Message-ID: <f9ed4aba-9a28-4620-be5f-9060556efd93@collabora.com>
Date: Wed, 17 Jul 2024 08:06:18 -0300
From: Helen Koike <helen.koike@...labora.com>
To: WangYuli <wangyuli@...ontech.com>, maarten.lankhorst@...ux.intel.com,
 mripard@...nel.org, tzimmermann@...e.de, airlied@...il.com, daniel@...ll.ch,
 david.heidelberg@...labora.com
Cc: dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
 vignesh.raman@...labora.com, torvalds@...ux-foundation.org,
 guanwentao@...ontech.com
Subject: Re: [PATCH] drm/ci: Upgrade setuptools requirement to 70.0.0



On 16/07/2024 05:37, WangYuli wrote:
> GitHub Dependabot has issued the following alert:
> 
> "Upgrade setuptools to version 70.0.0 or later.
> 
>   A vulnerability in the package_index module of pypa/setuptools
>   versions up to 69.1.1 allows for remote code execution via its
>   download functions. These functions, which are used to download
>   packages from URLs provided by users or retrieved from package
>   index servers, are susceptible to code injection. If these
>   functions are exposed to user-controlled inputs, such as package
>   URLs, they can execute arbitrary commands on the system. The
>   issue is fixed in version 70.0.
> 
>   Severity:            8.8 / 10 (High)
>   Attack vector:       Network
>   Attack complexity:   Low
>   Privileges required: None
>   User interaction:    Required
>   Scope:               Unchanged
>   Confidentiality:     High
>   Integrity:           High
>   Availability:        High
>   CVE ID:              CVE-2024-6345"
> 
> To avoid disturbing everyone with the kernel repo hosted on GitHub,
> I suggest we upgrade our python dependencies once again to appease
> GitHub Dependabot.
> 
> Link: https://github.com/dependabot
> Signed-off-by: WangYuli <wangyuli@...ontech.com>

Acked-by: Helen Koike <helen.koike@...labora.com>

Thanks
Helen

> ---
>   drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
> index e9994c9db799..5e6d48d98e4e 100644
> --- a/drivers/gpu/drm/ci/xfails/requirements.txt
> +++ b/drivers/gpu/drm/ci/xfails/requirements.txt
> @@ -11,7 +11,7 @@ requests==2.31.0
>   requests-toolbelt==1.0.0
>   ruamel.yaml==0.17.32
>   ruamel.yaml.clib==0.2.7
> -setuptools==68.0.0
> +setuptools==70.0.0
>   tenacity==8.2.3
>   urllib3==2.0.7
>   wheel==0.41.1
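Review bot: the pin in this hunk matches the advisory quoted above (fixed in 70.0), but the Link: tag in the message points to the generic Dependabot landing page rather than to the advisory for CVE-2024-6345; linking the advisory or the setuptools 70.0.0 release would let a reviewer verify the target version from the commit itself. The quoted text scopes the issue to package_index's download functions being fed externally supplied URLs, so a sentence on whether the CI tooling that installs from this file reaches that code path would help readers judge urgency versus hygiene.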


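As an added check that is not part of this thread or of the kernel tree, the script below audits a pinned requirements.txt for a setuptools version below the 70.0 fix named in the quoted advisory; the sample input is constructed from the pre-patch state of the hunk, and the version comparison is numeric so that a pin such as 9.0 is not mistaken for being newer than 70.0.

```python
"""Flag a requirements.txt whose setuptools pin predates the CVE-2024-6345 fix (70.0)."""
import re
from typing import Dict, List, Tuple

# Threshold taken from the quoted advisory: "The issue is fixed in version 70.0."
FIXED_SETUPTOOLS = (70, 0)

# Constructed sample: the requirements.txt fragment from the hunk, before the patch.
SAMPLE_BEFORE = """\
requests==2.31.0
requests-toolbelt==1.0.0
ruamel.yaml==0.17.32
ruamel.yaml.clib==0.2.7
setuptools==68.0.0
tenacity==8.2.3
"""

# Exact pins only: "name==1.2.3", optional surrounding whitespace and trailing comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    # Compare as integer tuples, not strings: "9.0" < "70.0" numerically, but not lexically.
    return tuple(int(part) for part in text.strip(".").split(".") if part)


def parse_pins(text: str) -> Dict[str, Tuple[int, ...]]:
    pins: Dict[str, Tuple[int, ...]] = {}
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            # Project names are case-insensitive and '_' is equivalent to '-' (PEP 503).
            name = match.group(1).lower().replace("_", "-")
            pins[name] = parse_version(match.group(2))
    return pins


def vulnerable_setuptools(text: str) -> List[str]:
    """Return findings for an affected setuptools pin; an empty list means none found."""
    version = parse_pins(text).get("setuptools")
    if version is None:
        return []  # not pinned here: this file alone cannot tell which version is installed
    if version < FIXED_SETUPTOOLS:
        shown = ".".join(map(str, version))
        return [f"setuptools=={shown} is below 70.0 (CVE-2024-6345)"]
    return []


if __name__ == "__main__":
    for finding in vulnerable_setuptools(SAMPLE_BEFORE):
        print(finding)
```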