An update for python-setuptools is now available for openEuler-20.03-LTS-SP4, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP3, openEuler-22.03-LTS-SP4 and openEuler-24.03-LTS
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2024-1931
Final
1.0
1.0
2024-08-02
Initial
2024-08-02
2024-08-02
openEuler SA Tool V1.0
2024-08-02
python-setuptools security update
An update for python-setuptools is now available for openEuler-20.03-LTS-SP4, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP3, openEuler-22.03-LTS-SP4 and openEuler-24.03-LTS.
Setuptools is a collection of enhancements to the Python distutils that allow you to more easily build and distribute Python packages, especially ones that have dependencies on other packages.
Security Fix(es):
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. (CVE-2024-6345)
openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
python-setuptools
https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1931
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6345
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
openEuler-20.03-LTS-SP4
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP3
openEuler-22.03-LTS-SP4
openEuler-24.03-LTS
python-setuptools-44.1.1-3.oe2003sp4.noarch.rpm
python3-setuptools-44.1.1-3.oe2003sp4.noarch.rpm
python2-setuptools-44.1.1-3.oe2003sp4.noarch.rpm
python-setuptools-help-44.1.1-3.oe2003sp4.noarch.rpm
python3-setuptools-59.4.0-6.oe2203sp1.noarch.rpm
python-setuptools-59.4.0-6.oe2203sp1.noarch.rpm
python-setuptools-help-59.4.0-6.oe2203sp1.noarch.rpm
python3-setuptools-59.4.0-6.oe2203sp3.noarch.rpm
python-setuptools-help-59.4.0-6.oe2203sp3.noarch.rpm
python-setuptools-59.4.0-6.oe2203sp3.noarch.rpm
python3-setuptools-59.4.0-6.oe2203sp4.noarch.rpm
python-setuptools-59.4.0-6.oe2203sp4.noarch.rpm
python-setuptools-help-59.4.0-6.oe2203sp4.noarch.rpm
python3-setuptools-68.0.0-2.oe2403.noarch.rpm
python-setuptools-68.0.0-2.oe2403.noarch.rpm
python-setuptools-help-68.0.0-2.oe2403.noarch.rpm
python-setuptools-44.1.1-3.oe2003sp4.src.rpm
python-setuptools-59.4.0-6.oe2203sp1.src.rpm
python-setuptools-59.4.0-6.oe2203sp3.src.rpm
python-setuptools-59.4.0-6.oe2203sp4.src.rpm
python-setuptools-68.0.0-2.oe2403.src.rpm
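As an added example (not part of this advisory and not openEuler's own tooling), the following script checks `rpm -q python3-setuptools` output against the fixed python3-setuptools builds listed above. It embeds a simplified reimplementation of RPM's rpmvercmp ordering (an assumption: digit and alpha segments plus the `~` pre-release marker, no `^` caret and no epoch, which is sufficient for the NVRs on this page); the input lines are constructed sample output, not real host data.

```python
"""Compare installed python3-setuptools NVRs with the fixed builds from
openEuler-SA-2024-1931 (CVE-2024-6345). Added example, not openEuler tooling."""
import re
from typing import Dict, List, Tuple

# Fixed python3-setuptools binary packages taken from the advisory above.
FIXED_NVRS: List[str] = [
    "python3-setuptools-44.1.1-3.oe2003sp4",
    "python3-setuptools-59.4.0-6.oe2203sp1",
    "python3-setuptools-59.4.0-6.oe2203sp3",
    "python3-setuptools-59.4.0-6.oe2203sp4",
    "python3-setuptools-68.0.0-2.oe2403",
]

# Segments RPM compares: runs of digits, runs of letters, or a '~' marker.
_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare numerically, alpha segments lexically, numeric
    beats alpha, and '~' sorts before anything (pre-release). Caret and
    epoch handling are deliberately omitted (assumption for this page)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Shared prefix equal: the longer string is newer unless its extra part
    # starts with '~' (e.g. 1.0~rc1 < 1.0).
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_nvr(s: str) -> Tuple[str, str, str]:
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    s = re.sub(r"\.(noarch|x86_64|aarch64|src)$", "", s.strip())
    name, version, release = s.rsplit("-", 2)
    return name, version, release


def dist_tag(release: str) -> str:
    """'6.oe2203sp1' -> 'oe2203sp1'; identifies the openEuler product line."""
    return release.split(".", 1)[1] if "." in release else ""


def evr_cmp(v1: str, r1: str, v2: str, r2: str) -> int:
    """Version first, then release, as rpm does (epoch assumed equal)."""
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def assess(installed: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' (no matching product)."""
    name, ver, rel = parse_nvr(installed)
    for fixed in FIXED_NVRS:
        fname, fver, frel = parse_nvr(fixed)
        if fname == name and dist_tag(frel) == dist_tag(rel):
            return "fixed" if evr_cmp(ver, rel, fver, frel) >= 0 else "vulnerable"
    return "unknown"


def scan(rpm_q_lines: List[str]) -> Dict[str, str]:
    """Assess every line of `rpm -q` output; keyed by the NVR line itself."""
    return {line.strip(): assess(line) for line in rpm_q_lines if line.strip()}


# Constructed sample output of `rpm -q python3-setuptools` from several hosts.
SAMPLE_RPM_Q = [
    "python3-setuptools-59.4.0-5.oe2203sp1.noarch",   # one release too old
    "python3-setuptools-59.4.0-6.oe2203sp3.noarch",   # exactly the fixed build
    "python3-setuptools-68.0.0-2.oe2403.noarch",      # fixed build
    "python3-setuptools-44.1.1-2.oe2003sp4.noarch",   # older than the fix
    "python3-setuptools-65.5.0-1.fc38.noarch",        # not an openEuler product
]

if __name__ == "__main__":
    for nvr, state in scan(SAMPLE_RPM_Q).items():
        print(f"{state:10s} {nvr}")
```

Feed it real `rpm -q python3-setuptools` lines (one per host) to get a per-host verdict; any line reported as `vulnerable` is below the fixed release for its product line and should receive the update.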
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
2024-08-02
CVE-2024-6345
openEuler-20.03-LTS-SP4
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP3
openEuler-22.03-LTS-SP4
openEuler-24.03-LTS
High
8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
python-setuptools security update
2024-08-02
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1931