Allowlist mesa CVE-2026-40393 for PT 2.8 EC2 training (CPU and GPU)#6267
Merged
bhanutejagk merged 10 commits intoJun 19, 2026
Merged
Conversation
added 7 commits
June 18, 2026 09:40
…st verification Pin build_frameworks to ["pytorch"] and dlc-pr-pytorch-training to pytorch/training/buildspec-2-8-ec2.yml so the PR exercises only the PT 2.8 EC2 training images (CPU + GPU) where the mesa CVE-2026-40393 allowlist entries were added. Disable inference build, ECS/EKS/EC2 functional jobs, and SageMaker local/remote tests; keep sanity_tests and security_tests on so the ECR enhanced scan path is covered.
… result Update CVE-2026-40393 mesa entry in both EC2 allowlists (CPU and GPU) to match the live ECR scan finding's cvss_v3_score (9.8), cvss_v31_score (9.8), and full description text. The allowlist matcher requires full field equality, so the previous placeholder values prevented the allowlist from suppressing the finding.
Quick-checks asserts dlc_developer_config.toml is in default (merge-ready) state. Revert the PR-scoping toggles that were set for local verification so the gate passes: - build_inference: false -> true - ec2_benchmark_tests: true -> false - sagemaker_efa_tests: true -> false - sagemaker_rc_tests: true -> false - sagemaker_benchmark_tests: true -> false - dlc-pr-pytorch-training buildspec_override: "..." -> ""
sallyseok
approved these changes
Jun 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
Test Plan
Test Result
5307e59 - passed all tests for ec2 image
Toggle if you are merging into master Branch
By default, docker image builds and tests are disabled. Two ways to run builds and tests:
How to use the helper utility for updating dlc_developer_config.toml
Assuming your remote is called
origin(you can find out more withgit remote -v)...python src/prepare_dlc_dev_environment.py -b </path/to/buildspec.yml> -cp originpython src/prepare_dlc_dev_environment.py -b </path/to/buildspec.yml> -t sanity_tests -cp originpython src/prepare_dlc_dev_environment.py -rcp originNOTE: If you are creating a PR for a new framework version, please ensure success of the local, standard, rc, and efa sagemaker tests by updating the dlc_developer_config.toml file:
sagemaker_remote_tests = truesagemaker_efa_tests = truesagemaker_rc_tests = truesagemaker_local_tests = trueHow to use PR description
Use the code block below to uncomment commands and run the PR CodeBuild jobs. There are two commands available:# /buildspec <buildspec_path># /buildspec pytorch/training/buildspec.yml# /tests <test_list># /tests sanity security ec2sanity, security, ec2, ecs, eks, sagemaker, sagemaker-local.Toggle if you are merging into main Branch
PR Checklist
pre-commit run --all-fileslocally before creating this PR. (Read DEVELOPMENT.md for details).