Bug 33536 - python-setuptools new security issue CVE-2024-6345
Summary: python-setuptools new security issue CVE-2024-6345
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lists.suse.com/pipermail/sle-...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 10:39 CEST by Nicolas Salguero
Modified: 2025-02-12 07:38 CET

See Also:
Source RPM: python-setuptools-65.5.0-3.mga9.src.rpm
CVE: CVE-2024-6345
Status comment:



Description Nicolas Salguero 2024-09-06 10:39:35 CEST
openSUSE has issued an advisory on August 28:
https://lists.suse.com/pipermail/sle-updates/2024-August/036709.html
Nicolas Salguero 2024-09-06 10:41:47 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-setuptools-69.0.2-3.mga10.src.rpm, python-setuptools-65.5.0-3.mga9.src.rpm
Status comment: (none) => Fixed upstream in 70.0.0 and patch available from upstream and openSUSE
CVE: (none) => CVE-2024-6345

Comment 1 Lewis Smith 2024-09-06 21:36:17 CEST
Assigning to Python. Will look into the patch.

Assignee: bugsquad => pythonlulu

Lewis Smith 2024-09-06 21:36:40 CEST

Assignee: pythonlulu => python

Marja Van Waes 2024-09-06 21:38:26 CEST

CC: (none) => marja11
URL: (none) => https://lists.suse.com/pipermail/sle-updates/2024-August/036709.html

Comment 3 Nicolas Salguero 2025-02-10 12:12:15 CET
Already fixed in Cauldron.

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: python-setuptools-69.0.2-3.mga10.src.rpm, python-setuptools-65.5.0-3.mga9.src.rpm => python-setuptools-65.5.0-3.mga9.src.rpm

Comment 4 Nicolas Salguero 2025-02-11 10:21:26 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Remote Code Execution in pypa/setuptools. (CVE-2024-6345)

References:
https://lists.suse.com/pipermail/sle-updates/2024-August/036709.html
========================

Updated packages in core/updates_testing:
========================
python-setuptools-wheel-65.5.0-3.1.mga9
python3-setuptools-65.5.0-3.1.mga9

from SRPM:
python-setuptools-65.5.0-3.1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: python => qa-bugs
Status comment: Fixed upstream in 70.0.0 and patch available from upstream and openSUSE => (none)

katnatek 2025-02-11 18:43:03 CET

Keywords: (none) => advisory

Comment 5 katnatek 2025-02-11 18:57:13 CET
RH x86_64

installing python-setuptools-wheel-65.5.0-3.1.mga9.noarch.rpm python3-setuptools-65.5.0-3.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: python3-setuptools    ##################################################################################################
      2/2: python-setuptools-wheel
                                 ##################################################################################################
      1/2: removing python3-setuptools-65.5.0-3.mga9.noarch
                                 ##################################################################################################
      2/2: removing python-setuptools-wheel-65.5.0-3.mga9.noarch
                                 ##################################################################################################

Looks like a clean install is the OK criterion

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2025-02-11 20:57:54 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2025-02-12 07:38:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0056.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

