Message-ID: <1914d56fe86.f860dad0912384.3097768595392912889@collabora.com>
Date: Tue, 13 Aug 2024 17:03:52 -0300
From: Helen Mae Koike Fornazier <helen.koike@...labora.com>
To: "Helen Koike" <helen.koike@...labora.com>
Cc: "WangYuli" <wangyuli@...ontech.com>,
"maarten.lankhorst" <maarten.lankhorst@...ux.intel.com>,
"mripard" <mripard@...nel.org>, "tzimmermann" <tzimmermann@...e.de>,
"airlied" <airlied@...il.com>, "daniel" <daniel@...ll.ch>,
"david.heidelberg" <david.heidelberg@...labora.com>,
"dri-devel" <dri-devel@...ts.freedesktop.org>,
"linux-kernel" <linux-kernel@...r.kernel.org>,
"vignesh.raman" <vignesh.raman@...labora.com>,
"torvalds" <torvalds@...ux-foundation.org>,
"guanwentao" <guanwentao@...ontech.com>
Subject: Re: [PATCH] drm/ci: Upgrade setuptools requirement to 70.0.0
---- On Wed, 17 Jul 2024 08:06:18 -0300 Helen Koike wrote ---
>
>
> On 16/07/2024 05:37, WangYuli wrote:
> > GitHub Dependabot has issued the following alert:
> >
> > "Upgrade setuptools to version 70.0.0 or later.
> >
> > A vulnerability in the package_index module of pypa/setuptools
> > versions up to 69.1.1 allows for remote code execution via its
> > download functions. These functions, which are used to download
> > packages from URLs provided by users or retrieved from package
> > index servers, are susceptible to code injection. If these
> > functions are exposed to user-controlled inputs, such as package
> > URLs, they can execute arbitrary commands on the system. The
> > issue is fixed in version 70.0.
> >
> > Severity: 8.8 / 10 (High)
> > Attack vector: Network
> > Attack complexity: Low
> > Privileges required: None
> > User interaction: Required
> > Scope: Unchanged
> > Confidentiality: High
> > Integrity: High
> > Availability: High
> > CVE ID: CVE-2024-6345"
> >
> > To avoid disturbing everyone with the kernel repo hosted on GitHub,
> > I suggest we upgrade our python dependencies once again to appease
> > GitHub Dependabot.
> >
> > Link: https://github.com/dependabot
> > Signed-off-by: WangYuli <wangyuli@...ontech.com>
>
> Acked-by: Helen Koike <helen.koike@...labora.com>
>
> Thanks
> Helen
Applied to drm-ci-next.
Thanks
Helen
>
> > ---
> > drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
> > index e9994c9db799..5e6d48d98e4e 100644
> > --- a/drivers/gpu/drm/ci/xfails/requirements.txt
> > +++ b/drivers/gpu/drm/ci/xfails/requirements.txt
> > @@ -11,7 +11,7 @@ requests==2.31.0
> > requests-toolbelt==1.0.0
> > ruamel.yaml==0.17.32
> > ruamel.yaml.clib==0.2.7
> > -setuptools==68.0.0
> > +setuptools==70.0.0
> > tenacity==8.2.3
> > urllib3==2.0.7
> > wheel==0.41.1
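Review bot: the Link: trailer in the commit message points at the generic https://github.com/dependabot page rather than at the record for CVE-2024-6345 that motivates the one-line change from `-setuptools==68.0.0` to `+setuptools==70.0.0`; a link to the CVE entry or the upstream setuptools fix would let a reader verify that 70.0.0 is the first fixed release, which the quoted alert states only as "70.0". The exact `==` pin is consistent with the neighbouring entries in the file.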
>
>
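As an added defender-side example (not part of the patch or the drm/ci tree), a small check that parses a requirements.txt and flags an exact setuptools pin older than the fixed release named in the alert; the sample lines are constructed from the hunk above.

```python
"""Flag requirements.txt pins of setuptools below the fixed release named in
the Dependabot alert (CVE-2024-6345, fixed in 70.0). Added example, not part
of the drm/ci tree or of the patch."""
import re
from typing import Iterator, List, Tuple

# First fixed release per the quoted alert; everything up to 69.1.1 is affected.
FIXED_VERSION = "70.0.0"

# Exact pins only ("name==version"); range specifiers are out of scope here.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '69.1.1' into (69, 1, 1); pad so '70.0' compares equal to '70.0.0'."""
    parts = tuple(int(p) for p in text.strip().split(".") if p)
    return parts + (0,) * (3 - len(parts))


def iter_pins(requirements: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, package, version) for every exact '==' pin, skipping comments."""
    for no, line in enumerate(requirements.splitlines(), start=1):
        line = line.split("#", 1)[0]
        m = PIN_RE.match(line)
        if m:
            yield no, m.group(1).lower(), m.group(2)


def vulnerable_pins(requirements: str, package: str = "setuptools",
                    fixed: str = FIXED_VERSION) -> List[Tuple[int, str]]:
    """Return [(line_no, version)] for pins of `package` older than `fixed`."""
    fixed_v = parse_version(fixed)
    return [(no, ver) for no, pkg, ver in iter_pins(requirements)
            if pkg == package and parse_version(ver) < fixed_v]


# Constructed sample mirroring the hunk: the old pin and the patched pin.
BEFORE = "ruamel.yaml.clib==0.2.7\nsetuptools==68.0.0\ntenacity==8.2.3\n"
AFTER = BEFORE.replace("setuptools==68.0.0", "setuptools==70.0.0")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        hits = vulnerable_pins(text)
        print(f"{label}: {hits or 'no vulnerable setuptools pin'}")
```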