Week 20: vuln fixes for ACFT images (hf-nlp/image/multimodal) (#5059)

Includes: acpt, acpt-draft, acft_image_huggingface, acft_image_medimageinsight_*, acft_image_medimageparse_finetune, acft_image_mmdetection, acft_video_mmtracking, acpt_image_framework_selector, acpt_multimodal.

Author: yeshsurya

assets/training/finetune_acft_hf_nlp/environments/acpt-draft/context/Dockerfile

@@ -2,6 +2,35 @@
 FROM mcr.microsoft.com/aifx/acpt/stable-ubuntu2204-cu126-py310-torch280:{{latest-image-tag:biweekly\.\d{6}\.\d{1}.*}}
 USER root
 
+# USN-8227-1 (curl/libcurl4/libcurl3-gnutls), USN-8233-1 (libnghttp2-14),
+# USN-8251-1 (libpng16-16), USN-8229-1 (sed): Ubuntu 22.04 system packages
+# installed in the base image. The base image tag already pins to the latest
+# biweekly build, but it has not yet picked up these jammy-security updates.
+# Direct apt upgrade is the only fix path.
+RUN apt-get -y update && apt-get -y upgrade && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# GHSA-jp4c-xjxw-mgf9 (CVE-2026-6357): pip<26.1 self-update vulnerability.
+# pip has no parent package — it is shipped directly by the base image in both
+# conda envs (base: python3.13 / ptca: python3.10), so we upgrade both via
+# conda-forge and remove the leftover dist-info / conda-meta entries from the
+# old 26.0.1 so the SBOM scanner does not double-detect the vulnerable version.
+RUN conda install -y -n base -c conda-forge pip==26.1.1 && \
+    conda install -y -n ptca -c conda-forge pip==26.1.1 && \
+    rm -rf /opt/conda/lib/python3.13/site-packages/pip-26.0*.dist-info && \
+    rm -f /opt/conda/conda-meta/pip-26.0*.json && \
+    rm -rf /opt/conda/envs/ptca/lib/python3.10/site-packages/pip-26.0*.dist-info && \
+    rm -f /opt/conda/envs/ptca/conda-meta/pip-26.0*.json && \
+    conda clean -ay
+
+# GHSA-qccp-gfcp-xxvc (CVE-2026-44431), GHSA-mf9v-mfxr-j63j (CVE-2026-44432):
+# urllib3 streaming-API vulnerabilities; patched in urllib3>=2.7.0. Only the
+# base conda env (python3.13) ships the vulnerable urllib3 2.6.3 as a transitive
+# dep (pulled by requests/other HTTP clients in the base image). No parent
+# package pins urllib3<2.7.0 with a tight upper bound, so a direct upgrade in
+# the base env is the simplest fix.
+RUN /opt/conda/bin/python -m pip install --no-cache-dir --upgrade 'urllib3>=2.7.0'
+
 COPY requirements.txt .
 RUN pip install -r requirements.txt --no-cache-dir
 # GHSA-jx93-g359-86wm, GHSA-hvwj-8w5g-28rg: sglang vulnerabilities; patched in >=0.5.10

assets/training/finetune_acft_hf_nlp/environments/acpt/context/Dockerfile

@@ -30,14 +30,20 @@ RUN pip install --upgrade --no-cache-dir 'fastmcp>=3.2.0'
 # Mako: transitive dep (mlflow → alembic → Mako); alembic has no version constraint; override needed (GHSA-v92g-xgxw-vvmm)
 # python-dotenv: transitive dep (fastmcp → python-dotenv); fastmcp 3.2.4 uses >=1.1.0; override needed (GHSA-mf9w-mj56-hr94)
 # onnx: azureml-acft-accelerator 0.0.89 caps onnx<=1.17.0; override needed for GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m etc.
-# skops: transitive dep (mlflow → skops); pip resolves to 0.11.0 which has CVE-2025-54412/54413/54886
+# skops: transitive dep (mlflow → skops); mlflow 3.12.0 declares 'skops<1' (loose floor), so pip
+#        resolves to 0.11.0 which has CVE-2025-54412/54413/54886
 #        (GHSA-m7f4-hrc6-fwg3, GHSA-4v6w-xpmh-gfgp, GHSA-378x-6p4f-8jgm); override to >=0.13.0
-RUN pip install --upgrade --no-cache-dir pyasn1==0.6.3 'python-multipart>=0.0.26' 'Mako>=1.3.11' 'python-dotenv>=1.2.2' 'onnx>=1.21.0' 'skops>=0.13.0'
-
-# python-dotenv 1.2.1 in base conda env (python3.13) from ACPT base image needs upgrade (GHSA-mf9w-mj56-hr94)
-# parents in base env are anaconda-auth (no version pin) and pydantic-settings (>=0.21.0); both use loose floors
-# so upgrading parents does not pull in 1.2.2; direct override required until base image refreshes
-RUN conda run -n base python -m pip install --upgrade --no-cache-dir 'python-dotenv>=1.2.2'
+# urllib3: transitive dep brought in by many parents (requests, botocore, kubernetes, etc.); the closest
+#          parent `requests` 2.34.2 declares `urllib3>=1.26,<3` (loose floor) so upgrading requests does
+#          not pull urllib3>=2.7.0; direct override required for GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc
+RUN pip install --upgrade --no-cache-dir pyasn1==0.6.3 'python-multipart>=0.0.26' 'Mako>=1.3.11' 'python-dotenv>=1.2.2' 'onnx>=1.21.0' 'skops>=0.13.0' 'urllib3>=2.7.0'
+
+# Base conda env (python3.13) overrides from ACPT base image:
+# - python-dotenv 1.2.1: parents anaconda-auth (no pin) and pydantic-settings (>=0.21.0) use loose
+#   floors so upgrading them does not pull in 1.2.2; direct override (GHSA-mf9w-mj56-hr94).
+# - urllib3 2.6.3: parents requests (>=1.26,<3) and others use loose floors; direct override
+#   required for GHSA-mf9v-mfxr-j63j and GHSA-qccp-gfcp-xxvc until base image refreshes.
+RUN conda run -n base python -m pip install --upgrade --no-cache-dir 'python-dotenv>=1.2.2' 'urllib3>=2.7.0'
 
 # pip 26.0.1 in both base (python3.13) and ptca (python3.10) conda envs from ACPT base image needs upgrade
 # (GHSA-jp4c-xjxw-mgf9 / CVE-2026-6357; fixed in 26.1). pip is the package manager itself, bundled by conda;

assets/training/finetune_acft_hf_nlp/environments/acpt/context/requirements.txt

@@ -10,7 +10,7 @@ datasets==4.7.0
 evaluate==0.4.5
 optimum==1.27.0
 accelerate==1.7.0
-diffusers==0.33.1
+diffusers>=0.38.0
 onnxruntime==1.22.0
 rouge-score==0.1.2
 sacrebleu==2.4.0

assets/training/finetune_acft_image/environments/acft_image_huggingface/context/Dockerfile

@@ -28,17 +28,24 @@ RUN pip install -r requirements.txt --no-cache-dir
 # pytest: comes from the base ACPT image (not a hard runtime dep of any requirements.txt package;
 #   azureml-acft-accelerator only pins pytest~=5.3.0 under extras_require [test]); base image ships
 #   7.4.3 which has GHSA-6w46-j5rx-g56g; no parent package to upgrade — explicit override required (>=9.0.3)
-RUN pip install --no-cache-dir --upgrade 'onnx>=1.21.0' pyasn1==0.6.3 'fastmcp>=3.2.0' 'Mako>=1.3.12' 'GitPython>=3.1.47' 'python-dotenv>=1.2.2' 'pillow>=12.2.0' 'pytest>=9.0.3'
+# urllib3: transitive dep of requests/botocore/etc.; parent packages use loose
+#   floors (requests>=2.33 allows urllib3<3,>=1.21.1) so pip won't pull a newer
+#   urllib3 on its own. Base image still ships 2.6.3 in the base conda env,
+#   vulnerable to GHSA-qccp-gfcp-xxvc and GHSA-mf9v-mfxr-j63j; override to >=2.7.0.
+RUN pip install --no-cache-dir --upgrade 'onnx>=1.21.0' pyasn1==0.6.3 'fastmcp>=3.2.0' 'Mako>=1.3.12' 'GitPython>=3.1.47' 'python-dotenv>=1.2.2' 'pillow>=12.2.0' 'pytest>=9.0.3' 'urllib3>=2.7.0'
 # python-dotenv in base conda env: transitive dep of uvicorn[standard] (>=0.13); loose floor,
 #   base image has 1.2.1 which has GHSA-mf9w-mj56-hr94; override to >=1.2.2
+# urllib3 in base conda env: same root cause as above — base ships 2.6.3 via
+#   requests/botocore transitive chain; override to >=2.7.0 for
+#   GHSA-qccp-gfcp-xxvc and GHSA-mf9v-mfxr-j63j.
 # pip: package installer itself — there is no parent package that brings it in.
 #   Both conda envs (ptca python3.10, base python3.13) ship pip 26.0.1 from the base
 #   image, vulnerable to GHSA-jp4c-xjxw-mgf9. No parent upgrade is possible — pip is
 #   the package manager; direct override to >=26.1 in both envs is the only option.
 #   We also remove the stale conda-meta json files for the old pip, otherwise SBOM
 #   scanners (trivy) read them from /opt/conda*/conda-meta and continue to report
 #   pip 26.0.1 even though the dist-info shows 26.1.x.
-RUN conda run -n base python -m pip install --no-cache-dir --upgrade 'python-dotenv>=1.2.2' 'pip>=26.1' && \
+RUN conda run -n base python -m pip install --no-cache-dir --upgrade 'python-dotenv>=1.2.2' 'urllib3>=2.7.0' 'pip>=26.1' && \
     rm -f /opt/conda/conda-meta/pip-26.0*.json && \
     python -m pip install --no-cache-dir --upgrade 'pip>=26.1' && \
     rm -f /opt/conda/envs/ptca/conda-meta/pip-26.0*.json

assets/training/finetune_acft_image/environments/acft_image_medimageinsight_adapter_finetune/context/Dockerfile

@@ -8,16 +8,13 @@ RUN apt-get -y install unzip
 
 # pip 26.0.1 in both the base (py3.13) and ptca (py3.10) conda envs is
 # vulnerable to GHSA-jp4c-xjxw-mgf9 / CVE-2026-6357 (fixed in pip>=26.1).
-# pip is a build/install tool installed by conda from the upstream base image
-# (mcr.microsoft.com/aifx/acpt/stable-ubuntu2204-cu126-py310-torch280, biweekly
-# tag) — there is no parent Python package that brings it in, so an upstream
-# parent upgrade is not possible. The base ACPT image has not yet refreshed to
-# pip 26.1+ as of 2026-05-12, so we override here. We use `conda install`
-# (rather than `pip install --upgrade`) so that conda-meta JSON and
-# /opt/conda/pkgs cache are also updated, and we additionally remove stray
-# pip-26.0*.dist-info / conda-meta entries from prior pip self-upgrades that
-# conda does not track — otherwise the SBOM scanner re-flags them. Done before
-# the requirements install so requirements are installed with the patched pip.
+# pip is installed by conda from the upstream base image; there is no parent
+# Python package that brings it in, so an upstream parent upgrade is not
+# possible. The base ACPT image (biweekly.202605.2 as of 2026-05-19) still
+# ships pip 26.0.1 in both envs, so we override here. `conda install` is used
+# so conda-meta JSON and /opt/conda/pkgs cache are updated, and stale
+# pip-26.0*.dist-info / conda-meta entries from prior pip self-upgrades are
+# removed (conda does not track those, and the SBOM scanner re-flags them).
 RUN conda install -y -n base -c conda-forge pip==26.1.1 && \
     conda install -y -n ptca -c conda-forge pip==26.1.1 && \
     rm -rf /opt/conda/lib/python3.13/site-packages/pip-26.0*.dist-info && \
@@ -35,19 +32,29 @@ RUN pip install -r requirements.txt --no-cache-dir
 # `pip` resolves to the ptca env, so base-env overrides need /opt/conda/bin/pip.
 #
 # ptca env (py3.10):
-#   pyasn1: mlflow -> databricks-sdk -> google-auth -> pyasn1-modules -> pyasn1;
-#     pyasn1-modules pins pyasn1 with no version floor so pip may resolve <0.6.3 (CVE-2026-30922)
-#   Mako: mlflow -> alembic -> Mako; alembic 1.18.4 uses unpinned `Requires-Dist: Mako`
-#   python-dotenv: mlflow -> mlflow-skinny -> python-dotenv<2,>=0.19.0;
-#     mlflow 3.11.1 (latest as of 2026-05-08) keeps that wide range so pip may resolve <1.2.2 (GHSA-mf9w-mj56-hr94)
+#   pyasn1 (>=0.6.3, CVE-2026-30922): mlflow -> databricks-sdk -> google-auth
+#     -> pyasn1-modules -> pyasn1; pyasn1-modules pins pyasn1 with no version
+#     floor so pip may resolve <0.6.3.
+#   Mako (>=1.3.11): mlflow -> alembic -> Mako; alembic 1.18.4 uses unpinned
+#     `Requires-Dist: Mako`.
+#   python-dotenv (>=1.2.2, GHSA-mf9w-mj56-hr94): mlflow -> mlflow-skinny ->
+#     python-dotenv<2,>=0.19.0; mlflow 3.11.1 (latest as of 2026-05-19) keeps
+#     that wide range.
+#   (urllib3 is already 2.7.0 in the ptca env of biweekly.202605.2, so no
+#    override is needed there.)
 #
 # base conda env (py3.13):
-#   python-dotenv 1.2.1 is brought in by anaconda-auth 0.13.1 (`Requires-Dist: python-dotenv`,
-#   no version pin) and pydantic-settings 2.12.0 (`python-dotenv>=0.21.0`); both are shipped
-#   pre-installed in the base env from the upstream base image and neither parent ships a
-#   tighter pin in its latest release as of 2026-05-08, so we patch python-dotenv directly
-#   in the base env via /opt/conda/bin/pip.
+#   python-dotenv 1.2.1 is brought in by anaconda-auth 0.14.4
+#     (`Requires-Dist: python-dotenv`, no version pin) and pydantic-settings
+#     2.12.0 (`python-dotenv>=0.21.0`); both are pre-installed in the base env
+#     from the upstream base image and neither parent ships a tighter pin in
+#     its latest release as of 2026-05-19, so we patch python-dotenv directly.
+#   urllib3 2.6.3 (GHSA-qccp-gfcp-xxvc / CVE-2026-44431,
+#     GHSA-mf9v-mfxr-j63j / CVE-2026-44432; fixed in 2.7.0) is brought in by
+#     `requests` (`urllib3<3,>=1.26`). requests 2.32.5 (latest as of
+#     2026-05-19) keeps that wide range so no parent upgrade can pull in the
+#     patched urllib3 — override directly via /opt/conda/bin/pip.
 RUN pip install --no-cache-dir --upgrade 'pyasn1>=0.6.3' 'Mako>=1.3.11' 'python-dotenv>=1.2.2' \
- && /opt/conda/bin/pip install --no-cache-dir --upgrade 'python-dotenv>=1.2.2'
+ && /opt/conda/bin/pip install --no-cache-dir --upgrade 'python-dotenv>=1.2.2' 'urllib3>=2.7.0'
 
 RUN conda clean -a -y && rm -rf /opt/miniconda/pkgs/

assets/training/finetune_acft_image/environments/acft_image_medimageinsight_adapter_finetune/context/requirements.txt

@@ -12,5 +12,4 @@ opencv-python~=4.10.0.84
 pydicom~=2.4.0
 pandas==2.2.3
 mlflow==3.11.1
-setuptools==82.0.0
-filelock>=3.20.1
+setuptools==82.0.0

assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding/context/Dockerfile

@@ -3,12 +3,7 @@ FROM mcr.microsoft.com/aifx/acpt/stable-ubuntu2204-cu126-py310-torch280:{{latest
 
 USER root
 
-# Install unzip and upgrade OS packages to fix vulnerabilities.
-# `apt-get -y upgrade` against the current ACPT base image (biweekly.202605.1) already pulls
-# openssh-client to 1:8.9p1-3ubuntu0.15 (USN-8222-1 fix) and keeps dotnet-{host,hostfxr,runtime}-8.0
-# at 8.0.26-0ubuntu1~22.04.1 (USN-8176-1 fix), so no explicit `apt-get install` overrides are
-# required. Verified via `apt-get install` returning "0 upgraded, 0 newly installed" for these
-# packages on top of the upgraded layer (build run ca42, 2026-05-08).
+# Install unzip and upgrade OS packages to pick up any pending security fixes from the base image.
 RUN apt-get -y update && apt-get -y upgrade && apt-get -y install unzip && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Install required packages from pypi
@@ -24,6 +19,12 @@ RUN pip install --no-cache-dir mlflow==3.11.1
 RUN pip uninstall -y fastmcp mcp
 
 # Override vulnerable transitive deps in the ptca env (Python 3.10) that pip won't auto-upgrade:
+# pip: shipped by the base image conda env at 26.0.1 (GHSA-jp4c-xjxw-mgf9). pip is a top-level
+#   tool with no parent package; the base image hasn't been rebuilt with pip 26.1 yet, so we
+#   upgrade it explicitly in both the ptca env and the system Python 3.13 env below.
+# urllib3: transitive dep via requests/botocore/etc. (requests pins urllib3<3,>=1.21.1 with a
+#   loose floor); pip resolves to vulnerable 2.6.3 (GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j).
+#   No parent release floors urllib3>=2.7.0, so explicit override is required.
 # Mako: transitive dep (mlflow → alembic 1.18.4 → Mako); alembic 1.18.4 declares "Mako" with no
 #   version pin at all, so pip resolves to 1.3.10 which has GHSA-v92g-xgxw-vvmm. No parent
 #   release floors Mako >= 1.3.11, so explicit override is the only fix.
@@ -35,9 +36,12 @@ RUN pip uninstall -y fastmcp mcp
 #   azureml-mlflow, transformers, etc.). No parent package to bump — the base image pre-installs
 #   pytest 7.4.3 and the ACPT base hasn't been rebuilt with a fix yet, so explicit override
 #   to >=9.0.3 is required (GHSA-6w46-j5rx-g56g).
-RUN pip install --no-cache-dir --upgrade 'Mako>=1.3.11' 'GitPython>=3.1.47' 'pytest>=9.0.3'
+RUN pip install --no-cache-dir --upgrade 'pip>=26.1' 'urllib3>=2.7.0' 'Mako>=1.3.11' 'GitPython>=3.1.47' 'pytest>=9.0.3'
 
-# Upgrade python-dotenv in the system Python(3.13)
+# Upgrade vulnerable packages in the system Python (3.13)
+# pip: base image ships 26.0.1 (GHSA-jp4c-xjxw-mgf9); pip is a top-level tool with no parent, override required.
+# urllib3: transitive dep via requests; loose floor (urllib3<3,>=1.21.1) resolves to vulnerable 2.6.3
+#   (GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j). No parent release floors urllib3>=2.7.0, override required.
 # python-dotenv: transitive dep via pydantic-settings (>=0.21.0 floor); parent uses loose floor so base resolves to
-# vulnerable 1.2.1 (GHSA-mf9w-mj56-hr94); override to >=1.2.2
-RUN /opt/conda/bin/python3.13 -m pip install --no-cache-dir --upgrade 'python-dotenv>=1.2.2'
+#   vulnerable 1.2.1 (GHSA-mf9w-mj56-hr94); override to >=1.2.2
+RUN /opt/conda/bin/python3.13 -m pip install --no-cache-dir --upgrade 'pip>=26.1' 'urllib3>=2.7.0' 'python-dotenv>=1.2.2'

assets/training/finetune_acft_image/environments/acft_image_medimageinsight_embedding_generator/context/Dockerfile

@@ -4,9 +4,6 @@ FROM mcr.microsoft.com/aifx/acpt/stable-ubuntu2204-cu126-py310-torch280:{{latest
 USER root
 
 # Install unzip and upgrade OS packages to fix vulnerabilities.
-# `apt-get -y upgrade` against the current ACPT base image (biweekly.202605.1) already pulls
-# dotnet-{host,hostfxr,runtime}-8.0 to 8.0.26-0ubuntu1~22.04.1 (USN-8176-1 fix), so no
-# explicit `apt-get install` overrides are required.
 RUN apt-get -y update && apt-get -y upgrade && apt-get -y install unzip && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # pip 26.0.1 in both the ptca conda env (Python 3.10) and the /opt/conda base env (Python 3.13)
@@ -43,12 +40,19 @@ RUN pip install -r requirements.txt --no-cache-dir
 # skops: transitive dep (mlflow → mlflow-skinny 3.11.1 requires skops<1 with no minimum), pip
 #   resolves to 0.11.0 which has CVE-2025-54412/54413/54886 (arbitrary code execution).
 #   mlflow-skinny has no release that bumps the floor, so explicit override is required.
-RUN pip install --no-cache-dir --upgrade 'Mako>=1.3.11' 'GitPython>=3.1.47' 'pytest>=9.0.3' 'skops>=0.13.0'
+# urllib3: transitive dep (requests>=2.33.0 → urllib3<3,>=1.26); latest requests 2.34.2 still
+#   declares `urllib3<3,>=1.26`, no parent package release floors urllib3>=2.7.0, so explicit
+#   override is the only fix for GHSA-qccp-gfcp-xxvc (CVE-2026-44431) and GHSA-mf9v-mfxr-j63j
+#   (CVE-2026-44432).
+RUN pip install --no-cache-dir --upgrade 'Mako>=1.3.11' 'GitPython>=3.1.47' 'pytest>=9.0.3' 'skops>=0.13.0' 'urllib3>=2.7.0'
 
 # python-dotenv: pre-installed in the /opt/conda base env (Python 3.13) by the ACPT base image
 #   at version 1.2.1 which has GHSA-mf9w-mj56-hr94. Not pulled in by any package in
 #   requirements.txt nor their transitive deps, so the ptca env (Python 3.10) gets the
 #   already-patched 1.2.2 from the base image's own upgrades. The /opt/conda Python 3.13 env
 #   is unaffected by `pip install -r requirements.txt` (which targets ptca's pip), so an
 #   explicit upgrade against /opt/conda/bin/python3.13 is required to reach >= 1.2.2.
-RUN /opt/conda/bin/python3.13 -m pip install --no-cache-dir --upgrade 'python-dotenv>=1.2.2'
+# urllib3: same situation — /opt/conda Python 3.13 ships urllib3 2.6.3 from the base image and
+#   is not reached by ptca pip installs, so an explicit upgrade to >=2.7.0 is required to fix
+#   GHSA-qccp-gfcp-xxvc and GHSA-mf9v-mfxr-j63j in this env.
+RUN /opt/conda/bin/python3.13 -m pip install --no-cache-dir --upgrade 'python-dotenv>=1.2.2' 'urllib3>=2.7.0'