[feat]: vulnerabilities for proj 24 and few training image batch 2 (#4960)

yeshsurya · Yeshwanth Nagaraj · web-flow · commit 6097d4ac593d · 2026-04-24T15:53:48.000+05:30
* [feat]: Fix image vulnerabilities

* [feat]: fix forecasting gpu

* [feat]: Resolve vulnerabilities on train and proj 24 images

* Update Dockerfile to fix vulnerabilities and upgrade packages

Removed onnx installation and upgraded several packages including onnx to version 1.21.0 to address vulnerabilities.

* Remove unnecessary conda run command in tensorflow-2.16-cuda12

---------

Co-authored-by: Yeshwanth Nagaraj &lt;ynagaraj@microsoft.com&gt;
diff --git a/assets/training/automl/environments/ai-ml-automl-dnn-text-gpu-ptca/context/Dockerfile b/assets/training/automl/environments/ai-ml-automl-dnn-text-gpu-ptca/context/Dockerfile
@@ -18,7 +18,6 @@ RUN pip install --no-cache-dir \
 
 # onnx and onnxruntime-training installation
 RUN pip uninstall -y onnxruntime
-RUN pip install onnx==1.21.0
 RUN pip uninstall -y onnxruntime-training
 RUN pip install -i https://aiinfra.pkgs.visualstudio.com/PublicPackages/_packaging/onnxruntime-cuda-12/pypi/simple/ onnxruntime-training==1.18.0
 
@@ -45,7 +44,8 @@ RUN pip install --upgrade 'pillow>=12.1.1'
 # setuptools vendors jaraco.context internally; >=82.0.1 bundles the patched version (GHSA-58pv-8j8x-9vj2)
 # Override onnx to fix GHSA-cmw6-hcpp-c6jp, GHSA-538c-55jv-c5g9, GHSA-q56x-g2fj-4rj6, GHSA-p433-9wv8-28xj, GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m
 # Root cause: azureml-automl-runtime==1.62.0 (latest) pins onnx<=1.17.0; cannot upgrade parent
-RUN pip install --upgrade 'wheel>=0.46.2' 'cryptography>=46.0.5' 'setuptools>=82.0.1' 'distributed>=2026.1.0' 'filelock>=3.20.3' 'bokeh>=3.8.2' 'protobuf>=6.33.5' 
+RUN pip install --upgrade 'wheel>=0.46.2' 'cryptography>=46.0.5' 'setuptools>=82.0.1' 'distributed>=2026.1.0' 'filelock>=3.20.3' 'bokeh>=3.8.2' 'protobuf>=6.33.5' 'onnx>=1.21.0'
+
 
 # Vulnerability patches for ptca environment
 # pytest override: GHSA-6w46-j5rx-g56g — from ACPT base image ptca env; base image not yet patched
diff --git a/assets/training/automl/environments/ai-ml-automl-dnn-text-gpu/context/Dockerfile b/assets/training/automl/environments/ai-ml-automl-dnn-text-gpu/context/Dockerfile
@@ -97,6 +97,10 @@ RUN pip list && \
 # Root cause: azureml-automl-dnn-nlp==1.62.0 (latest) pins transformers==4.53.0; cannot upgrade parent
 RUN pip install --no-cache-dir --no-deps 'transformers[sentencepiece,torch]==5.5.4'
 
+# Override transformers to fix GHSA-69w3-r845-3855
+# Root cause: azureml-automl-dnn-nlp==1.62.0 (latest) pins transformers==4.53.0; cannot upgrade parent
+RUN pip install --no-cache-dir --no-deps 'transformers[sentencepiece,torch]==5.5.4'
+
 
 # Upgrade starlette, urllib3, bokeh, PyNaCl & filelock
 # NOTE: azureml-mlflow~=1.62.0 pins cryptography<46.0.0; upgrading anyway for CVE fix
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_adapter_finetune/context/Dockerfile b/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_adapter_finetune/context/Dockerfile
@@ -20,7 +20,9 @@ RUN pip install -r requirements.txt --no-cache-dir
 # onnx: transitive dep of onnxruntime; parent uses onnx>=1.16.0; override needed (GHSA-p433-9wv8-28xj etc.)
 # fastmcp: GHSA-rww4-4w9c-7733, GHSA-m8x7-r2rg-vh5g, GHSA-vv7q-7jx5-f767; >=3.2.0 required
 # requests: transitive dep of azure-core/mlflow; parents use loose floors (GHSA-gc5v-m9x4-r6x2)
-RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 protobuf==6.33.5 cryptography==46.0.7 pyasn1==0.6.3 pillow==12.1.1 'fastmcp>=3.2.0' 'requests>=2.33.0' 'aiohttp>=3.13.4' 'onnx>=1.21.0'
+# Mako: transitive dep (mlflow → alembic → Mako); alembic uses unpinned Mako, cannot force via parent
+# pytest: standalone test dep from base image; no parent to upgrade
+RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 protobuf==6.33.5 cryptography==46.0.7 pyasn1==0.6.3 pillow==12.2.0 'fastmcp>=3.2.0' 'requests>=2.33.0' 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'Mako>=1.3.11' 'pytest>=9.0.3'
 # pip install updates the binary but conda-meta still references old versions; conda install syncs both
 RUN conda install -n ptca -y pip>=26.0.1 wheel>=0.46.2 
 # vulnerability in base conda env
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_adapter_finetune/context/requirements.txt b/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_adapter_finetune/context/requirements.txt
@@ -11,6 +11,6 @@ gdown~=5.2.0
 opencv-python~=4.10.0.84
 pydicom~=2.4.0
 pandas==2.2.3
-mlflow==3.10.1
+mlflow==3.11.1
 setuptools==82.0.0
 filelock>=3.20.1
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding/context/Dockerfile b/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding/context/Dockerfile
@@ -15,13 +15,17 @@ RUN pip install -r requirements.txt --no-cache-dir
 # protobuf is a transitive dep of mlflow-skinny/onnx; parents use loose floors (>=3.12.0), cannot force 6.33.5
 # mlflow 3.5.0 has CVEs (CVE-2025-14287, CVE-2026-2033, CVE-2026-2635); upgrade after requirements install
 # azureml-mlflow pins mlflow-skinny<=3.5.0, so mlflow must be upgraded separately to avoid resolution conflict
-RUN pip install --no-cache-dir mlflow==3.10.1
+# mlflow 3.11.1: GHSA-fh64-r2vc-xvhr requires >=3.11.1
+RUN pip install --no-cache-dir mlflow==3.11.1
 # pyasn1 is a transitive dep (mlflow → databricks-sdk → google-auth → pyasn1-modules → pyasn1);
 # parent packages use loose floors so pip resolves to 0.6.2 which has CVE-2026-30922; override to >=0.6.3
 # onnx: transitive dep of onnxruntime; parent uses onnx>=1.16.0; override needed (GHSA-p433-9wv8-28xj etc.)
 # fastmcp: GHSA-rww4-4w9c-7733, GHSA-m8x7-r2rg-vh5g, GHSA-vv7q-7jx5-f767; >=3.2.0 required
 # requests: transitive dep of azure-core/mlflow; parents use loose floors (GHSA-gc5v-m9x4-r6x2)
-RUN pip install --no-cache-dir --upgrade protobuf==6.33.5 cryptography==46.0.7 pyasn1==0.6.3 pillow==12.1.1 wheel>=0.46.2 'fastmcp>=3.2.0' 'onnx>=1.21.0' 'requests>=2.33.0'
+# pillow: GHSA-whj4-6x5x-4v2j requires >=12.2.0; direct dep override
+# Mako: GHSA-v92g-xgxw-vvmm requires >=1.3.11; transitive via alembic→mlflow, alembic has no version floor on Mako so override needed
+# pytest: GHSA-6w46-j5rx-g56g requires >=9.0.3; installed by base image, no parent to upgrade so override needed
+RUN pip install --no-cache-dir --upgrade protobuf==6.33.5 cryptography==46.0.7 pyasn1==0.6.3 pillow==12.2.0 wheel>=0.46.2 'fastmcp>=3.2.0' 'onnx>=1.21.0' 'requests>=2.33.0' 'Mako>=1.3.11' 'pytest>=9.0.3'
 
 # pip install updates the binary but conda-meta still references old versions; conda install syncs both
 RUN conda install -y -n ptca pip>=26.0.1 wheel>=0.46.2 
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding/context/requirements.txt b/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding/context/requirements.txt
@@ -12,10 +12,10 @@ timm==0.9.12
 numpy==1.22.2
 einops==0.8.1
 fvcore==0.1.5.post20221221
-transformers==4.53.0
+transformers==5.5.4
 sentencepiece==0.2.1
 ftfy==6.3.1
-regex==2024.11.6
+regex==2026.4.4
 vision-datasets==0.2.7
 tenacity==9.0.0
 requests>=2.33.0
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding_generator/context/Dockerfile b/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding_generator/context/Dockerfile
@@ -26,8 +26,13 @@ RUN conda install -y -n ptca pip>=26.0.1 wheel>=0.46.2
 # aiohttp: transitive dep of azure-core; parents use loose floors (GHSA-mwh4-6h8g-pg8w etc.)
 # onnx: transitive dep of onnxruntime; parent uses onnx>=1.16.0; override needed (GHSA-p433-9wv8-28xj etc.)
 # requests: transitive dep of azure-core/mlflow; parents use loose floors (GHSA-gc5v-m9x4-r6x2)
+# pytest comes from the base ACPT image (not a transitive dep of any requirements.txt package);
+# no parent package to upgrade — explicit override required (GHSA-6w46-j5rx-g56g)
+# Mako: transitive dep of mlflow → alembic → Mako; alembic uses loose floor (no version pin),
+# so upgrading mlflow/alembic won't force >=1.3.11 — explicit override required (GHSA-v92g-xgxw-vvmm)
 RUN /opt/conda/envs/ptca/bin/pip install --no-cache-dir --upgrade 'skops>=0.13.0' 'wheel>=0.46.2' \
-    cryptography==46.0.7 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'requests>=2.33.0'
+    cryptography==46.0.7 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'requests>=2.33.0' 'pytest>=9.0.3' \
+    'Mako>=1.3.11'
 
 # Upgrade requests, urllib3, aiohttpin the system Python (3.13) for fixing vulnerability
 # PyJWT 2.10.1 (CVE-2026-32597) is installed in the base conda env (python3.13) from ACPT base image; manually upgrading since base image hasn't been patched yet
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding_generator/context/requirements.txt b/assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding_generator/context/requirements.txt
@@ -1,6 +1,6 @@
 azureml-acft-common-components=={{latest-pypi-version}}
 azureml-acft-contrib-hf-nlp=={{latest-pypi-version}}
-mlflow==3.10.1
+mlflow==3.11.1
 cloudpickle==2.2.1
 colorama==0.4.6
 einops==0.8.0
@@ -20,7 +20,7 @@ sentencepiece==0.2.1
 tenacity==9.0.0
 timm==1.0.13
 tornado>=6.5.5
-transformers==4.53.0
+transformers==5.0.0
 setuptools>=82.0.0
 filelock>=3.20.1
 pillow>=12.1.1
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageparse_finetune/context/Dockerfile b/assets/training/finetune_acft_image/environments/acft_image_medimageparse_finetune/context/Dockerfile
@@ -22,7 +22,8 @@ RUN pip install --no-cache-dir mlflow-skinny==3.10.1
 # nltk: GHSA-gfwx-w7gr-fvh7; >=3.9.4 required
 # pydicom: GHSA-v856-2rf8-9f28; requirements.txt pins ~=2.4.0 allowing vulnerable 2.4.4; override to >=2.4.5
 # requests: transitive dep of azure-core/mlflow; parents use loose floors (GHSA-gc5v-m9x4-r6x2)
-RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 setuptools>=82.0.1 protobuf==6.33.5 cryptography==46.0.7 pillow==12.1.1 'requests>=2.33.0' 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'nltk>=3.9.4' 'pydicom>=2.4.5'
+# pytest: transitive dep from base image; not a direct requirement of any parent package (GHSA-6w46-j5rx-g56g)
+RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 setuptools>=82.0.1 protobuf==6.33.5 cryptography==46.0.7 pillow==12.2.0 'requests>=2.33.0' 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'nltk>=3.9.4' 'pydicom>=2.4.5' 'pytest>=9.0.3'
 # pip install updates the binary but conda-meta still references old versions; conda install syncs both
 RUN conda install -n ptca -y pip>=26.0.1 wheel>=0.46.2
 # vulnerability in base conda env
diff --git a/assets/training/finetune_acft_image/environments/acft_image_medimageparse_finetune/context/requirements.txt b/assets/training/finetune_acft_image/environments/acft_image_medimageparse_finetune/context/requirements.txt
@@ -10,7 +10,7 @@ azureml-dataprep==5.4.1
 timm==0.9.16
 opencv-python-headless==4.11.0.86
 deepspeed==0.15.1
-transformers==4.53.0
+transformers==5.0.0
 open-clip-torch==2.26.1
 sentencepiece==0.2.1
 peft==0.17.1
diff --git a/assets/training/finetune_acft_image/environments/acpt_image_framework_selector/context/Dockerfile b/assets/training/finetune_acft_image/environments/acpt_image_framework_selector/context/Dockerfile
@@ -13,7 +13,9 @@ RUN pip install -r requirements.txt --no-cache-dir
 # aiohttp: transitive dep of azure-core; parents use loose floors (GHSA-mwh4-6h8g-pg8w etc.)
 # onnx: transitive dep of onnxruntime; parent uses onnx>=1.16.0; override needed (GHSA-p433-9wv8-28xj etc.)
 # requests: transitive dep of azure-core/mlflow; parents use loose floors (GHSA-gc5v-m9x4-r6x2)
-RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 cryptography==46.0.7 'setuptools>=82.0.1' 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'requests>=2.33.0'
+# pytest: installed in base ACPT image; no parent package to upgrade (GHSA-6w46-j5rx-g56g, CVE-2025-71176 tmpdir handling)
+# Mako: transitive dep of mlflow -> alembic; alembic requires Mako with no version floor, cannot force >=1.3.11 via parent (GHSA-v92g-xgxw-vvmm)
+RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 cryptography==46.0.7 'setuptools>=82.0.1' 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'requests>=2.33.0' 'pytest>=9.0.3' 'Mako>=1.3.11'
 
 # Flag needed to enable control flow which is in PrP.
 ENV AZURE_ML_CLI_PRIVATE_FEATURES_ENABLED=True
diff --git a/assets/training/finetune_acft_multimodal/environments/acpt_multimodal/context/Dockerfile b/assets/training/finetune_acft_multimodal/environments/acpt_multimodal/context/Dockerfile
@@ -19,7 +19,10 @@ RUN pip install azureml-acft-accelerator=={{latest-pypi-version}}
 # aiohttp: transitive dep of azure-core/datasets; parents use loose floors (GHSA-mwh4-6h8g-pg8w etc.)
 # onnx: onnxruntime-training accepts onnx>=1.16.0; override needed (GHSA-p433-9wv8-28xj etc.)
 # nltk: GHSA-gfwx-w7gr-fvh7; >=3.9.4 required
-RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 protobuf==6.33.5 cryptography==46.0.7 pillow==12.1.1 setuptools>=82.0.1 'requests>=2.33.0' 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'nltk>=3.9.4'
+# pillow: GHSA-whj4-6x5x-4v2j; >=12.2.0 required
+# pytest: pre-installed in ACPT base image; no parent package to upgrade (GHSA-6w46-j5rx-g56g)
+# transformers: final override to ensure >=5.0.0 after azureml-* installs (GHSA-69w3-r845-3855)
+RUN pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 protobuf==6.33.5 cryptography==46.0.7 pillow==12.2.0 setuptools>=82.0.1 'requests>=2.33.0' 'aiohttp>=3.13.4' 'onnx>=1.21.0' 'nltk>=3.9.4' 'pytest>=9.0.3' 'transformers>=5.0.0'
 # pip install updates the binary but conda-meta still references old versions; conda install syncs both
 RUN conda install -y -n ptca pip>=26.0.1 wheel>=0.46.2 
 # vulnerability in base conda env
diff --git a/assets/training/finetune_acft_multimodal/environments/acpt_multimodal/context/requirements.txt b/assets/training/finetune_acft_multimodal/environments/acpt_multimodal/context/requirements.txt
@@ -6,7 +6,7 @@ azureml-acft-contrib-hf-nlp=={{latest-pypi-version}}
 # azureml_acft_multimodal_components=={{latest-pypi-version}}
 # needed by multimodal
 mltable==1.5.0
-transformers==4.53.0
+transformers==5.0.0
 peft==0.4.0
 deepspeed==0.16.9
 optimum==1.23.3
diff --git a/assets/training/forecasting_demand/environments/automl-gpu/context/Dockerfile b/assets/training/forecasting_demand/environments/automl-gpu/context/Dockerfile
@@ -47,9 +47,18 @@ RUN pip install cryptography>=46.0.5
 # fix until the base packages are updated with the new cryptography version. 
 # distributed is transitively pinned at 2023.2.0 by azureml-train-automl-runtime, which depends on dask==2023.2.0 
 # that in turn pulls in the matching distributed version, so it cannot be upgraded independently without updating azureml-train-automl-runtime itself.
+#
+# onnx>=1.21.0 — GHSA-3r9x-f23j-gc73, GHSA-p433-9wv8-28xj, GHSA-q56x-g2fj-4rj6,
+#                GHSA-538c-55jv-c5g9, GHSA-cmw6-hcpp-c6jp, GHSA-hqmj-h5c6-369m
+#   Parent packages cap onnx<=1.17.0; upgrading the parent is not possible because
+#   both azureml-automl-runtime==1.62.0 and azureml-train-automl-runtime==1.62.0
+#   (the latest releases) still enforce onnx<=1.17.0,>=1.16.1.
+#   Override is required to remediate the vulnerability.
+#   Chain: azureml-automl-runtime / azureml-train-automl-runtime -> onnx<=1.17.0
 RUN conda run -p $AZUREML_CONDA_ENVIRONMENT_PATH pip install --upgrade --no-cache-dir \
     'cryptography>=46.0.5' 'setuptools>=79.0.0' 'distributed>=2026.1.0' \
-    'bokeh>=3.8.2'  # bokeh: conda env installs 2.4.3, override needed for GHSA-793v-589g-574v
+    'bokeh>=3.8.2' \
+    'onnx>=1.21.0'
 
 # Clean conda pkgs cache to remove stale vendored copies
 RUN rm -rf /opt/miniconda/pkgs/
diff --git a/assets/training/general/environments/acpt-pytorch-2.2-cuda12.1/context/Dockerfile b/assets/training/general/environments/acpt-pytorch-2.2-cuda12.1/context/Dockerfile
@@ -5,7 +5,7 @@ RUN conda install -n base -c conda-forge pip=26.0 -y
 # These are from base image adding till we get new base image tag
 # PyJWT 2.10.1 (CVE-2026-32597) is installed in the base conda env (python3.13) from ACPT base image; manually upgrading since base image hasn't been patched yet
 # aiohttp 3.12.14 (8 CVEs) and urllib3 2.5.0 (3 CVEs) are also in base env from base image
-RUN conda run -n base python -m pip install --upgrade 'wheel>=0.46.2' 'cryptography>=46.0.5' 'setuptools>=82.0.1' 'PyJWT>=2.12.0' 'aiohttp>=3.13.3' 'urllib3>=2.6.3'
+RUN conda run -n base python -m pip install --upgrade 'wheel>=0.46.2' 'cryptography>=46.0.7' 'setuptools>=82.0.1' 'PyJWT>=2.12.0' 'aiohttp>=3.13.4' 'urllib3>=2.6.3' 'requests>=2.33.0'
 
 
 # Upgrade ptca environment conda packages
@@ -47,7 +47,7 @@ RUN apt-get install -y openssh-server openssh-client
 
 # Fix Vulnerability 
 # TODO: latest version of azureml-mlflow ~ 1.62.0 depends on cryptography<46.0.0
-RUN pip install --upgrade --no-cache-dir 'cryptography>=46.0.5'
+RUN pip install --upgrade --no-cache-dir 'cryptography>=46.0.7'
 # CVE-2026-23949 (jaraco.context) & CVE-2026-24049 (wheel) - upgrade setuptools in ptca and base envs
 # setuptools vendors jaraco.context internally; --force-reinstall --no-deps ensures vendored copies are replaced
 RUN pip install --force-reinstall --no-deps 'setuptools>=82.0.1'
diff --git a/assets/training/general/environments/acpt-pytorch-2.2-cuda12.1/context/requirements.txt b/assets/training/general/environments/acpt-pytorch-2.2-cuda12.1/context/requirements.txt
@@ -12,10 +12,17 @@ MarkupSafe==2.1.2
 regex
 pybind11
 urllib3==2.6.3
-requests==2.32.5
-pillow==12.1.1
-transformers==4.54.1
-aiohttp>=3.12.14
+requests>=2.33.0
+pillow>=12.2.0
+# GHSA-69w3-r845-3855 requires transformers>=5.0.0rc3; upgrading to stable 5.x
+transformers>=5.0.0
+aiohttp>=3.13.4
+# onnx: transitive dep of onnxruntime in base image; parent uses loose floor (>=1.16.0);
+# override needed for GHSA-p433-9wv8-28xj, GHSA-538c-55jv-c5g9, GHSA-cmw6-hcpp-c6jp, GHSA-q56x-g2fj-4rj6, GHSA-hqmj-h5c6-369m
+onnx>=1.21.0
+# pytest: pre-installed in base image ptca conda env (7.4.3); no parent pip package pulls it;
+# override needed for GHSA-6w46-j5rx-g56g
+pytest>=9.0.3
 py-spy==0.3.12
 debugpy~=1.6.3
 ipykernel~=6.0
diff --git a/assets/training/general/environments/acpt-pytorch-2.8-cuda12.6/context/Dockerfile b/assets/training/general/environments/acpt-pytorch-2.8-cuda12.6/context/Dockerfile
@@ -35,10 +35,12 @@ RUN apt-get install -y openssh-server openssh-client
 # Fix security vulnerabilities
 # NOTE: azureml-mlflow~=1.62.0 pins cryptography<46.0.0; upgrading anyway for CVE fix
 # setuptools vendors jaraco.context internally; >=82.0.1 bundles the patched version (GHSA-58pv-8j8x-9vj2)
-RUN pip install --upgrade 'pip>=26.0' 'wheel>=0.46.2' 'cryptography>=46.0.5' 'pillow>=12.1.1' 'protobuf>=6.33.5' 'setuptools>=82.0.1'
+# pytest 7.4.3 (GHSA-6w46-j5rx-g56g) is installed in ptca env from ACPT base image; overriding since base image hasn't been patched yet
+RUN pip install --upgrade 'pip>=26.0' 'wheel>=0.46.2' 'cryptography>=46.0.5' 'pillow>=12.1.1' 'protobuf>=6.33.5' 'setuptools>=82.0.1' 'pytest>=9.0.3'
 # vulnerability in base conda env
 # PyJWT 2.10.1 (CVE-2026-32597) is installed in the base conda env (python3.13) from ACPT base image; manually upgrading since base image hasn't been patched yet
-RUN conda run -n base python -m pip install --upgrade 'pip>=26.0' 'wheel>=0.46.2' 'cryptography>=46.0.5' 'pillow>=12.1.1' 'protobuf>=6.33.5' 'setuptools>=82.0.1' 'PyJWT>=2.12.0'
+# aiohttp 3.13.3 (GHSA-63hf-3vf5-4wqf et al.) is in base conda env; upgrading to >=3.13.4 for multiple CVE fixes
+RUN conda run -n base python -m pip install --upgrade 'pip>=26.0' 'wheel>=0.46.2' 'cryptography>=46.0.5' 'pillow>=12.1.1' 'protobuf>=6.33.5' 'setuptools>=82.0.1' 'PyJWT>=2.12.0' 'aiohttp>=3.13.4'
 # pip install updates the binary but conda-meta still references old versions; conda install syncs both
 RUN conda install -y -n ptca pip>=26.0.1
 RUN conda clean -a -y && rm -rf /opt/miniconda/pkgs/
diff --git a/assets/training/general/environments/acpt-pytorch-2.8-cuda12.6/context/requirements.txt b/assets/training/general/environments/acpt-pytorch-2.8-cuda12.6/context/requirements.txt
@@ -13,7 +13,7 @@ urllib3>=2.6.3
 requests
 pillow>=12.1.1
 transformers
-aiohttp>=3.13.3
+aiohttp>=3.13.4
 py-spy
 debugpy
 ipykernel
diff --git a/assets/training/general/environments/lightgbm-3.3/context/Dockerfile b/assets/training/general/environments/lightgbm-3.3/context/Dockerfile
@@ -54,4 +54,4 @@ RUN conda run -p $CONDA_PREFIX pip install --no-cache-dir \
 # cryptography, pip, setuptools, urllib3, wheel already fixed in openmpi base (20260315.v1)
 # Only override packages still vulnerable after conda env create
 RUN conda run -p $CONDA_PREFIX pip install --no-cache-dir --upgrade \
-    aiohttp==3.13.3 'protobuf>=6.33.5' 'distributed>=2026.1.0'
+    'aiohttp>=3.13.5' 'protobuf>=6.33.5' 'distributed>=2026.1.0'
diff --git a/assets/training/general/environments/sklearn-1.5/context/Dockerfile b/assets/training/general/environments/sklearn-1.5/context/Dockerfile
@@ -52,6 +52,6 @@ RUN conda run -p $CONDA_PREFIX pip install --no-cache-dir \
 # Security vulnerability fixes
 # cryptography, pip, setuptools, urllib3, wheel already fixed in openmpi base (20260315.v1)
 # cryptography: azureml-mlflow==1.62.0 (latest) caps cryptography<46.0.0, so conda env installs 44.x;
-#   override after conda env create to restore 46.0.5
+#   override after conda env create to restore 46.0.7
 RUN conda run -p $CONDA_PREFIX pip install --no-cache-dir --upgrade \
-    aiohttp==3.13.3 cryptography==46.0.5 'distributed>=2026.1.0'
+    aiohttp==3.13.4 cryptography==46.0.7 'distributed>=2026.1.0'
diff --git a/assets/training/general/environments/tensorflow-2.16-cuda12/context/Dockerfile b/assets/training/general/environments/tensorflow-2.16-cuda12/context/Dockerfile
@@ -81,6 +81,8 @@ RUN apt-get update && \
         linux-headers-generic \
         locales \
         openssl \
+        libssl-dev \
+        libssl3 \
         gnupg2 \
         systemd \
         systemd-sysv \
@@ -238,7 +240,6 @@ RUN conda env create -p $CONDA_PREFIX -f conda_dependencies.yaml -q && \
     conda run -p $CONDA_PREFIX pip cache purge && \
     conda clean -a -y
 
-RUN conda run -p $CONDA_PREFIX
 
 RUN HOROVOD_WITH_TENSORFLOW=1  HOROVOD_CUDA_HOME=/usr/local/cuda pip  install --no-cache-dir --no-build-isolation horovod["tensorflow"]==0.28.1
 
@@ -248,7 +249,14 @@ RUN conda run -p $CONDA_PREFIX conda install -c conda-forge openssl
 # Security vulnerability fixes
 # NOTE: azureml-mlflow~=1.62.0 pins cryptography<46.0.0; upgrading anyway for CVE fix
 # setuptools vendors jaraco.context internally; >=82.0.1 bundles the patched version (GHSA-58pv-8j8x-9vj2)
-RUN conda run -p $CONDA_PREFIX pip install --upgrade 'pip>=26.0' 'cryptography>=46.0.5' 'setuptools>=82.0.1' 'protobuf>=5.29.6'
+# Upgrade vulnerable packages in the conda env
+# cryptography>=46.0.7 fixes GHSA-m959-cc7f-wv43 and GHSA-p423-j2cm-9vmq
+# requests>=2.33.0 fixes GHSA-gc5v-m9x4-r6x2
+# pillow>=12.2.0 fixes GHSA-whj4-6x5x-4v2j
+RUN conda run -p $CONDA_PREFIX pip install --upgrade 'pip>=26.0' 'cryptography>=46.0.7' 'setuptools>=82.0.1' 'protobuf>=5.29.6' 'requests>=2.33.0' 'pillow>=12.2.0'
+
+# Upgrade vulnerable packages in the base miniconda env (python3.10)
+RUN pip install --upgrade 'cryptography>=46.0.7' 'requests>=2.33.0'
 
 # This is needed for mpi to locate libpython
 ENV LD_LIBRARY_PATH=$CONDA_PREFIX/lib:$LD_LIBRARY_PATH
diff --git a/assets/training/general/environments/tensorflow-2.16-cuda12/context/conda_dependencies.yaml b/assets/training/general/environments/tensorflow-2.16-cuda12/context/conda_dependencies.yaml
@@ -27,5 +27,5 @@ dependencies:
   - debugpy~=1.6.3
   - idna>=3.7
   - flask-cors==6.0.0
-  - pillow==12.1.1
+  - pillow>=12.2.0  # GHSA-whj4-6x5x-4v2j - bumped from 12.1.1
   
diff --git a/assets/training/vision/environments/automl-dnn-vision-gpu/context/Dockerfile b/assets/training/vision/environments/automl-dnn-vision-gpu/context/Dockerfile
