fix(cve): CVE-2026-30922 - update pyasn1 to 0.6.3 [rhoai-2.25] #2140

Open

swattamw2024 wants to merge 2 commits into red-hat-data-services:rhoai-2.25 from swattamw2024:fix/cve-2026-30922-pyasn1-rhoai-2.25-attempt-1

Conversation


@swattamw2024 swattamw2024 commented Apr 20, 2026

CVE Details

| Field | Value |
|---|---|
| CVE ID | CVE-2026-30922 |
| GHSA | GHSA-jr27-m4p2-rc6r |
| Severity | Medium |
| Title | pyasn1 Vulnerable to Denial of Service via Unbounded Recursion |
| Affected | pyasn1 ≤ 0.6.2 |
| Fixed in | 0.6.3 |

Fix Summary

Updated pyasn1 from 0.6.1 to 0.6.3 across all 13 workbench and pipeline runtime images in the rhoai-2.25 branch. pyasn1 is a pure-Python ASN.1 library used for cryptographic operations and X.509 certificate parsing.

Changes

dependencies/cve-constraints.txt

13 pylock.toml files (all workbench + pipeline runtime images):

  • Updated pyasn1: 0.6.1 → 0.6.3
  • New wheel sha256: a80184d120f0864a52a073acc6fc642847d0be408e7c7252f31390c0f4eadcde
  • New sdist sha256: 697a8ecd6d98891189184ca1fa05d1bb00e2f84b5977c481452050549c8a72cf

Files updated:

  • jupyter/trustyai/ubi9-python-3.12/pylock.toml
  • jupyter/datascience/ubi9-python-3.12/pylock.toml
  • jupyter/pytorch/ubi9-python-3.12/pylock.toml
  • jupyter/tensorflow/ubi9-python-3.12/pylock.toml
  • jupyter/rocm/pytorch/ubi9-python-3.12/pylock.toml
  • jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
  • runtimes/datascience/ubi9-python-3.12/pylock.toml
  • runtimes/pytorch/ubi9-python-3.12/pylock.toml
  • runtimes/tensorflow/ubi9-python-3.12/pylock.toml
  • runtimes/rocm-pytorch/ubi9-python-3.12/pylock.toml
  • runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
  • codeserver/ubi9-python-3.12/pylock.toml

Test Results

⚠️ Tests could not be run — hermetic Konflux/cachi2 builds require a full CI environment. Checksums verified against PyPI (files.pythonhosted.org). Post-fix grep confirmed no pyasn1 ≤ 0.6.2 remains in any lock file.

Breaking Changes

None. pyasn1 0.6.3 is backward-compatible with 0.6.1.

Verification Steps

  • Confirm Konflux build pipeline succeeds for affected images
  • Run pip show pyasn1 inside built container to confirm 0.6.3
  • Run pip-audit to verify CVE-2026-30922 no longer flagged

Risk Assessment

Low — pure-Python package, single universal wheel, minor patch release, all 13 images updated consistently.

Jira References

RHOAIENG-54242
RHOAIENG-54241
RHOAIENG-54240
RHOAIENG-54239
RHOAIENG-54238
RHOAIENG-54237
RHOAIENG-54233
RHOAIENG-54232
RHOAIENG-54231
RHOAIENG-54230
RHOAIENG-54229
RHOAIENG-54227
RHOAIENG-54225

Summary by CodeRabbit

  • Chores
    • Updated the pyasn1 dependency to 0.6.3 across multiple deployment configurations and lockfiles.
    • Added a CVE-based minimum-version constraint for pyasn1 to dependency constraints.

Update pyasn1 from 0.6.1 to 0.6.3 across all 13 workbench and
pipeline runtime images to fix Denial of Service via Unbounded
Recursion vulnerability (GHSA-jr27-m4p2-rc6r).

Changes:
- Updated pyasn1 in all 13 pylock.toml files: 0.6.1 → 0.6.3
- Added pyasn1>=0.6.3 constraint to dependencies/cve-constraints.txt

Affected images fixed:
- jupyter/{trustyai,datascience,pytorch,tensorflow,rocm/*,pytorch+llmcompressor}
- runtimes/{datascience,pytorch,tensorflow,rocm-*}
- codeserver/datascience

Resolves: RHOAIENG-54242, RHOAIENG-54241, RHOAIENG-54240, RHOAIENG-54239,
          RHOAIENG-54238, RHOAIENG-54237, RHOAIENG-54233, RHOAIENG-54232,
          RHOAIENG-54231, RHOAIENG-54230, RHOAIENG-54229, RHOAIENG-54227,
          RHOAIENG-54225

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions

@swattamw2024 — This PR is from a fork.
The build-rhoai CI job was skipped because subscription
builds (RHEL, AIPCC) need secrets unavailable to forks.
ODH builds and code quality checks still ran.

Recommended: Push your branch to the main repo for full CI:

git remote add upstream https://github.com/red-hat-data-services/notebooks.git
git push upstream HEAD:swattamw2024/your-branch-name

Then open a new PR from that branch.

No push access? A maintainer will cherry-pick and test your changes.

See CONTRIBUTING.md for details.

@coderabbitai

coderabbitai Bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: bfd409a2-01cb-4649-ae52-0d983f50d40d

📥 Commits

Reviewing files that changed from the base of the PR and between 650926f and a005fba.

📒 Files selected for processing (1)
  • dependencies/cve-constraints.txt
✅ Files skipped from review due to trivial changes (1)
  • dependencies/cve-constraints.txt

📝 Walkthrough

This PR updates the pyasn1 package from 0.6.1 to 0.6.3 across multiple lockfiles and adds a CVE constraint requiring pyasn1>=0.6.3.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CVE Constraint: dependencies/cve-constraints.txt | Added pyasn1>=0.6.3 CVE constraint (new entry). |
| Jupyter lockfiles: jupyter/datascience/ubi9-python-3.12/pylock.toml, jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml, jupyter/pytorch/ubi9-python-3.12/pylock.toml, jupyter/rocm/.../pylock.toml, jupyter/tensorflow/ubi9-python-3.12/pylock.toml, jupyter/trustyai/ubi9-python-3.12/pylock.toml | Bumped pyasn1 0.6.1 → 0.6.3; updated sdist/wheel URLs, upload times, sizes, and SHA-256 hashes. |
| Runtimes lockfiles: runtimes/datascience/ubi9-python-3.12/pylock.toml, runtimes/pytorch/ubi9-python-3.12/pylock.toml, runtimes/rocm-.../pylock.toml, runtimes/rocm-pytorch/.../pylock.toml, runtimes/rocm-tensorflow/.../pylock.toml, runtimes/tensorflow/ubi9-python-3.12/pylock.toml | Bumped pyasn1 0.6.1 → 0.6.3; updated sdist/wheel metadata and hashes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

Suggested labels

review-requested

Suggested reviewers

  • dibryant
  • daniellutz
  • jiridanek
🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and specifically summarizes the main change: a CVE fix updating pyasn1 to 0.6.3, with appropriate branch context. |
| Description check | ✅ Passed | The description is comprehensive and well-structured, including CVE details, fix summary, file changes, test results, breaking change assessment, verification steps, and Jira references. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@openshift-ci openshift-ci Bot requested review from atheo89 and daniellutz April 20, 2026 11:52

openshift-ci Bot commented Apr 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign atheo89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@dependencies/cve-constraints.txt`:
- Line 14: Update the issue key in the dependencies/cve-constraints.txt entry
that currently reads "RHAIENG-3841" to use the project’s correct prefix by
changing it to "RHOAIENG-3841" (i.e., replace the RHAIENG- prefix with
RHOAIENG-), so the CVE comment line referencing CVE-2026-30922 matches the
repository's RHOAIENG-* tracking convention.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 11906daf-808c-48f8-9996-1ffa87768556

📥 Commits

Reviewing files that changed from the base of the PR and between f7e6bfb and 650926f.

📒 Files selected for processing (14)
  • codeserver/ubi9-python-3.12/pylock.toml
  • dependencies/cve-constraints.txt
  • jupyter/datascience/ubi9-python-3.12/pylock.toml
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
  • jupyter/pytorch/ubi9-python-3.12/pylock.toml
  • jupyter/rocm/pytorch/ubi9-python-3.12/pylock.toml
  • jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
  • jupyter/tensorflow/ubi9-python-3.12/pylock.toml
  • jupyter/trustyai/ubi9-python-3.12/pylock.toml
  • runtimes/datascience/ubi9-python-3.12/pylock.toml
  • runtimes/pytorch/ubi9-python-3.12/pylock.toml
  • runtimes/rocm-pytorch/ubi9-python-3.12/pylock.toml
  • runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
  • runtimes/tensorflow/ubi9-python-3.12/pylock.toml
👮 Files not reviewed due to content moderation or server errors (1)
  • codeserver/ubi9-python-3.12/pylock.toml

Comment thread dependencies/cve-constraints.txt Outdated
@crackcodecamp

/kfbuild\s+(all|odh-base-image-rocm-py312-ubi9|base-images/rocm/6.4/ubi9-python-3.12

@san7ket

san7ket commented Apr 22, 2026

/build-konflux

@swattamw2024
Author

@daniellutz could you please review
