[PATCH] drm/ci: Upgrade setuptools requirement to 70.0.0

Helen Mae Koike Fornazier helen.koike at collabora.com
Tue Aug 13 20:03:52 UTC 2024





---- On Wed, 17 Jul 2024 08:06:18 -0300 Helen Koike  wrote ---

 > 
 > 
 > On 16/07/2024 05:37, WangYuli wrote: 
 > > GitHub Dependabot has issued the following alert: 
 > > 
 > > "Upgrade setuptools to version 70.0.0 or later. 
 > > 
 > >   A vulnerability in the package_index module of pypa/setuptools 
 > >   versions up to 69.1.1 allows for remote code execution via its 
 > >   download functions. These functions, which are used to download 
 > >   packages from URLs provided by users or retrieved from package 
 > >   index servers, are susceptible to code injection. If these 
 > >   functions are exposed to user-controlled inputs, such as package 
 > >   URLs, they can execute arbitrary commands on the system. The 
 > >   issue is fixed in version 70.0. 
 > > 
 > >   Severity: 8.8 / 10 (High) 
 > >   Attack vector:        Network 
 > >   Attack complexity:        Low 
 > >   Privileges required:     None 
 > >   User interaction:    Required 
 > >   Scope:              Unchanged 
 > >   Confidentiality:         High 
 > >   Integrity:               High 
 > >   Availability:            High 
 > >   CVE ID:         CVE-2024-6345" 
 > > 
 > > To avoid disturbing everyone with the kernel repo hosted on GitHub, 
 > > I suggest we upgrade our python dependencies once again to appease 
 > > GitHub Dependabot. 
 > > 
 > > Link: https://github.com/dependabot 
 > > Signed-off-by: WangYuli <wangyuli at uniontech.com> 
 >  
 > Acked-by: Helen Koike <helen.koike at collabora.com> 
 >  
 > Thanks 
 > Helen 

Applied to drm-ci-next.

Thanks
Helen

 >  
 > > --- 
 > >   drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 
 > >   1 file changed, 1 insertion(+), 1 deletion(-) 
 > > 
 > > diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt 
 > > index e9994c9db799..5e6d48d98e4e 100644 
 > > --- a/drivers/gpu/drm/ci/xfails/requirements.txt 
 > > +++ b/drivers/gpu/drm/ci/xfails/requirements.txt 
 > > @@ -11,7 +11,7 @@ requests==2.31.0 
 > >   requests-toolbelt==1.0.0 
 > >   ruamel.yaml==0.17.32 
 > >   ruamel.yaml.clib==0.2.7 
 > > -setuptools==68.0.0 
 > > +setuptools==70.0.0 
 > >   tenacity==8.2.3 
 > >   urllib3==2.0.7 
 > >   wheel==0.41.1 
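Review bot: the commit message justifies the bump only as appeasing Dependabot and does not say whether anything under drivers/gpu/drm/ci/xfails actually calls setuptools' package_index download helpers, which is the only code path the quoted CVE-2024-6345 text describes as reachable; please state in the message whether this is a real exposure for the xfails tooling or a scanner-hygiene update, so a backporter can judge urgency. The exact pin `setuptools==70.0.0` does satisfy the "70.0.0 or later" requirement, but every entry in this file pins by version string alone; since this requirements.txt feeds a CI resolver, consider adding `--hash=sha256:...` digests so pip's hash-checking mode rejects a substituted wheel rather than only a wrong version.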
 >  
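The alert quoted above says the setuptools package_index download helpers could be made to run arbitrary commands when handed a user-controlled URL. The block below is an added illustration of that vulnerability class (a URL interpolated into a shell command string versus passed as one argv element); it is not setuptools' code and not part of this thread. To keep it safe to run, a harmless `echo` stands in for the real VCS client, and the hostile URL is a constructed sample.

```python
"""Command-injection pattern of the kind the CVE-2024-6345 alert describes.

Added illustration, not setuptools' code. A downloader that builds a shell
command string from a caller-supplied URL lets shell metacharacters in that
URL terminate the intended command and start another one. `echo` is used
here in place of a real VCS client so the effect can be observed safely.
"""
import subprocess
from urllib.parse import urlsplit

# Constructed sample input: a "download URL" carrying an injected command.
HOSTILE_URL = "https://example.invalid/repo.git; echo INJECTED"
BENIGN_URL = "https://example.invalid/repo.git"

# Hypothetical allow-list of schemes a package downloader would accept.
ALLOWED_SCHEMES = {"https", "git+https", "svn+https", "ssh", "git+ssh"}


def fetch_vulnerable(url: str) -> str:
    """Deliberately vulnerable: the URL is interpolated into a shell string.

    shell=True is the same class as os.system(); the ';' inside the URL
    ends the echo and the trailing 'echo INJECTED' runs as a second command.
    """
    proc = subprocess.run(
        "echo fetching %s" % url, shell=True, capture_output=True, text=True
    )
    return proc.stdout


def run_argv(url: str) -> str:
    """No shell involved: the URL is a single argv element, so the ';' and
    everything after it reach echo as literal text and nothing else runs."""
    proc = subprocess.run(
        ["echo", "fetching", url], capture_output=True, text=True
    )
    return proc.stdout


def url_is_plausible_vcs_url(url: str) -> bool:
    """Defence in depth on top of the argv form: require an allow-listed
    scheme and a host, and reject shell metacharacters outright."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    return not any(c in url for c in ";|&`$()<>\n\t '\"\\")


def fetch_hardened(url: str) -> str:
    """Hardened downloader: validate first, then never go through a shell."""
    if not url_is_plausible_vcs_url(url):
        raise ValueError("refusing suspicious download URL: %r" % url)
    return run_argv(url)


def hardened_rejects(url: str) -> bool:
    """True when fetch_hardened refuses the URL (used to check the guard)."""
    try:
        fetch_hardened(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(fetch_vulnerable(HOSTILE_URL)))
    print("argv only :", repr(run_argv(HOSTILE_URL)))
    print("hardened  :", repr(fetch_hardened(BENIGN_URL)))
    print("rejected  :", hardened_rejects(HOSTILE_URL))
```

Running it shows the vulnerable form emitting a second line, INJECTED, produced by the smuggled command, while the argv form prints the whole hostile URL as inert text. Pinning to a fixed setuptools release removes the known instance in package_index; the argv-plus-validation shape is what to look for when auditing any other downloader in CI tooling that shells out with URLs from an index server.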