
[auto-cve-patch] [vllm] allowlist ffmpeg/zvbi ESM-only CVEs; refresh mooncake go/stdlib reason#6279

Draft
jinyan-li1 wants to merge 2 commits into main from cve-patch/vllm-a8001b

Conversation

@jinyan-li1 jinyan-li1 commented Jun 23, 2026

Contributor

Purpose

Patch CVEs across vllm DLC images. This run is scoped to the Ubuntu sagemaker variant (vllm:0.23-gpu-py312) — a partial scan; pruning is suppressed.

Images affected

  • vllm:0.23-gpu-py312 (sagemaker, Ubuntu 22.04) — Ubuntu allowlist edits apply to all Ubuntu vllm variants that share docker/vllm/Dockerfile.

CVEs handled

| CVE | Package | Severity | Affected images | Action | Notes |
|---|---|---|---|---|---|
| CVE-2022-3109 | ffmpeg + libavcodec/device/filter/format/util, libpostproc, libswresample/swscale | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2022-48434 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2023-49502 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2023-50010 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2023-51793 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2023-51794 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2023-51798 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2023-6603 | ffmpeg + libavcodec58 + libavformat58 | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2023-6605 | ffmpeg + libavcodec58 + libavformat58 | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2024-31578 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2024-32230 | ffmpeg + libav* | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2024-35366 | ffmpeg | CRITICAL | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2024-35367 | ffmpeg | CRITICAL | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2024-35368 | ffmpeg | CRITICAL | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2025-2173 | libzvbi0 | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2025-63757 | ffmpeg + libavcodec58 + libavformat58 | HIGH | Ubuntu vllm | allowlist (ESM_ONLY) | Ubuntu Pro fix |
| CVE-2026-42504 | go/stdlib (mooncake libetcd_wrapper.so) | HIGH | Ubuntu vllm | reason refresh | Existing reason cited stale go/stdlib version (1.24.11); image now ships 1.25.9 |

Pin-source conflicts:

  • pin-source conflict: DLC_MAJOR_VERSION is 2 in docker/vllm/versions.env but 1 in docker/vllm/Dockerfile.amzn2023. No CVE in this run is on the conflicting package — surfaced for reviewer reconciliation.

Test plan

  • CI security tests pass for vllm sagemaker Ubuntu variant
  • CI sanity tests pass
  • CI vllm-specific tests pass

🤖 Generated by Claude Code.
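The mooncake row in the table above refreshes an allowlist reason because it cited go/stdlib 1.24.11 while the image actually ships 1.25.9. The following is an added example, not tooling from this repository: it reads the Go toolchain version that a Go-built ELF (including a cgo shared object such as libetcd_wrapper.so) embeds in its build-info block, the same data `go version -m` prints, and flags an allowlist reason that does not mention the shipped version. The layout parsed is the Go 1.18+ inline build-info form; the reason-string format assumed by `reason_is_stale` is an assumption, and the ELF-like blob used for the demo is constructed, not taken from any image.

```python
"""Read the Go toolchain version embedded in a Go-built ELF and compare it with
the version an allowlist reason cites.

Added example, not tooling from this repository. The build-info layout parsed
here is the Go 1.18+ "inline" form (the same block `go version -m` reads); the
reason-string format is an assumption, and the blob in the demo is constructed.
"""
import re
from typing import List, Optional, Tuple

BUILDINFO_MAGIC = b"\xff Go buildinf:"  # 14-byte magic at the start of the block
BUILDINFO_HEADER_SIZE = 32              # magic, ptr size, flags, reserved/pointers
FLAG_VERSION_INLINE = 0x2               # flags-byte bit: strings follow the header inline


def _uvarint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 varint (as Go's binary.Uvarint) at data[pos:]."""
    value, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7


def _read_string(data: bytes, pos: int) -> Tuple[str, int]:
    """Read a varint-length-prefixed string, returning (text, next position)."""
    length, pos = _uvarint(data, pos)
    if pos + length > len(data):
        raise ValueError("truncated string")
    return data[pos:pos + length].decode("utf-8", "replace"), pos + length


def go_version_from_blob(blob: bytes) -> Optional[str]:
    """Return e.g. 'go1.25.9' if blob holds a Go 1.18+ build-info block, else None.

    A raw byte scan suffices because the block is stored verbatim in the file
    image. The pre-1.18 pointer layout (inline flag clear) would need ELF
    section mapping to dereference and is reported as None here.
    """
    off = blob.find(BUILDINFO_MAGIC)
    if off < 0 or off + BUILDINFO_HEADER_SIZE > len(blob):
        return None
    flags = blob[off + 15]  # byte 14 is pointer size, byte 15 is flags
    if not flags & FLAG_VERSION_INLINE:
        return None
    version, _ = _read_string(blob, off + BUILDINFO_HEADER_SIZE)
    return version


def go_version_from_file(path: str) -> Optional[str]:
    """Convenience wrapper for a real file, e.g. a libetcd_wrapper.so on disk."""
    with open(path, "rb") as fh:
        return go_version_from_blob(fh.read())


VERSION_TOKEN = re.compile(r"\b(?:go)?(\d+\.\d+(?:\.\d+)?)\b")


def reason_is_stale(reason: str, shipped: str) -> bool:
    """True when the reason text cites no version equal to the shipped toolchain.

    Assumption (hypothetical format): reasons mention versions as '1.24.11' or
    'go1.24.11'. A reason that names no matching version needs a refresh.
    """
    shipped_num = shipped[2:] if shipped.startswith("go") else shipped
    cited: List[str] = VERSION_TOKEN.findall(reason)
    return shipped_num not in cited


def make_buildinfo_blob(version: str, modinfo: str = "") -> bytes:
    """Constructed fixture: a fake ELF image carrying a Go 1.18+ inline
    build-info block. For the demo and test only, not a real binary."""
    def enc(text: str) -> bytes:
        raw = text.encode()
        n, out = len(raw), bytearray()
        while n >= 0x80:
            out.append((n & 0x7F) | 0x80)
            n >>= 7
        out.append(n)
        return bytes(out) + raw

    header = BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\x00" * 16
    return b"\x7fELF" + b"\x00" * 60 + header + enc(version) + enc(modinfo) + b"\x00" * 8


if __name__ == "__main__":
    shipped = go_version_from_blob(make_buildinfo_blob("go1.25.9"))
    reason = "go/stdlib 1.24.11 in libetcd_wrapper.so; fix not yet released"
    print(shipped, "reason stale:", reason_is_stale(reason, shipped))
```

On a real image, `go_version_from_file("/path/to/libetcd_wrapper.so")` gives the value to cite in the allowlist reason, and `go version -m` on the same file is the cross-check when the Go toolchain is available.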
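The pin-source conflict reported above (DLC_MAJOR_VERSION 2 in docker/vllm/versions.env versus 1 in docker/vllm/Dockerfile.amzn2023) is the kind of drift worth catching mechanically. The following is an added example, not the repository's own checker. It assumes versions.env is a KEY=VALUE (.env style) file and that Dockerfiles pin the same keys through literal `ARG KEY=VALUE` / `ENV KEY=VALUE` defaults; the file contents are constructed to reproduce the mismatch reported here, and `classify` implements the PR's distinction between a conflict on a package the run touches and one merely surfaced for reviewer reconciliation.

```python
"""Detect pin-source conflicts between versions.env and Dockerfile ARG/ENV defaults.

Added example, not the repository's own checker. Assumptions: versions.env is a
KEY=VALUE (.env style) file, and Dockerfiles pin the same keys through literal
`ARG KEY=VALUE` / `ENV KEY=VALUE` defaults. The sample contents are constructed
to reproduce the DLC_MAJOR_VERSION mismatch surfaced in this PR.
"""
import re
from typing import Dict, List, Set, Tuple

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
DOCKER_INSTR = re.compile(r"^\s*(ARG|ENV)\s+(.*)$", re.IGNORECASE)
PAIR = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\"[^\"]*\"|'[^']*'|\S*)")

Conflict = Tuple[str, str, str, str]  # key, versions.env value, dockerfile, dockerfile value


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_versions_env(text: str) -> Dict[str, str]:
    """KEY=VALUE per line; blank lines and '#' comments are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if m:
            pins[m.group(1)] = _unquote(m.group(2))
    return pins


def parse_dockerfile_pins(text: str) -> Dict[str, str]:
    """Literal ARG/ENV defaults in a Dockerfile.

    Backslash continuations are joined first. `ARG FOO` (no default) only
    consumes a build arg, and a value referencing another variable (`${X}`)
    is derived rather than literal; both are skipped. The legacy space form
    `ENV KEY VALUE` is not handled.
    """
    pins: Dict[str, str] = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():
        m = DOCKER_INSTR.match(line)
        if not m:
            continue
        for key, value in PAIR.findall(m.group(2)):
            value = _unquote(value)
            if value and "$" not in value:
                pins[key] = value
    return pins


def find_conflicts(env_pins: Dict[str, str], dockerfiles: Dict[str, str]) -> List[Conflict]:
    """Keys pinned in versions.env whose literal value differs in some Dockerfile."""
    conflicts: List[Conflict] = []
    for name, text in sorted(dockerfiles.items()):
        for key, value in parse_dockerfile_pins(text).items():
            if key in env_pins and env_pins[key] != value:
                conflicts.append((key, env_pins[key], name, value))
    return conflicts


def classify(conflicts: List[Conflict], keys_touched: Set[str]) -> Tuple[List[Conflict], List[Conflict]]:
    """Split into blocking (a key this run changes) and advisory (surfaced
    for reviewer reconciliation, as the PR description does)."""
    blocking = [c for c in conflicts if c[0] in keys_touched]
    advisory = [c for c in conflicts if c[0] not in keys_touched]
    return blocking, advisory


# Constructed sample inputs; not the repository's real files.
VERSIONS_ENV = """\
# docker/vllm/versions.env (constructed)
DLC_MAJOR_VERSION=2
VLLM_VERSION=0.23
PYTHON_VERSION="3.12"
"""

DOCKERFILES = {
    "docker/vllm/Dockerfile": """\
FROM ubuntu:22.04
ARG DLC_MAJOR_VERSION=2
ARG VLLM_VERSION=0.23
ARG TORCH_INDEX_URL=${TORCH_INDEX_URL}
""",
    "docker/vllm/Dockerfile.amzn2023": """\
FROM public.ecr.aws/amazonlinux/amazonlinux:2023
ARG DLC_MAJOR_VERSION=1
ARG PYTHON_VERSION=3.12
ARG VLLM_VERSION
ENV PIP_NO_CACHE_DIR=1 \\
    UV_LINK_MODE=copy
""",
}


def demo() -> List[Conflict]:
    return find_conflicts(parse_versions_env(VERSIONS_ENV), DOCKERFILES)


if __name__ == "__main__":
    for key, env_value, dockerfile, docker_value in demo():
        print(f"pin-source conflict: {key} is {env_value} in versions.env but {docker_value} in {dockerfile}")
```

Run against real files by reading each Dockerfile into the `dockerfiles` mapping; the only conflict on the constructed input is DLC_MAJOR_VERSION, and with a run that touches only VLLM_VERSION it lands in the advisory list rather than blocking the patch.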

@jinyan-li1

Contributor Author

Retry 1/5: allowlist RUSTSEC-2026-0185 (quinn-proto 0.11.14 vendored in /usr/local/bin/uv; latest uv 0.11.23 still pins same version).

