python3-setuptools: Fix CVE-2024-6345 - linux/poky.git - Mirror of git.yoctoproject.org/poky

diff options

author	Soumya Sambu <soumya.sambu@windriver.com>	2025-04-25 04:50:26 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-05-02 08:12:41 -0700
commit	8208d973b908a3d4b0162534b7168f4e22590e7e (patch)
tree	a49a5ca3a6e590d3bcfa90045600cfd07df0bc43 /scripts/lib/scriptpath.py
parent	520ba611e6b5bfb592d2e57032493ac9dd57ccaf (diff)
download	poky-8208d973b908a3d4b0162534b7168f4e22590e7e.tar.gz

python3-setuptools: Fix CVE-2024-6345

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. References: https://nvd.nist.gov/vuln/detail/CVE-2024-6345 https://ubuntu.com/security/CVE-2024-6345 Upstream patch: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0 (From OE-Core rev: 238c305ba2c513a070818de4b6ad4316b54050a7) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>

Diffstat (limited to 'scripts/lib/scriptpath.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: