openEuler Security Advisory: openEuler-SA-2024-1931
Title: python-setuptools security update
Severity: High
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Initial release date: 2024-08-02
Current release date: 2024-08-02
Generator: openEuler SA Tool V1.0 (2024-08-02)
Revision history: 1.0 (2024-08-02) - Initial

Summary

An update for python-setuptools is now available for openEuler-20.03-LTS-SP4, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP3, openEuler-22.03-LTS-SP4 and openEuler-24.03-LTS.

Description

Setuptools is a collection of enhancements to the Python distutils that allow you to more easily build and distribute Python packages, especially ones that have dependencies on other packages.

Security Fix(es):

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. (CVE-2024-6345)

openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Affected products

- openEuler-20.03-LTS-SP4
- openEuler-22.03-LTS-SP1
- openEuler-22.03-LTS-SP3
- openEuler-22.03-LTS-SP4
- openEuler-24.03-LTS

References

- https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1931
- https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6345
- https://nvd.nist.gov/vuln/detail/CVE-2024-6345

Updated packages

openEuler-20.03-LTS-SP4:
- python-setuptools-44.1.1-3.oe2003sp4.noarch.rpm
- python3-setuptools-44.1.1-3.oe2003sp4.noarch.rpm
- python2-setuptools-44.1.1-3.oe2003sp4.noarch.rpm
- python-setuptools-help-44.1.1-3.oe2003sp4.noarch.rpm
- python-setuptools-44.1.1-3.oe2003sp4.src.rpm

openEuler-22.03-LTS-SP1:
- python3-setuptools-59.4.0-6.oe2203sp1.noarch.rpm
- python-setuptools-59.4.0-6.oe2203sp1.noarch.rpm
- python-setuptools-help-59.4.0-6.oe2203sp1.noarch.rpm
- python-setuptools-59.4.0-6.oe2203sp1.src.rpm

openEuler-22.03-LTS-SP3:
- python3-setuptools-59.4.0-6.oe2203sp3.noarch.rpm
- python-setuptools-help-59.4.0-6.oe2203sp3.noarch.rpm
- python-setuptools-59.4.0-6.oe2203sp3.noarch.rpm
- python-setuptools-59.4.0-6.oe2203sp3.src.rpm

openEuler-22.03-LTS-SP4:
- python3-setuptools-59.4.0-6.oe2203sp4.noarch.rpm
- python-setuptools-59.4.0-6.oe2203sp4.noarch.rpm
- python-setuptools-help-59.4.0-6.oe2203sp4.noarch.rpm
- python-setuptools-59.4.0-6.oe2203sp4.src.rpm

openEuler-24.03-LTS:
- python3-setuptools-68.0.0-2.oe2403.noarch.rpm
- python-setuptools-68.0.0-2.oe2403.noarch.rpm
- python-setuptools-help-68.0.0-2.oe2403.noarch.rpm
- python-setuptools-68.0.0-2.oe2403.src.rpm

Vulnerability details

CVE-2024-6345
- Release date: 2024-08-02
- Affected products: openEuler-20.03-LTS-SP4, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP3, openEuler-22.03-LTS-SP4, openEuler-24.03-LTS
- Severity: High
- CVSS base score: 8.8
- CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Description: see Security Fix(es) above.
- Remediation: python-setuptools security update, 2024-08-02, https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1931