Update Python packages to handle CVEs.

puneetmatharu · puneetmatharu · commit fbe23c42c197 · 2026-02-09T13:38:27.000Z
diff --git a/ML-Frameworks/pytorch-aarch64/Dockerfile b/ML-Frameworks/pytorch-aarch64/Dockerfile
@@ -42,10 +42,10 @@ ENV PATH="/home/$DOCKER_USER/.venv/bin:${PATH}"
 # Install uv for quicker package installations
 RUN pip install uv==0.9.29
 
-# Update to newer pip/setuptools/wheel (setuptools >= 70.0.0 due to CVE-2024-6345
-# and CVE-2025-47273, wheel >= 0.38.0 due to CVE-2022-40898) and delete old system
-# version (we essentially use apt:python3-pip to bootstrap pip)
-RUN uv pip install --upgrade pip~=25.2 setuptools~=78.1.1 wheel~=0.45.1
+# Update to newer pip/setuptools/wheel:
+#  - setuptools >= 70.0.0 due to CVE-2024-6345 and CVE-2025-47273
+#  - wheel >= 0.38.0 due to CVE-2022-40898 and >= 0.46.2 due to CVE-2026-24049
+RUN uv pip install --upgrade pip~=26.0 setuptools~=78.1.1 wheel~=0.46.2
 
 # Install non-torch requirements
 COPY --chown=$DOCKER_USER:$DOCKER_USER requirements.txt .
diff --git a/ML-Frameworks/pytorch-aarch64/requirements.txt b/ML-Frameworks/pytorch-aarch64/requirements.txt
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2024, 2025 Arm Limited and affiliates.
+# SPDX-FileCopyrightText: Copyright 2024-2026 Arm Limited and affiliates.
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -37,4 +37,4 @@ tqdm~=4.66.5
 transformers~=4.55.2  # >= 4.50.0 due to CVE-2025-2099
 typing_extensions~=4.12.2
 tzdata==2024.2
-urllib3~=2.2.3
+urllib3~=2.6.3 # >= 2.6.3 due to CVE-2026-21441
diff --git a/ML-Frameworks/tensorflow-aarch64/Dockerfile b/ML-Frameworks/tensorflow-aarch64/Dockerfile
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2020-2025 Arm Limited and affiliates.
+# SPDX-FileCopyrightText: Copyright 2020-2026 Arm Limited and affiliates.
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -82,10 +82,10 @@ RUN python -m venv /home/$DOCKER_USER/.venv
 # Make the venv python/pip first on PATH for all subsequent layers and at runtime
 ENV PATH="/home/$DOCKER_USER/.venv/bin:$PATH"
 
-# Update to newer pip/setuptools/wheel (setuptools >= 70.0.0 due to CVE-2024-6345
-# and CVE-2025-47273, wheel >= 0.38.0 due to CVE-2022-40898) and delete old system
-# version (we essentially use apt:python3-pip to bootstrap pip)
-RUN pip install --upgrade pip~=25.2 setuptools~=78.1.1 wheel~=0.45.1
+# Update to newer pip/setuptools/wheel:
+#  - setuptools >= 70.0.0 due to CVE-2024-6345 and CVE-2025-47273
+#  - wheel >= 0.38.0 due to CVE-2022-40898 and >= 0.46.2 due to CVE-2026-24049
+RUN pip install --upgrade pip~=26.0 setuptools~=78.1.1 wheel~=0.46.2
 
 # Check TENSORFLOW_WHEEL was set and copy
 RUN test -n "$TENSORFLOW_WHEEL"
diff --git a/ML-Frameworks/tensorflow-aarch64/requirements.txt b/ML-Frameworks/tensorflow-aarch64/requirements.txt
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and affiliates.
+# SPDX-FileCopyrightText: Copyright 2025, 2026 Arm Limited and affiliates.
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -18,3 +18,4 @@ tokenizers~=0.21.0
 tqdm~=4.67.1
 transformers~=4.53.0
 tzdata==2025.1
+urllib3~=2.6.3 # >= 2.6.0 due to CVE-2025-66418 and CVE-2025-66471, and >= 2.6.3 due to CVE-2026-21441

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# SPDX-FileCopyrightText: Copyright 2025 Arm Limited and affiliates.`
	`1`	`+# SPDX-FileCopyrightText: Copyright 2025, 2026 Arm Limited and affiliates.`
`2`	`2`	`#`
`3`	`3`	`# SPDX-License-Identifier: Apache-2.0`
`4`	`4`
`@@ -18,3 +18,4 @@ tokenizers~=0.21.0`
`18`	`18`	`tqdm~=4.67.1`
`19`	`19`	`transformers~=4.53.0`
`20`	`20`	`tzdata==2025.1`
	`21`	`+urllib3~=2.6.3 # >= 2.6.0 due to CVE-2025-66418 and CVE-2025-66471, and >= 2.6.3 due to CVE-2026-21441`