update urllib3 and gpgv Dockerfile#17439

Merged
ishandhanani merged 2 commits into main from fix/urllib3-cve-2026-21441
Jan 20, 2026
@ishandhanani (Collaborator) commented Jan 20, 2026

Summary

  • Upgrade urllib3 to >=2.6.3
  • Upgrade gpgv in runtime stage

Test plan

  • Verify Docker image builds successfully
  • Verify urllib3 version is >=2.6.3 in the built image
  • Verify gpgv is upgraded in runtime image

🤖 Generated with Claude Code

Upgrade urllib3 to >=2.6.3 to address CVE-2026-21441 (decompression
bomb safeguards bypass when following HTTP redirects).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@gemini-code-assist (Contributor)

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@ishandhanani ishandhanani changed the title [Security] Fix urllib3 CVE-2026-21441 in Dockerfile [Security] Fix urllib3 and gpgv CVEs in Dockerfile Jan 20, 2026
@ishandhanani ishandhanani changed the title [Security] Fix urllib3 and gpgv CVEs in Dockerfile update urllib3 and gpgv Dockerfile Jan 20, 2026
Comment thread docker/Dockerfile Outdated
&& rm -rf /var/lib/apt/lists/*

# Security: Upgrade gpgv to address CVE-2025-68973 (armor parser OOB write)
RUN apt-get update && apt-get upgrade -y gpgv && rm -rf /var/lib/apt/lists/*
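Review bot: On the added `RUN apt-get update && apt-get upgrade -y gpgv` line, nothing confirms that the installed gpgv is a build that contains the fix for CVE-2025-68973; the layer succeeds even when the configured mirror offers no newer package, so the comment above it can be untrue for a given image. Consider `apt-get install -y --only-upgrade gpgv`, which is scoped to the named package (`apt-get upgrade` is not), followed by a `dpkg-query -W gpgv` check against the distribution's fixed version so the build fails when the fix is absent. Folding this into the preceding apt layer, before its `rm -rf /var/lib/apt/lists/*`, would also avoid a second `apt-get update` and an extra image layer.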
Should be gnupg2, gpgv is just a dependency of this package.

@ishandhanani ishandhanani force-pushed the fix/urllib3-cve-2026-21441 branch 2 times, most recently from 652deea to 4de81a9 Compare January 20, 2026 22:40
Install gnupg2 in the runtime container to address CVE-2025-68973
(out-of-bounds write in armor parser).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@ishandhanani ishandhanani force-pushed the fix/urllib3-cve-2026-21441 branch from 4de81a9 to 5eee8c0 Compare January 20, 2026 22:40
@ishandhanani ishandhanani merged commit 1e30903 into main Jan 20, 2026
47 checks passed
@ishandhanani ishandhanani deleted the fix/urllib3-cve-2026-21441 branch January 20, 2026 22:47
gmixiaojin pushed a commit to gmixiaojin/sglang that referenced this pull request Jan 21, 2026
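
The urllib3 item in the test plan above can be turned into a build gate. This is an added example, not code from this PR or the sglang repository: it checks `pip freeze` output from a built image against the `>=2.6.3` floor stated in the summary and fails closed on missing, unpinned or pre-release versions. The sample freeze text and all function names are constructed for illustration.

```python
import re
import sys

# Floor from the PR summary. The sample freeze text below is constructed.
FLOORS = {"urllib3": "2.6.3"}
PATCHED = "requests==2.32.3\nurllib3==2.6.3\n"
STALE = "requests==2.32.3\nurllib3==2.5.0\n"

def normalize(name):
    """PEP 503 name normalization, so URLLIB3 and urllib3 compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    """Numeric release as a tuple, or None for anything that is not a plain
    final release (2.6.3rc1 sorts below 2.6.3, so it must not pass)."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 2.6 and 2.6.0 alike
        parts.pop()
    return tuple(parts)

def installed_versions(freeze_text):
    """Map normalized name -> version for every `name==version` line."""
    found = {}
    for line in freeze_text.splitlines():
        m = re.match(r"([A-Za-z0-9._-]+)==([^\s;]+)", line.strip())
        if m:
            found[normalize(m.group(1))] = m.group(2)
    return found

def violations(freeze_text, floors=FLOORS):
    """Return one message per package that is missing or below its floor."""
    found = installed_versions(freeze_text)
    problems = []
    for name, floor in floors.items():
        have = found.get(normalize(name))
        parsed = release_tuple(have) if have else None
        if parsed is None or parsed < release_tuple(floor):
            problems.append(f"{name}: found {have!r}, need >={floor}")
    return problems

if __name__ == "__main__":
    issues = violations(sys.stdin.read())
    print("\n".join(issues) or "ok")
    sys.exit(1 if issues else 0)
```

Piping `pip freeze` from a container of the built image into this script makes the CI step exit non-zero when the floor is not met.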