[202505] ci: fix debian security docker-ptf cherry-pick 26242

dockers/docker-ptf/Dockerfile.j2

@@ -116,10 +116,8 @@ ENV PATH="/usr/local/go/bin:$HOME/go/bin:$PATH"
 RUN go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.9.3 \
     && mv "$(go env GOPATH)/bin/grpcurl" /usr/local/bin/grpcurl \
     && chmod +x /usr/local/bin/grpcurl
-# Security fixes: upgrade vulnerable system packages (S360 scan remediation)
-RUN apt-get update && apt-get install -y --only-upgrade \
-        telnet               \
-        inetutils-telnet     \
+# Security fixes: upgrade all vulnerable system packages (S360 scan remediation)
+RUN apt-get update && apt-get upgrade -y \
     && rm -rf /var/lib/apt/lists/*
 {% if PTF_ENV_PY_VER == "py3" %}
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
@@ -283,15 +281,8 @@ RUN pip3 install Flask \
     && pip3 install retrying \
     && pip3 install jinja2
 
-# gnxi/gnmi_cli_py ships pre-generated _pb2.py stubs; they are
-# Pin to 6.33.5 to match grpcio-tools keep a known-good version.
-RUN set -e; \
-    . /etc/os-release; \
-    if [ "$VERSION_CODENAME" = "bookworm" ]; then \
-        pip3 install protobuf==6.33.5; \
-    else \
-        pip3 install protobuf; \
-    fi
+# Keep protobuf aligned with generated gNMI stubs.
+RUN pip3 install protobuf==6.33.5
 
 {% if docker_ptf_whls.strip() -%}
 # Copy locally-built Python wheel dependencies
@@ -306,6 +297,10 @@ RUN set -e; \
 ENV PATH="$BACKUP_OF_PATH"
 {% endif %}
 
+# Ensure setuptools stays in a secure range while retaining pkg_resources
+# required by grpc_tools.protoc.
+RUN pip3 install "setuptools>=70.0.0,<78.0"
+
 ## Adjust sshd settings
 RUN mkdir /var/run/sshd \
     && echo 'root:root' | chpasswd \
@@ -339,14 +334,17 @@ RUN cd gnxi \
     && pip install -r requirements.txt \
     && pip3 install protobuf==6.33.5 --no-binary=protobuf
 {% else %}
+    && pip3 install "setuptools>=70.0.0,<78.0" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5" \
+    && rm -f gnmi_pb2.py gnmi_ext_pb2.py gnmi_pb2_grpc.py \
     && wget -q -O gnmi_ext.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi_ext/gnmi_ext.proto \
     && wget -q -O gnmi.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi/gnmi.proto \
     && sed -i 's|github.com/openconfig/gnmi/proto/gnmi_ext/gnmi_ext.proto|gnmi_ext.proto|' gnmi.proto \
-    && python -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. gnmi_ext.proto gnmi.proto \
+    && python3 -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. gnmi_ext.proto gnmi.proto \
+    && if grep -q _internal_create_key gnmi_ext_pb2.py; then echo "ERROR: gnmi stubs generated with incompatible protoc"; exit 1; fi \
     && rm -f gnmi.proto gnmi_ext.proto \
-    && pip3 install setuptools==51.0.0 \
-    && cat requirements.txt | grep -v futures > /tmp/requirements.txt \
-    && pip3 install -r /tmp/requirements.txt
+    && cat requirements.txt | grep -Ev '^(futures|grpcio==|grpcio-tools==|protobuf==)' > /tmp/requirements.txt \
+    && pip3 install -r /tmp/requirements.txt \
+    && pip3 install "setuptools>=70.0.0,<78.0" "grpcio==1.74.0" "grpcio-tools==1.74.0" "protobuf==6.33.5"
 {% endif %}
 
 # Install gnoic tool
@@ -395,4 +393,4 @@ RUN mkdir -p /root/env-python3/bin \
 COPY ["*.ini", "/etc/ptf/"]
 EXPOSE 22 8009
 
-ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]