Message-ID: <1914d56fe86.f860dad0912384.3097768595392912889@collabora.com>
Date: Tue, 13 Aug 2024 17:03:52 -0300
From: Helen Mae Koike Fornazier <helen.koike@...labora.com>
To: "Helen Koike" <helen.koike@...labora.com>
Cc: "WangYuli" <wangyuli@...ontech.com>,
	"maarten.lankhorst" <maarten.lankhorst@...ux.intel.com>,
	"mripard" <mripard@...nel.org>, "tzimmermann" <tzimmermann@...e.de>,
	"airlied" <airlied@...il.com>, "daniel" <daniel@...ll.ch>,
	"david.heidelberg" <david.heidelberg@...labora.com>,
	"dri-devel" <dri-devel@...ts.freedesktop.org>,
	"linux-kernel" <linux-kernel@...r.kernel.org>,
	"vignesh.raman" <vignesh.raman@...labora.com>,
	"torvalds" <torvalds@...ux-foundation.org>,
	"guanwentao" <guanwentao@...ontech.com>
Subject: Re: [PATCH] drm/ci: Upgrade setuptools requirement to 70.0.0

---- On Wed, 17 Jul 2024 08:06:18 -0300 Helen Koike wrote ---

 > 
 > 
 > On 16/07/2024 05:37, WangYuli wrote: 
 > > GitHub Dependabot has issued the following alert: 
 > > 
 > > "Upgrade setuptools to version 70.0.0 or later. 
 > > 
 > >   A vulnerability in the package_index module of pypa/setuptools 
 > >   versions up to 69.1.1 allows for remote code execution via its 
 > >   download functions. These functions, which are used to download 
 > >   packages from URLs provided by users or retrieved from package 
 > >   index servers, are susceptible to code injection. If these 
 > >   functions are exposed to user-controlled inputs, such as package 
 > >   URLs, they can execute arbitrary commands on the system. The 
 > >   issue is fixed in version 70.0. 
 > > 
 > >   Severity: 8.8 / 10 (High) 
 > >   Attack vector:        Network 
 > >   Attack complexity:        Low 
 > >   Privileges required:     None 
 > >   User interaction:    Required 
 > >   Scope:              Unchanged 
 > >   Confidentiality:         High 
 > >   Integrity:               High 
 > >   Availability:            High 
 > >   CVE ID:         CVE-2024-6345" 
 > > 
 > > To avoid disturbing everyone with the kernel repo hosted on GitHub, 
 > > I suggest we upgrade our python dependencies once again to appease 
 > > GitHub Dependabot. 
 > > 
 > > Link: https://github.com/dependabot 
 > > Signed-off-by: WangYuli <wangyuli@...ontech.com> 
 >  
 > Acked-by: Helen Koike <helen.koike@...labora.com> 
 >  
 > Thanks 
 > Helen 

Applied to drm-ci-next.

Thanks
Helen

 >  
 > > --- 
 > >   drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 
 > >   1 file changed, 1 insertion(+), 1 deletion(-) 
 > > 
 > > diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt 
 > > index e9994c9db799..5e6d48d98e4e 100644 
 > > --- a/drivers/gpu/drm/ci/xfails/requirements.txt 
 > > +++ b/drivers/gpu/drm/ci/xfails/requirements.txt 
 > > @@ -11,7 +11,7 @@ requests==2.31.0 
 > >   requests-toolbelt==1.0.0 
 > >   ruamel.yaml==0.17.32 
 > >   ruamel.yaml.clib==0.2.7 
 > > -setuptools==68.0.0 
 > > +setuptools==70.0.0 
 > >   tenacity==8.2.3 
 > >   urllib3==2.0.7 
 > >   wheel==0.41.1 
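Review bot: the bump at `+setuptools==70.0.0` matches the fix version named in the alert, but the commit message gives "appease GitHub Dependabot" as the only rationale; it should say whether anything under drivers/gpu/drm/ci passes user-supplied or index-derived URLs to setuptools' package_index download functions, which is the only path the alert describes, so a reader can tell CI hygiene from a real exposure. Separately, this file pins exact versions with no `--hash` entries, so the bump alone does not verify what pip actually installs; if the CI installer supports hash-checking mode, adding hashes would make future version pins meaningful as an integrity control.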
 >  
 > 
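A defender-side check for the kind of pin the patch corrects, added here as an example and not code from this thread or the kernel tree: it parses exact-version pins from a requirements.txt and flags any package pinned below the fixed release named in the alert, or listed without an exact pin at all. The ADVISORIES table and SAMPLE_REQUIREMENTS are constructed from the quoted alert and diff.

```python
"""Flag requirements.txt pins that fall below a known fixed release.
Added example, not code from this thread or the kernel tree. ADVISORIES is
constructed from the Dependabot alert quoted above; SAMPLE_REQUIREMENTS is
a constructed sample shaped like the file in the diff."""
import re

# Constructed from the alert: package -> (first fixed version, CVE id)
ADVISORIES = {"setuptools": ("70.0.0", "CVE-2024-6345")}
# Exact pin only: name==version and nothing else on the line
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.]*)$")
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
requests-toolbelt==1.0.0
setuptools==68.0.0   # pre-fix pin, as on the '-' line of the diff
tenacity==8.2.3
"""

def parse_version(text):
    """'70.0' and '70.0.0' both become (70,); non-numeric tails are dropped."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit_requirements(lines):
    """Return (package, pinned, fixed, cve) for each pin below the fixed release.
    Comments and blank lines are skipped. A listed package without an exact
    '==' pin is reported as "unpinned": a loose specifier does not guarantee
    that the fixed release is what pip installs."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            name, pinned = m.group(1).lower(), m.group(2)
            adv = ADVISORIES.get(name)
            if adv and parse_version(pinned) < parse_version(adv[0]):
                findings.append((name, pinned, adv[0], adv[1]))
            continue
        name = re.split(r"[<>=!~\[; ]", line, 1)[0].lower()
        if name in ADVISORIES:
            findings.append((name, "unpinned", *ADVISORIES[name]))
    return findings
```

Run it over the real drivers/gpu/drm/ci/xfails/requirements.txt lines (or any other pinned file) to get the same tuple list; an empty list means every listed package is at or above its fixed release.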
