fix(cve): CVE-2026-40192 - Pillow #2139
@crackcodecamp — This PR is from a fork. Recommended: Push your branch to the main repo for full CI: Then open a new PR from that branch. No push access? A maintainer will cherry-pick and test your changes. See CONTRIBUTING.md for details.
No actionable comments were generated in the recent review. 🎉

Recent review info
Run configuration: Path: .coderabbit.yaml; Review profile: CHILL; Plan: Enterprise
Files selected for processing (15)
Files skipped from review due to trivial changes (6)
Files skipped from review as they are similar to previous changes (4)

Walkthrough
Updated Pillow dependency to 12.2.0 across multiple pylock.toml and one pyproject.toml files; sdist URLs, upload timestamps, sizes, and SHA256 hashes were replaced and wheel artifact lists regenerated to reference Pillow 12.2.0.

Estimated code review effort: 2 (Simple) | ~10 minutes
Pre-merge checks: 4 passed, 1 failed (inconclusive)
Actionable comments posted: 1

Prompt for all review comments with AI agents: Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml`:
- Line 2962: The pinned Pillow entry currently shows version = "12.2.0", which is vulnerable; update the Pillow dependency in the pylock.toml from 12.2.0 to at least 12.2.1 (e.g., set the version value to "12.2.1" or higher), then re-generate/lock dependencies so the lockfile reflects the new safe version; also scan for any other occurrences of the Pillow version string in this file or related lockfiles and update them to the same minimum (>=12.2.1).

Review info
Run configuration: Path: .coderabbit.yaml; Review profile: CHILL; Plan: Pro Plus; Run ID: bb194428-ee51-4854-8a0c-08429dfadcd7
Files selected for processing (15):
- codeserver/ubi9-python-3.12/pylock.toml
- dependencies/odh-notebooks-meta-llmcompressor-deps/pyproject.toml
- jupyter/datascience/ubi9-python-3.12/pylock.toml
- jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
- jupyter/pytorch/ubi9-python-3.12/pylock.toml
- jupyter/rocm/pytorch/ubi9-python-3.12/pylock.toml
- jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
- jupyter/tensorflow/ubi9-python-3.12/pylock.toml
- jupyter/trustyai/ubi9-python-3.12/pylock.toml
- runtimes/datascience/ubi9-python-3.12/pylock.toml
- runtimes/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
- runtimes/pytorch/ubi9-python-3.12/pylock.toml
- runtimes/rocm-pytorch/ubi9-python-3.12/pylock.toml
- runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
- runtimes/tensorflow/ubi9-python-3.12/pylock.toml
Hello @jiridanek @dibryant, whenever you get some time please help review this PR, Thanks!

/unassign jiridanek Out of office this week

/build-konflux

/retest
- Update Pillow from 12.1.0/11.3.0 to 12.2.0 across all images
- Update llmcompressor meta-deps pin from 11.3.0 to 12.2.0
- Addresses FITS GZIP decompression bomb vulnerability (CVSS 8.7 High)
- Pillow 12.2.0 limits data read during FITS image decoding

Resolves: RHOAIENG-58615, RHOAIENG-58614, RHOAIENG-58613, RHOAIENG-58612
Resolves: RHOAIENG-58610, RHOAIENG-58609, RHOAIENG-58608, RHOAIENG-58607
Resolves: RHOAIENG-58601, RHOAIENG-58600, RHOAIENG-58599, RHOAIENG-58598
Resolves: RHOAIENG-58597, RHOAIENG-58596
2298ea2 to 0a406f0
Hello @jiridanek @dibryant @atheo89, whenever you get some time please help review this PR, Thanks!

/lgtm

@atheo89 Could you please help merge this PR?
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: atheo89

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing

4c02c94 into red-hat-data-services:rhoai-3.3
Resolves: RHOAIENG-58615, RHOAIENG-58614, RHOAIENG-58613, RHOAIENG-58612
Resolves: RHOAIENG-58610, RHOAIENG-58609, RHOAIENG-58608, RHOAIENG-58607
Resolves: RHOAIENG-58601, RHOAIENG-58600, RHOAIENG-58599, RHOAIENG-58598
Resolves: RHOAIENG-58597, RHOAIENG-58596
Summary by CodeRabbit
- `pillow` package to version 12.2.0 across multiple environment configurations and development runtimes to ensure consistency and compatibility.