drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
GitHub Dependabot has issued the following alert:
"Upgrade setuptools to version 70.0.0 or later.
A vulnerability in the package_index module of pypa/setuptools
versions up to 69.1.1 allows for remote code execution via its
download functions. These functions, which are used to download
packages from URLs provided by users or retrieved from package
index servers, are susceptible to code injection. If these
functions are exposed to user-controlled inputs, such as package
URLs, they can execute arbitrary commands on the system. The
issue is fixed in version 70.0.
Severity: 8.8 / 10 (High)
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVE ID: CVE-2024-6345"
To avoid disturbing everyone with the kernel repo hosted on GitHub,
I suggest we upgrade our python dependencies once again to appease
GitHub Dependabot.
Link: https://github.com/dependabot
Signed-off-by: WangYuli <wangyuli@uniontech.com>
---
drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
index e9994c9db799..5e6d48d98e4e 100644
--- a/drivers/gpu/drm/ci/xfails/requirements.txt
+++ b/drivers/gpu/drm/ci/xfails/requirements.txt
@@ -11,7 +11,7 @@ requests==2.31.0
requests-toolbelt==1.0.0
ruamel.yaml==0.17.32
ruamel.yaml.clib==0.2.7
-setuptools==68.0.0
+setuptools==70.0.0
tenacity==8.2.3
urllib3==2.0.7
wheel==0.41.1
--
2.43.4On 16/07/2024 05:37, WangYuli wrote: > GitHub Dependabot has issued the following alert: > > "Upgrade setuptools to version 70.0.0 or later. > > A vulnerability in the package_index module of pypa/setuptools > versions up to 69.1.1 allows for remote code execution via its > download functions. These functions, which are used to download > packages from URLs provided by users or retrieved from package > index servers, are susceptible to code injection. If these > functions are exposed to user-controlled inputs, such as package > URLs, they can execute arbitrary commands on the system. The > issue is fixed in version 70.0. > > Severity: 8.8 / 10 (High) > Attack vector: Network > Attack complexity: Low > Privileges required: None > User interaction: Required > Scope: Unchanged > Confidentiality: High > Integrity: High > Availability: High > CVE ID: CVE-2024-6345" > > To avoid disturbing everyone with the kernel repo hosted on GitHub, > I suggest we upgrade our python dependencies once again to appease > GitHub Dependabot. > > Link: https://github.com/dependabot > Signed-off-by: WangYuli <wangyuli@uniontech.com> Acked-by: Helen Koike <helen.koike@collabora.com> Thanks Helen > --- > drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt > index e9994c9db799..5e6d48d98e4e 100644 > --- a/drivers/gpu/drm/ci/xfails/requirements.txt > +++ b/drivers/gpu/drm/ci/xfails/requirements.txt > @@ -11,7 +11,7 @@ requests==2.31.0 > requests-toolbelt==1.0.0 > ruamel.yaml==0.17.32 > ruamel.yaml.clib==0.2.7 > -setuptools==68.0.0 > +setuptools==70.0.0 > tenacity==8.2.3 > urllib3==2.0.7 > wheel==0.41.1
---- On Wed, 17 Jul 2024 08:06:18 -0300 Helen Koike wrote --- > > > On 16/07/2024 05:37, WangYuli wrote: > > GitHub Dependabot has issued the following alert: > > > > "Upgrade setuptools to version 70.0.0 or later. > > > > A vulnerability in the package_index module of pypa/setuptools > > versions up to 69.1.1 allows for remote code execution via its > > download functions. These functions, which are used to download > > packages from URLs provided by users or retrieved from package > > index servers, are susceptible to code injection. If these > > functions are exposed to user-controlled inputs, such as package > > URLs, they can execute arbitrary commands on the system. The > > issue is fixed in version 70.0. > > > > Severity: 8.8 / 10 (High) > > Attack vector: Network > > Attack complexity: Low > > Privileges required: None > > User interaction: Required > > Scope: Unchanged > > Confidentiality: High > > Integrity: High > > Availability: High > > CVE ID: CVE-2024-6345" > > > > To avoid disturbing everyone with the kernel repo hosted on GitHub, > > I suggest we upgrade our python dependencies once again to appease > > GitHub Dependabot. > > > > Link: https://github.com/dependabot > > Signed-off-by: WangYuli wangyuli@uniontech.com> > > Acked-by: Helen Koike helen.koike@collabora.com> > > Thanks > Helen Applied to drm-ci-next. Thanks Helen > > > --- > > drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt > > index e9994c9db799..5e6d48d98e4e 100644 > > --- a/drivers/gpu/drm/ci/xfails/requirements.txt > > +++ b/drivers/gpu/drm/ci/xfails/requirements.txt > > @@ -11,7 +11,7 @@ requests==2.31.0 > > requests-toolbelt==1.0.0 > > ruamel.yaml==0.17.32 > > ruamel.yaml.clib==0.2.7 > > -setuptools==68.0.0 > > +setuptools==70.0.0 > > tenacity==8.2.3 > > urllib3==2.0.7 > > wheel==0.41.1 > >
© 2016 - 2026 Red Hat, Inc.