
fix CVE-2026-23490 -- add pyasn1>=0.6.2 override (runtimes + jupyter) #2191

Closed

BabbarPB08 wants to merge 1 commit into red-hat-data-services:rhoai-3.3 from BabbarPB08:runtime-jupyter-cve-2026-23490

Conversation

@BabbarPB08

@BabbarPB08 BabbarPB08 commented May 5, 2026

Summary

  • Adds pyasn1>=0.6.2 to override-dependencies in 14 image pyproject.toml files
  • Regenerates pylock.toml files (pyasn1 0.6.1 -> 0.6.3)

Jira Tickets

RHOAIENG-59303, RHOAIENG-59304, RHOAIENG-59305, RHOAIENG-59307,
RHOAIENG-59308, RHOAIENG-59309, RHOAIENG-59313, RHOAIENG-59314,
RHOAIENG-59315, RHOAIENG-59316, RHOAIENG-59317, RHOAIENG-59318,
RHOAIENG-59320, RHOAIENG-59321, RHOAIENG-59322, RHOAIENG-59323

How Has This Been Tested?

  • Lock files regenerated successfully for all 14 targeted images using bash scripts/pylocks_generator.sh public-index <dir>
  • Verified pyasn1 version upgraded from 0.6.1 to 0.6.3 in all regenerated pylock.toml files
  • pytorch+llmcompressor excluded due to pre-existing pillow conflict (unrelated to this change)

Note

pytorch+llmcompressor images (RHOAIENG-59306, RHOAIENG-59319) excluded due to
pre-existing pillow conflict (llmcompressor==0.9.0 requires pillow<=12.0.0 vs
pillow==12.2.0 from CVE-2026-40192 fix).

Test Plan

  • Lock files regenerate cleanly (14/14 targeted images)
  • pyasn1 version verified >= 0.6.2 in all pylock.toml files
  • CI pipeline passes
  • Trivy/Clair scans confirm CVE is not flagged

@openshift-ci openshift-ci Bot requested review from jiridanek and ysok May 5, 2026 09:22
@openshift-ci

openshift-ci Bot commented May 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jiridanek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented May 5, 2026

Walkthrough

This PR adds a security vulnerability fix by enforcing pyasn1>=0.6.2 across 14 container image variant configurations to address CVE-2026-23490, a DoS vulnerability in malformed RELATIVE-OID parsing. The override is applied consistently to all ubi9-python-3.12 variants across the codeserver, jupyter, and runtimes environment families.

Changes

Security Dependency Override for pyasn1

Layer: Dependency Override Configuration
File(s): codeserver/ubi9-python-3.12/pyproject.toml, jupyter/*/ubi9-python-3.12/pyproject.toml, jupyter/rocm/*/ubi9-python-3.12/pyproject.toml, runtimes/*/ubi9-python-3.12/pyproject.toml, runtimes/rocm-*/ubi9-python-3.12/pyproject.toml
Summary: Added pyasn1>=0.6.2 to [tool.uv].override-dependencies with inline CVE-2026-23490 comment across all UBI9 Python 3.12 container variants. For files without prior override-dependencies sections, the entire [tool.uv] section is created; for others, the new constraint is prepended to existing overrides.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

review-requested

Suggested reviewers

  • dibryant
  • ysok
  • jiridanek
Pre-merge checks: 5 passed

  • Title check: Passed. The PR title clearly and concisely summarizes the main change: adding a pyasn1>=0.6.2 override to address CVE-2026-23490 across multiple container image configurations.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The PR description is well-structured and covers all major required sections from the template including Summary, Jira Tickets, How Has This Been Tested, and a detailed Test Plan.


@github-actions

github-actions Bot commented May 5, 2026

@BabbarPB08 — This PR is from a fork.
The build-rhoai CI job was skipped because subscription
builds (RHEL, AIPCC) need secrets unavailable to forks.
ODH builds and code quality checks still ran.

Recommended: Push your branch to the main repo for full CI:

git remote add upstream https://github.com/red-hat-data-services/notebooks.git
git push upstream HEAD:BabbarPB08/your-branch-name

Then open a new PR from that branch.

No push access? A maintainer will cherry-pick and test your changes.

See CONTRIBUTING.md for details.

@BabbarPB08

Closing: lock files were regenerated with public-index causing massive diff. Will re-raise from the main repo with only pyproject.toml changes.

@BabbarPB08 BabbarPB08 closed this May 5, 2026
