[code sync] Merge code from sonic-net/sonic-buildimage:202505 to 202506

device/arista/x86_64-arista_7060x6_64pe/platform.json

@@ -110,6 +110,14 @@
             {
                 "name": "Management Card Inlet",
                 "controllable": false
+            },
+            {
+                "name": "TH5 Diode 1",
+                "controllable": false
+            },
+            {
+                "name": "TH5 Diode 2",
+                "controllable": false
             }
         ],
         "sfps": [

device/arista/x86_64-arista_7060x6_64pe/sensors.conf

@@ -5,8 +5,6 @@ bus "i2c-29" "SCD 0000:03:00.0 SMBus master 1 bus 4"
 chip "max6581-i2c-25-4d"
     ignore temp5
     ignore temp6
-    ignore temp7
-    ignore temp8
 
 chip "nvme-pci-0400"
     # TODO: sensors complaining about tempX_min and tempX_max

device/arista/x86_64-arista_7060x6_64pe_b/platform.json

@@ -118,6 +118,14 @@
             {
                 "name": "Management Card Inlet",
                 "controllable": false
+            },
+            {
+                "name": "TH5 Diode 1",
+                "controllable": false
+            },
+            {
+                "name": "TH5 Diode 2",
+                "controllable": false
             }
         ],
         "sfps": [

device/arista/x86_64-arista_7060x6_64pe_b/sensors.conf

@@ -5,8 +5,6 @@ bus "i2c-31" "SCD 0000:08:00.0 SMBus master 1 bus 4"
 chip "max6581-i2c-27-4d"
     ignore temp5
     ignore temp6
-    ignore temp7
-    ignore temp8
 
 chip "nvme-pci-0400"
     # TODO: sensors complaining about tempX_min and tempX_max

dockers/docker-platform-monitor/Dockerfile.j2

@@ -44,7 +44,7 @@ RUN apt-get install -y -t bookworm-backports \
 # install any dependencies required by the Arista sonic_platform package.
 # TODO: eliminate the need to install these explicitly.
 RUN pip3 install grpcio==1.51.1 \
-        grpcio-tools==1.51.1
+        grpcio-tools==1.51.1 --no-build-isolation
 
 # Barefoot platform vendors' sonic_platform packages import these Python libraries
 RUN pip3 install thrift==0.13.0 netifaces

dockers/docker-ptf/Dockerfile.j2

@@ -92,33 +92,48 @@ RUN apt-get update          \
         automake            \
         iproute2            \
         iptables            \
+{% if PTF_ENV_PY_VER != "mixed" %}
         wireshark-common    \
+{% endif %}
         freeradius          \
         quilt
 
 # Install Go toolchain for building grpcurl and gnoic from source
 # to ensure they use a patched Go stdlib (GO-2026-4337: crypto/tls)
 {% if CONFIGURED_ARCH == "armhf" %}
 RUN GO_ARCH=armv6l \
+    && GO_SHA256=7d4f0d266d871301e08ef4ac31c56e66048688893b2848392e5c600276351ee8 \
 {% elif CONFIGURED_ARCH == "arm64" %}
 RUN GO_ARCH=arm64 \
+    && GO_SHA256=ec342e7389b7f489564ed5463c63b16cf8040023dabc7861256677165a8c0e2b \
 {% else %}
 RUN GO_ARCH=amd64 \
+    && GO_SHA256=00859d7bd6defe8bf84d9db9e57b9a4467b2887c18cd93ae7460e713db774bc1 \
 {% endif %}
-    && GO_VERSION=1.25.8 \
+    && GO_VERSION=1.25.9 \
     && curl -L "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tar.gz \
+    && echo "${GO_SHA256}  /tmp/go.tar.gz" | sha256sum -c - \
     && tar -C /usr/local -xzf /tmp/go.tar.gz \
     && rm /tmp/go.tar.gz
 
 ENV PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"
 
-# Build grpcurl from source with patched Go (GO-2026-4337)
-RUN go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.9.3 \
-    && mv "$(go env GOPATH)/bin/grpcurl" /usr/local/bin/grpcurl \
-    && chmod +x /usr/local/bin/grpcurl
+# Build grpcurl from source with patched Go and golang.org/x/* deps
+# upgraded to latest to address current and future golang.org/x/* CVEs.
+RUN GRPCURL_VERSION=v1.9.3 \
+    && git clone --depth 1 --branch "${GRPCURL_VERSION}" https://github.com/fullstorydev/grpcurl.git /tmp/grpcurl \
+    && cd /tmp/grpcurl \
+    && go get google.golang.org/grpc@v1.79.3 \
+    && go get github.com/go-jose/go-jose/v4@latest \
+    && go get golang.org/x/crypto@latest golang.org/x/net@latest golang.org/x/text@latest golang.org/x/sys@latest golang.org/x/oauth2@latest \
+    && go mod tidy \
+    && go build -o /usr/local/bin/grpcurl ./cmd/grpcurl \
+    && chmod +x /usr/local/bin/grpcurl \
+    && rm -rf /tmp/grpcurl
 # Security fixes: upgrade all vulnerable system packages (S360 scan remediation)
 RUN apt-get update && apt-get upgrade -y \
     && rm -rf /var/lib/apt/lists/*
+
 {% if PTF_ENV_PY_VER == "py3" %}
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1 \
@@ -186,7 +201,6 @@ RUN rm -rf /debs \
     && pip install pysubnettree \
     && pip install paramiko \
     && pip install flask   \
-    && pip install tornado \
     && pip install exabgp==3.4.17\
     && pip install pyaml   \
     && pip install pybrctl pyro4 rpyc yabgp \
@@ -196,7 +210,7 @@ RUN rm -rf /debs \
 {% endif %}
     && mkdir -p /opt       \
     && cd /opt             \
-    && wget https://raw.githubusercontent.com/p4lang/ptf/master/ptf_nn/ptf_nn_agent.py
+    && wget https://raw.githubusercontent.com/p4lang/ptf/23ebe7237f3c284032bda02fbd1f4a98f1bc12f4/ptf_nn/ptf_nn_agent.py
 
 {% if PTF_ENV_PY_VER == "py3" %}
 RUN curl -L -o tacacs.tar.gz https://shrubbery.net/pub/tac_plus/tacacs-F4.0.4.31.tar.gz\
@@ -214,17 +228,25 @@ COPY ["tacacs_plus", "/etc/init.d"]
 COPY ["tacacs+", "/etc/default"]
 {% endif %}
 
-{% if PTF_ENV_PY_VER == "mixed" %}
-RUN python3 -m venv --system-site-packages env-python3
+# Workaround: Tornado installed outside of the
+# virtualenv as the call to the process API
+# Ansible -> Supervisor -> ExaBGP -> Process API
+# causes the process API to have a restricted
+# environment without access to the virtualenv.
+{% if PTF_ENV_PY_VER == "py3" %}
+    RUN pip3 install --break-system-packages "tornado>=6.5.5"
+{% endif %}
+
+
+RUN python3 -m venv env-python3
 # Activating a virtualenv. The virtualenv automatically works for RUN, ENV and CMD.
 ENV VIRTUAL_ENV=/root/env-python3
 ARG BACKUP_OF_PATH="$PATH"
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 PYTHONIOENCODING=UTF-8
 
-# Upgrade pip to address CVE vulnerabilities in older pip versions
-RUN pip3 install --upgrade pip
-{% endif %}
+# Upgrade pip and wheel to address CVE vulnerabilities
+RUN pip3 install --upgrade pip "wheel>=0.46.2"
 
 {% if PTF_ENV_PY_VER == "mixed" %}
 RUN python3 -m pip install --upgrade --ignore-installed pip
@@ -234,12 +256,12 @@ RUN python3 -m pip install --upgrade --ignore-installed pip
 # setuptools on Python 3.9. The packages downgrade setuptools 
 # to 40.x causing further installations to fail
 {% if PTF_ENV_PY_VER == "py3" %}
-{% set offending_packages = ["supervisor", "ipython==5.4.1", "exabgp==4.2.25", "grpcio-tools", "pybrctl", "pyrasite", "scapy==2.5.0", "thrift"] %}
+{% set offending_packages = ["supervisor", "ipython", "exabgp==4.2.25", "grpcio-tools", "pybrctl", "pyrasite", "scapy==2.5.0", "thrift"] %}
 {{ install_offending_packages(offending_packages) }}
 {% else %}
 RUN pip3 install setuptools \
         && pip3 install supervisor \
-        && pip3 install ipython==5.4.1 \
+        && pip3 install ipython \
         && pip3 install exabgp==4.2.25 \
         && pip3 install grpcio-tools \
         && pip3 install pybrctl \
@@ -254,8 +276,8 @@ RUN pip3 install setuptools \
 # Werkzeug 3.1.3 has a bug and causes announce routes to fail
 # by returning 413 Request Entity Too Large though request buffers
 # have been increased.
-RUN pip3 install Flask==3.0.3   \
-    && pip3 install Werkzeug==3.1.2 \
+RUN pip3 install Flask   \
+    && pip3 install Werkzeug \
 {% else %}
 RUN pip3 install Flask \
 {% endif %}
@@ -266,14 +288,13 @@ RUN pip3 install Flask \
     && pip3 install ipaddress \
     && pip3 install pysubnettree \
     && pip3 install paramiko \
-    && pip3 install tornado \
+    && pip3 install "tornado>=6.5.5" \
     && pip3 install Flask   \
     && pip3 install exabgp \
     && pip3 install pyaml   \
     && pip3 install pyro4 rpyc \
     && pip3 install unittest-xml-reporting \
     && pip3 install python-libpcap \
-    && pip3 install enum34 \
     && pip3 install grpcio \
     && pip3 install protobuf \
     && pip3 install six==1.16.0 \
@@ -292,14 +313,14 @@ RUN pip3 install protobuf==6.33.5
 {{ install_python_wheels(docker_ptf_whls.split(' ')) }}
 {% endif %}
 
-{% if PTF_ENV_PY_VER == "mixed" %}
 # Deactivating a virtualenv.
 ENV PATH="$BACKUP_OF_PATH"
-{% endif %}
 
 # Ensure setuptools stays in a secure range while retaining pkg_resources
-# required by grpc_tools.protoc.
-RUN pip3 install "setuptools>=70.0.0,<78.0"
+# required by grpc_tools.protoc. setuptools >=78.1.1 restores pkg_resources
+# compatibility removed in 78.0 and fixes CVE-2025-47273.
+# Upgrade lxml to address GHSA-vfmq-68hx-4jfw
+RUN pip3 install "setuptools>=78.1.1" "wheel>=0.46.2" "lxml>=5.3.2"
 
 ## Adjust sshd settings
 RUN mkdir /var/run/sshd \
@@ -334,7 +355,7 @@ RUN cd gnxi \
     && pip install -r requirements.txt \
     && pip3 install protobuf==6.33.5 --no-binary=protobuf
 {% else %}
-    && pip3 install "setuptools>=70.0.0,<78.0" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5" \
+    && pip3 install "setuptools>=78.1.1" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5" \
     && rm -f gnmi_pb2.py gnmi_ext_pb2.py gnmi_pb2_grpc.py \
     && wget -q -O gnmi_ext.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi_ext/gnmi_ext.proto \
     && wget -q -O gnmi.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi/gnmi.proto \
@@ -344,24 +365,12 @@ RUN cd gnxi \
     && rm -f gnmi.proto gnmi_ext.proto \
     && cat requirements.txt | grep -Ev '^(futures|grpcio==|grpcio-tools==|protobuf==)' > /tmp/requirements.txt \
     && pip3 install -r /tmp/requirements.txt \
-    && pip3 install "setuptools>=70.0.0,<78.0" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5"
+    && pip3 install "setuptools>=78.1.1" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5"
 {% endif %}
 
-# Install gnoic tool
-# Without specifying the version there is a failure
-# to determine the latest version automatically.
-#
-# root@a2014cb5bc54:~/gnoic# ./install.sh
-# Warning: Failed to verify the package: https://api.github.com/repos/karimra/gnoic/releases/latest, the version is not specified
-# Could not determine the latest release
-# Failed to install gnoic
-# For support, go to https://github.com/karimra/gnoic/issues
-RUN git clone https://github.com/karimra/gnoic.git \
-    && cd gnoic \
-    && git checkout 27bc5a6 \
-    && go build -o /usr/local/bin/gnoic . \
-    && cd .. \
-    && rm -rf gnoic
+# Deactivating a virtualenv.
+# ENV PATH="$BACKUP_OF_PATH"
+
 
 COPY \
 {% for deb in docker_ptf_debs.split(' ') -%}
@@ -378,19 +387,51 @@ debs/{{ deb }}{{' '}}
 RUN rm -rf /usr/local/go "$(go env GOPATH 2>/dev/null || echo $HOME/go)"
 ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
-{% if PTF_ENV_PY_VER == "py3" %}
-# Create symlink so that test scripts and ptf_runner invocation path
-# is same across python 2 and python 3 envs. Note that for virtual-env
-# ptf is under /root/env-python3/bin.
-# TODO - cleanup when the supported PTF image is py3only across all branches
-RUN mkdir -p /root/env-python3/bin \
-    && ln -s /usr/local/bin/ptf /usr/bin/ptf \
-    && ln -s /usr/bin/python /root/env-python3/bin/python3 \
-    && ln -s /usr/bin/python /root/env-python3/bin/python \
-    && ln -s /usr/local/bin/ptf /root/env-python3/bin/ptf
-{% endif %}
+# Apply pending Debian security updates.
+# The build system pins package versions via /etc/apt/preferences.d/01-versions-deb.
+# Remove the pin so apt-get upgrade can pull in the latest security patches.
+RUN rm -f /etc/apt/preferences.d/01-versions-deb \
+    && apt-get update \
+    && apt-get upgrade -y \
+    && rm -rf /var/lib/apt/lists/*
+
+# Final system-level security upgrade: ensure every Debian package is at its
+# latest patched version from the security repos.  This must run AFTER all
+# apt-get install / dpkg -i steps so nothing slips through.
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get dist-upgrade -y \
+    && rm -rf /var/lib/apt/lists/*
+
+# There are some scripts like supervisorctl and others invoked from
+# custom Ansible modules which use exec_command to run these. Since
+# Ansible module's exec_command uses a restricted shell without sourcing
+# the profile or other rc files the PATH does not include the virtualenv.
+# This step keeps links to required binaries from /usr/local/bin to the
+# virtualenv bin directory.
+RUN set -eux; \
+  for f in /root/env-python3/bin/*; do \
+    base="$(basename "$f")"; \
+    case "$base" in \
+      python*|pip*) continue ;; \
+    esac; \
+    ln -sf "$f" "/usr/local/bin/$base"; \
+  done
+
+RUN echo "/root/env-python3/lib/python3.9/site-packages" > /usr/lib/python3/dist-packages/virtualenv.pth
+
+RUN echo "PYTHONPATH=/root/env-python3/lib/python3.9/site-packages" >> /etc/environment
+
+# Final system-level security upgrade: ensure every Debian package is at its
+# latest patched version. This must run AFTER all apt-get install / dpkg -i
+# steps so nothing slips through.
+# Covers OpenSSL, openssh, libpng, gdk-pixbuf, inetutils, tiff CVEs.
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get dist-upgrade -y \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY ["*.ini", "/etc/ptf/"]
 EXPOSE 22 8009
 
-ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+ENTRYPOINT ["/root/env-python3/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

files/build/versions/build/build-sonic-slave-bookworm/versions-deb-bookworm

@@ -60,9 +60,9 @@ mlxbf-gige-dkms==1.0-0
 mlxbf-pka-dkms==2.0-1
 mlxbf-ptm-dkms==1.0-0
 mlxbf-tmfifo-dkms==1.0-0
-p4lang-bmv2==1.15.0-7
+p4lang-bmv2==1.15.0-9
 p4lang-p4c==1.2.4.2-2
-p4lang-pi==0.1.0-15
+p4lang-pi==0.1.0-17
 pinctrl-mlxbf3-dkms==1.0-0
 pwr-mlxbf-dkms==1.0-0
 python3-swsscommon==1.0.0

files/build/versions/build/build-sonic-slave-bookworm/versions-py3

@@ -1,20 +1,20 @@
-blessed==1.20.0
-cffi==1.17.1
+blessed==1.38.0
+cffi==2.0.0
 click-log==0.4.0
-colorful==0.5.6
+colorful==0.5.8
 deepdiff==6.2.2
 docker==7.1.0
 docker-image-py==0.1.13
-enlighten==1.13.0
+enlighten==1.14.1
 enum34==1.1.10
-filelock==3.17.0
-freezegun==1.5.1
+filelock==3.29.0
+freezegun==1.5.5
 ijson==3.2.3
-inotify==0.2.10
+inotify==0.2.12
 ipaddress==1.0.23
 jsondiff==2.2.1
 jsonpatch==1.33
-jsonpointer==3.0.0
+jsonpointer==3.1.1
 jsonschema==2.6.0
 natsort==8.4.0
 netaddr==0.8.0
@@ -26,8 +26,8 @@ prefixed==0.9.0
 prettyprinter==0.18.0
 ptyprocess==0.7.0
 pycairo==1.26.1
-pycparser==2.22
-pynacl==1.5.0
+pycparser==3.0
+pynacl==1.6.2
 pyroute2==0.7.12
 python-arptable==0.0.2
 python-sdk-api==4.8.1086
@@ -36,6 +36,6 @@ semantic-version==2.10.0
 systemd-python==235
 tabulate==0.9.0
 toposort==1.6
-wcwidth==0.2.13
+wcwidth==0.6.0
 www-authenticate==0.9.2
 xmltodict==0.12.0

files/build/versions/build/build-sonic-slave-bookworm/versions-py3-all-arm64

@@ -2,5 +2,5 @@ bitarray==2.8.1
 click==7.0
 lxml==4.9.1
 pyyaml==6.0.1
-urllib3==2.3.0
+urllib3==2.6.3
 zipp==1.2.0

files/build/versions/build/build-sonic-slave-bookworm/versions-py3-all-armhf

@@ -2,5 +2,5 @@ bitarray==2.8.1
 click==7.0
 lxml==4.9.1
 pyyaml==6.0.1
-urllib3==2.3.0
+urllib3==2.6.3
 zipp==1.2.0