Update setuptools from version 18.5 to version >= 65.5.1 #6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update setuptools to 65.5.1
Merge this pull request to resolve 3 vulnerabilities in version 18.5 of setuptools.
HIGH - CVE-2022-40897: pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py
Description
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
References
https://access.redhat.com/errata/RHSA-2023:0952
https://access.redhat.com/security/cve/CVE-2022-40897
https://bugzilla.redhat.com/2158559
https://bugzilla.redhat.com/show_bug.cgi?id=2158559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
https://errata.almalinux.org/9/ALSA-2023-0952.html
https://errata.rockylinux.org/RLSA-2023:0952
https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2022-43012.yaml
https://github.com/pypa/setuptools
https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200
pypa/setuptools@43a9c9b
pypa/setuptools@v65.5.0...v65.5.1
[BUG] Inefficient Regex pypa/setuptools#3659
https://linux.oracle.com/cve/CVE-2022-40897.html
https://linux.oracle.com/errata/ELSA-2024-2987.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R
https://lists.fedoraproject.org/archives/list/[email protected]/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H
https://nvd.nist.gov/vuln/detail/CVE-2022-40897
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
https://pyup.io/vulnerabilities/CVE-2022-40897/52495
https://pyup.io/vulnerabilities/CVE-2022-40897/52495/
https://security.netapp.com/advisory/ntap-20230214-0001
https://security.netapp.com/advisory/ntap-20230214-0001/
https://security.netapp.com/advisory/ntap-20240621-0006
https://security.netapp.com/advisory/ntap-20240621-0006/
https://setuptools.pypa.io/en/latest
https://ubuntu.com/security/notices/USN-5817-1
https://www.cve.org/CVERecord?id=CVE-2022-40897
Publish date
2022-12-23
HIGH - CVE-2024-6345: pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools
Description
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
References
https://access.redhat.com/errata/RHSA-2024:6726
https://access.redhat.com/security/cve/CVE-2024-6345
https://bugzilla.redhat.com/2297771
https://bugzilla.redhat.com/show_bug.cgi?id=2297771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345
https://errata.almalinux.org/9/ALSA-2024-6726.html
https://errata.rockylinux.org/RLSA-2024:6726
https://github.com/pypa/setuptools
pypa/setuptools@88807c7
Modernize package_index VCS handling pypa/setuptools#4332
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://linux.oracle.com/cve/CVE-2024-6345.html
https://linux.oracle.com/errata/ELSA-2024-6726.html
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
https://ubuntu.com/security/notices/USN-7002-1
https://www.cve.org/CVERecord?id=CVE-2024-6345
Publish date
2024-07-15
HIGH - CVE-2025-47273: setuptools: Path Traversal Vulnerability in setuptools PackageIndex
Description
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in
PackageIndexis present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.References
https://access.redhat.com/security/cve/CVE-2025-47273
https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2025-49.yaml
https://github.com/pypa/setuptools
https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
pypa/setuptools@250a6d1
Path traversal in PackageIndex.download leads to Arbitrary File Write. pypa/setuptools#4946
GHSA-5rjg-fvgr-3xxf
https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html
https://nvd.nist.gov/vuln/detail/CVE-2025-47273
https://ubuntu.com/security/notices/USN-7544-1
https://www.cve.org/CVERecord?id=CVE-2025-47273
Publish date
2025-05-17