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ --hash=sha256:6d99d736160d98557f1eae8db814c273b9d3ea87a470c97d7dd92f2bf68c0e0d platformdirs==4.9.6 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ diff --git a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml index 8a421c9255..3a4ba79ffe 100644 --- a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml +++ b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml 
@@ -1392,11 +1392,11 @@ wheels = [{ url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoa [[packages]] name = "pillow" -version = "12.1.1" +version = "12.2.0" marker = "python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux'" wheels = [ - { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.1.1-8-cp312-cp312-linux_aarch64.whl", upload-time = 2026-02-23T20:53:44Z, size = 1369606, hashes = { sha256 = "e34837e0501bda7d589613bd59ff689dde7adc9775cb7441b0ea4bc76a711d68" } }, - { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.1.1-8-cp312-cp312-linux_x86_64.whl", upload-time = 2026-02-23T21:17:22Z, size = 1403253, hashes = { sha256 = "893f8370df4aa50b75e4f7453649d86886f3c45da7b7c9c75122a0b55640af1d" } }, + { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.2.0-8-cp312-cp312-linux_aarch64.whl", upload-time = 2026-04-01T15:55:25Z, size = 1379355, hashes = { sha256 = "a447355e5ddcb989f812d9ad0e0dee22a031c4f09f1114335dad01f84c03b82a" } }, + { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.2.0-8-cp312-cp312-linux_x86_64.whl", upload-time = 2026-04-01T15:56:39Z, size = 1411808, hashes = { sha256 = "57a03b7853ede0c0739f7ba8e54cf97c2ab1ac96e85360c63ab10760c22eeecc" } }, ] [[packages]] diff --git a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml index d6167de0c2..7ba09b791d 100644 --- a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml +++ b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml 
@@ -49,4 +49,6 @@ override-dependencies = [ "urllib3>=2.6.0", # AIPCC-13675: protobuf 6.33.6+ UPB C extension segfaults on s390x "protobuf==6.31.1", + # RHOAIENG-58615: CVE-2026-40192 Pillow FITS GZIP decompression bomb + "pillow>=12.2.0", ] diff --git a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt index 67681c2753..95eeb68ac1 100644 --- a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt +++ b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt @@ -318,9 +318,9 @@ pathvalidate==3.3.1 ; python_full_version >= '3.12' and implementation_name == ' --hash=sha256:6845e0cf9051b31d455a449acda5983114ce2c7085b81337e102c6517b71795d pexpect==4.9.0 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ --hash=sha256:8b376d8ae1d099528b1b0958be10c4489d636dc5e310b7f38c0fbc5d2f66e335 -pillow==12.1.1 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ - --hash=sha256:e34837e0501bda7d589613bd59ff689dde7adc9775cb7441b0ea4bc76a711d68 \ - --hash=sha256:893f8370df4aa50b75e4f7453649d86886f3c45da7b7c9c75122a0b55640af1d +pillow==12.2.0 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ + --hash=sha256:a447355e5ddcb989f812d9ad0e0dee22a031c4f09f1114335dad01f84c03b82a \ + --hash=sha256:57a03b7853ede0c0739f7ba8e54cf97c2ab1ac96e85360c63ab10760c22eeecc pip==26.1 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ --hash=sha256:6d99d736160d98557f1eae8db814c273b9d3ea87a470c97d7dd92f2bf68c0e0d platformdirs==4.9.6 ; python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux' \ 
diff --git a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml index 17cb44ef6a..12dbdc5caa 100644 --- a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml +++ b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml @@ -959,11 +959,11 @@ wheels = [{ url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoa [[packages]] name = "pillow" -version = "12.1.1" +version = "12.2.0" marker = "python_full_version >= '3.12' and implementation_name == 'cpython' and sys_platform == 'linux'" wheels = [ - { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.1.1-8-cp312-cp312-linux_aarch64.whl", upload-time = 2026-02-23T20:53:44Z, size = 1369606, hashes = { sha256 = "e34837e0501bda7d589613bd59ff689dde7adc9775cb7441b0ea4bc76a711d68" } }, - { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.1.1-8-cp312-cp312-linux_x86_64.whl", upload-time = 2026-02-23T21:17:22Z, size = 1403253, hashes = { sha256 = "893f8370df4aa50b75e4f7453649d86886f3c45da7b7c9c75122a0b55640af1d" } }, + { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.2.0-8-cp312-cp312-linux_aarch64.whl", upload-time = 2026-04-01T15:55:25Z, size = 1379355, hashes = { sha256 = "a447355e5ddcb989f812d9ad0e0dee22a031c4f09f1114335dad01f84c03b82a" } }, + { url = "https://packages.redhat.com/api/pulp-content/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/pillow-12.2.0-8-cp312-cp312-linux_x86_64.whl", upload-time = 2026-04-01T15:56:39Z, size = 1411808, hashes = { sha256 = "57a03b7853ede0c0739f7ba8e54cf97c2ab1ac96e85360c63ab10760c22eeecc" } }, ] [[packages]]