[PATCH] drm/ci: Upgrade setuptools requirement to 70.0.0
Helen Koike
helen.koike at collabora.com
Wed Jul 17 11:06:18 UTC 2024
On 16/07/2024 05:37, WangYuli wrote:
> GitHub Dependabot has issued the following alert:
>
> "Upgrade setuptools to version 70.0.0 or later.
>
> A vulnerability in the package_index module of pypa/setuptools
> versions up to 69.1.1 allows for remote code execution via its
> download functions. These functions, which are used to download
> packages from URLs provided by users or retrieved from package
> index servers, are susceptible to code injection. If these
> functions are exposed to user-controlled inputs, such as package
> URLs, they can execute arbitrary commands on the system. The
> issue is fixed in version 70.0.
>
> Severity: 8.8 / 10 (High)
> Attack vector: Network
> Attack complexity: Low
> Privileges required: None
> User interaction: Required
> Scope: Unchanged
> Confidentiality: High
> Integrity: High
> Availability: High
> CVE ID: CVE-2024-6345"
>
> To avoid disturbing everyone with the kernel repo hosted on GitHub,
> I suggest we upgrade our python dependencies once again to appease
> GitHub Dependabot.
>
> Link: https://github.com/dependabot
> Signed-off-by: WangYuli <wangyuli at uniontech.com>
Acked-by: Helen Koike <helen.koike at collabora.com>
Thanks
Helen
> ---
> drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
> index e9994c9db799..5e6d48d98e4e 100644
> --- a/drivers/gpu/drm/ci/xfails/requirements.txt
> +++ b/drivers/gpu/drm/ci/xfails/requirements.txt
> @@ -11,7 +11,7 @@ requests==2.31.0
> requests-toolbelt==1.0.0
> ruamel.yaml==0.17.32
> ruamel.yaml.clib==0.2.7
> -setuptools==68.0.0
> +setuptools==70.0.0
> tenacity==8.2.3
> urllib3==2.0.7
> wheel==0.41.1
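Review bot: the bump to `setuptools==70.0.0` in this hunk matches the fix version quoted in the alert, but the commit message only says the change is there to appease Dependabot; it would help to state whether anything in drm/ci exercises the `package_index` download functions named in the alert, so readers know whether this closes an exposed code path or is a hygiene bump on a pinned build dependency. The exact `==` pin is consistent with the rest of the file, so the next setuptools advisory will trigger the same alert again; that is the expected cost of reproducible pins, not a defect in this hunk.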
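The check a reviewer wants to run on a patch like this is "does every exact pin in requirements.txt meet the version that closes the advisory?". The script below is an added example, not code from the kernel tree or from the patch author: it parses requirements.txt-style lines, pulls out `==` pins, and reports any package pinned below a known fix version. The only advisory entry is the one quoted in the thread (setuptools, CVE-2024-6345, fixed in 70.0.0); the sample requirements text is constructed for the demonstration and mirrors the pins shown in the hunk before and after the bump.

```python
"""Report exact pins that fall below a known fix version.

Added example, not part of drm/ci or of the patch above. Only the
setuptools entry quoted in this thread is in the advisory table; the
sample requirements text is constructed and mirrors the hunk's pins.
"""
import re
from typing import Dict, List, Tuple

# {normalized package name: (minimum fixed version, advisory id)}
# Single entry, taken from the Dependabot alert quoted on this page.
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "setuptools": ("70.0.0", "CVE-2024-6345"),
}

# Matches "name[extras]==version"; comments are stripped before matching.
_PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 style: lowercase, runs of -, _ and . collapse to a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """'70.0.0' -> (70, 0, 0). A non-numeric tail such as '1.0rc1' is dropped,
    so a pre-release compares equal to its final release; fine for == pins."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def normalize(version: Tuple[int, ...]) -> Tuple[int, ...]:
    """Strip trailing zeros so (70, 0) and (70, 0, 0) compare equal."""
    v = list(version)
    while len(v) > 1 and v[-1] == 0:
        v.pop()
    return tuple(v)


def parse_pins(requirements: str) -> Dict[str, str]:
    """Return {normalized name: pinned version} for every exact == pin.
    Blank lines, comments and non-== specifiers are skipped."""
    pins: Dict[str, str] = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(3)
    return pins


def audit_pins(requirements: str) -> List[str]:
    """One finding per tracked package that is pinned below its fix version
    or is not exactly pinned at all. An empty list means nothing to report."""
    findings: List[str] = []
    pins = parse_pins(requirements)
    for name, (fixed, advisory) in FIXED_IN.items():
        pinned = pins.get(name)
        if pinned is None:
            findings.append(f"{name}: no exact pin found; {advisory} needs >= {fixed}")
        elif normalize(parse_version(pinned)) < normalize(parse_version(fixed)):
            findings.append(f"{name}=={pinned} is below {fixed} ({advisory})")
    return findings


# Constructed sample: the pins visible in the hunk, before and after the bump.
BEFORE = """requests==2.31.0
requests-toolbelt==1.0.0
ruamel.yaml==0.17.32
ruamel.yaml.clib==0.2.7
setuptools==68.0.0  # pre-patch pin
tenacity==8.2.3
urllib3==2.0.7
wheel==0.41.1
"""
AFTER = BEFORE.replace("setuptools==68.0.0  # pre-patch pin", "setuptools==70.0.0")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_pins(text) or ["ok"])
```

Run against the pre-patch text it flags `setuptools==68.0.0`; against the post-patch text it reports nothing. Because the file uses exact pins, the same check needs its `FIXED_IN` table refreshed whenever a new advisory lands, which is the work Dependabot is doing for the GitHub mirror here.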