[pytorch] [build] [training] [ec2, sagemaker] Onboard PT2.6 to autopatch (#4953)

Onboard PT2.6 to autopatch and allowlist CVE 77740 due to sagemaker_training dependency requirement of protobuf being >=3.9.2,<=3.20.3

Author: jinyan-li1

pytorch/training/buildspec-2-6-ec2.yml

@@ -5,7 +5,7 @@ framework: &FRAMEWORK pytorch
 version: &VERSION 2.6.0
 short_version: &SHORT_VERSION "2.6"
 arch_type: x86
-# autopatch_build: "True"
+autopatch_build: "True"
 
 repository_info:
   training_repository: &TRAINING_REPOSITORY

pytorch/training/buildspec-2-6-sm.yml

@@ -5,7 +5,7 @@ framework: &FRAMEWORK pytorch
 version: &VERSION 2.6.0
 short_version: &SHORT_VERSION "2.6"
 arch_type: x86
-# autopatch_build: "True"
+autopatch_build: "True"
 
 repository_info:
   training_repository: &TRAINING_REPOSITORY

pytorch/training/docker/2.6/py3/Dockerfile.ec2.cpu.core_packages.json

@@ -43,7 +43,7 @@
     "version_specifier": ">=70.0.0"
   },
   "urllib3": {
-    "version_specifier": "<2"
+    "version_specifier": ">=2.5.0"
   },
   "awscli": {
     "version_specifier": "<2"

pytorch/training/docker/2.6/py3/Dockerfile.sagemaker.cpu.core_packages.json

@@ -43,7 +43,7 @@
     "version_specifier": ">=70.0.0"
   },
   "urllib3": {
-    "version_specifier": "<2"
+    "version_specifier": ">=2.5.0"
   },
   "awscli": {
     "version_specifier": "<2"

pytorch/training/docker/2.6/py3/Dockerfile.sagemaker.cpu.py_scan_allowlist.json

@@ -0,0 +1,3 @@
+{
+  "77740": "Affected versions of this package are vulnerable to a potential Denial of Service (DoS) attack due to unbounded recursion when parsing untrusted Protocol Buffers data. The pure-Python implementation fails to enforce recursion depth limits when processing recursive groups, recursive messages, or a series of SGROUP tags, leading to stack overflow conditions that can crash the application by exceeding Python's recursion limit."
+}

pytorch/training/docker/2.6/py3/cu126/Dockerfile.ec2.gpu.core_packages.json

@@ -47,7 +47,7 @@
     "version_specifier": ">=70.0.0"
   },
   "urllib3": {
-    "version_specifier": "<2"
+    "version_specifier": ">=2.5.0"
   },
   "awscli": {
     "version_specifier": "<2"

pytorch/training/docker/2.6/py3/cu126/Dockerfile.sagemaker.gpu.core_packages.json

@@ -47,7 +47,7 @@
     "version_specifier": ">=70.0.0"
   },
   "urllib3": {
-    "version_specifier": "<2"
+    "version_specifier": ">=2.5.0"
   },
   "awscli": {
     "version_specifier": "<2"

pytorch/training/docker/2.6/py3/cu126/Dockerfile.sagemaker.gpu.py_scan_allowlist.json

@@ -0,0 +1,3 @@
+{
+  "77740": "Affected versions of this package are vulnerable to a potential Denial of Service (DoS) attack due to unbounded recursion when parsing untrusted Protocol Buffers data. The pure-Python implementation fails to enforce recursion depth limits when processing recursive groups, recursive messages, or a series of SGROUP tags, leading to stack overflow conditions that can crash the application by exceeding Python's recursion limit."
+}