A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Created buku tracking bugs for this issue: Affects: fedora-all [bug 2298673]
Created cura tracking bugs for this issue: Affects: fedora-all [bug 2298674]
Created limnoria tracking bugs for this issue: Affects: epel-all [bug 2298672]
Created pypy tracking bugs for this issue: Affects: fedora-all [bug 2298675]
Created python-setuptools_scm tracking bugs for this issue: Affects: fedora-40 [bug 2298671]
Created qcoro tracking bugs for this issue: Affects: fedora-all [bug 2298676]
The main part of the PR fixing the vulnerability is the switch from os.system("git clone …") to subprocess.check_call(["git", "clone", …]).
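The two comments above describe the bug (a download URL reaching os.system) and the fix (an argv list passed to subprocess.check_call). The following is an added example, not code from setuptools or from the PR, that puts the hardened form next to the checks a caller should keep around it: the list form keeps shell metacharacters inert, but a value can still be read by git as an option, and nothing in the list form restricts where a clone may come from. The names build_clone_argv, validate_clone_target and ALLOWED_SCHEMES, and the scheme policy, are assumptions made for this example.

```python
# Added example, not code from setuptools or the PR referred to above.
# Contrasts the pre-fix pattern os.system("git clone " + url) with the
# argv-list pattern subprocess.check_call(["git", "clone", ...]).
# build_clone_argv, validate_clone_target and ALLOWED_SCHEMES are names
# chosen for this example (assumptions, not setuptools API).
import subprocess
import sys
from typing import List, Optional
from urllib.parse import urlsplit

# Policy for this example (assumption): only these URL schemes may be cloned.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


def validate_clone_target(url: str, dest: str) -> Optional[str]:
    """Return None if (url, dest) is acceptable, otherwise the reason it is not.

    Passing an argv list stops the shell from interpreting metacharacters,
    but it does not stop git itself from reading a value as an option, and
    it does not restrict where a clone may come from. Both are checked here.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return f"unsupported or malformed URL: {url!r}"
    for name, value in (("url", url), ("dest", dest)):
        if value.startswith("-"):
            return f"{name} looks like a command-line option: {value!r}"
    return None


def build_clone_argv(url: str, dest: str) -> List[str]:
    """Build the argument list for `git clone`, the form the fix switched to.

    Each list element reaches git as exactly one argument and no shell is
    involved, so a ';', '&&', '$(...)' or backtick inside `url` stays inert.
    The '--' additionally ends git's option parsing before the two values.
    """
    problem = validate_clone_target(url, dest)
    if problem is not None:
        raise ValueError(problem)
    return ["git", "clone", "--", url, dest]


def clone(url: str, dest: str) -> None:
    """The hardened call: argv list, no shell. Not executed by this example."""
    subprocess.check_call(build_clone_argv(url, dest))


def argv_keeps_value_literal(value: str) -> str:
    """Show the property the fix relies on, without needing git or a network.

    A Python child process is started with the list form, exactly as the
    fixed code starts git, and echoes back its first argument. Whatever
    metacharacters `value` contains, it comes back unchanged as a single
    argument; with os.system the same characters would have been handed to
    /bin/sh for parsing.
    """
    child = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        check=True,
        capture_output=True,
        text=True,
    )
    return child.stdout.rstrip("\n")


if __name__ == "__main__":
    print(build_clone_argv("https://example.com/repo.git", "repo"))
    print(argv_keeps_value_literal("a; b && c $(d) `e` | f"))
```

The scheme allow-list and the leading-dash check are the parts a reviewer should look for once a codebase has moved to the list form: the switch away from os.system removes the shell from the path, and these two checks cover what the shell-free path still leaves to the caller.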
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:5000 https://access.redhat.com/errata/RHSA-2024:5000
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:5002 https://access.redhat.com/errata/RHSA-2024:5002
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:5040 https://access.redhat.com/errata/RHSA-2024:5040
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:5078 https://access.redhat.com/errata/RHSA-2024:5078
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:5084 https://access.redhat.com/errata/RHSA-2024:5084
FEDORA-2024-247e9ba33a (python-setuptools-69.0.3-4.fc40) has been pushed to the Fedora 40 stable repository. If the problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:5137 https://access.redhat.com/errata/RHSA-2024:5137
FEDORA-2024-9ed182a5d3 (python-setuptools-67.7.2-8.fc39) has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:5279 https://access.redhat.com/errata/RHSA-2024:5279
Are the upgrades expected to be shipped in the registry.redhat.io/rhel9-2-els/rhel:9.2 image?
(In reply to aleskandro from comment #15)
> Are the upgrades expected to be shipped in the
> registry.redhat.io/rhel9-2-els/rhel:9.2 image?

This is a high-severity vulnerability and RHEL 9.2 is still supported, so the answer is yes. python-setuptools is already fixed; the update for python3.11-setuptools is in progress.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:5389 https://access.redhat.com/errata/RHSA-2024:5389
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5532 https://access.redhat.com/errata/RHSA-2024:5532
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5531 https://access.redhat.com/errata/RHSA-2024:5531
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:5533 https://access.redhat.com/errata/RHSA-2024:5533
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5530 https://access.redhat.com/errata/RHSA-2024:5530
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:5534 https://access.redhat.com/errata/RHSA-2024:5534
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5962 https://access.redhat.com/errata/RHSA-2024:5962
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:6220 https://access.redhat.com/errata/RHSA-2024:6220
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6311 https://access.redhat.com/errata/RHSA-2024:6311
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6312 https://access.redhat.com/errata/RHSA-2024:6312
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6309 https://access.redhat.com/errata/RHSA-2024:6309
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:6488 https://access.redhat.com/errata/RHSA-2024:6488
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:6612 https://access.redhat.com/errata/RHSA-2024:6612
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6611 https://access.redhat.com/errata/RHSA-2024:6611
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2024:6661 https://access.redhat.com/errata/RHSA-2024:6661
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2024:6662 https://access.redhat.com/errata/RHSA-2024:6662
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:6726 https://access.redhat.com/errata/RHSA-2024:6726
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2024:6907 https://access.redhat.com/errata/RHSA-2024:6907
This issue has been addressed in the following products: Service Interconnect 1.4 for RHEL 9 Via RHSA-2024:7213 https://access.redhat.com/errata/RHSA-2024:7213
This issue has been addressed in the following products: Service Interconnect 1 for RHEL 9 Via RHSA-2024:7374 https://access.redhat.com/errata/RHSA-2024:7374