Security update for python39-setuptools SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2906-1 Final 1 1 2024-08-14T09:04:09Z current 2024-08-14T09:04:09Z 2024-08-14T09:04:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python39-setuptools This update for python39-setuptools fixes the following issues: - CVE-2024-6345: Fixed code execution via download functions in the package_index module (bsc#1228105) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/python:3.9-2024-2906,Image python_15_6-2024-2906,SUSE-2024-2906,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2906,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2906,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2906,SUSE-Storage-7.1-2024-2906,openSUSE-SLE-15.5-2024-2906,openSUSE-SLE-15.6-2024-2906 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242906-1/ Link for SUSE-SU-2024:2906-1 https://lists.suse.com/pipermail/sle-security-updates/2024-August/019190.html E-Mail link for SUSE-SU-2024:2906-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1228105 SUSE Bug 1228105 https://www.suse.com/security/cve/CVE-2024-6345/ SUSE CVE CVE-2024-6345 page Container containers/python:3.9 Image python_15_6 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 openSUSE Leap 15.5 openSUSE Leap 15.6 python39-setuptools-44.1.1-150300.7.9.1 python39-setuptools-44.1.1-150300.7.9.1 as a component of Container containers/python:3.9 python39-setuptools-44.1.1-150300.7.9.1 as a component of Image python_15_6 python39-setuptools-44.1.1-150300.7.9.1 as a component of SUSE Enterprise Storage 7.1 python39-setuptools-44.1.1-150300.7.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS python39-setuptools-44.1.1-150300.7.9.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS python39-setuptools-44.1.1-150300.7.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 python39-setuptools-44.1.1-150300.7.9.1 as a component of openSUSE Leap 15.5 python39-setuptools-44.1.1-150300.7.9.1 as a component of openSUSE Leap 15.6 A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 Container containers/python:3.9:python39-setuptools-44.1.1-150300.7.9.1 Image python_15_6:python39-setuptools-44.1.1-150300.7.9.1 SUSE Enterprise Storage 7.1:python39-setuptools-44.1.1-150300.7.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:python39-setuptools-44.1.1-150300.7.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:python39-setuptools-44.1.1-150300.7.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:python39-setuptools-44.1.1-150300.7.9.1 openSUSE Leap 15.5:python39-setuptools-44.1.1-150300.7.9.1 openSUSE Leap 15.6:python39-setuptools-44.1.1-150300.7.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242906-1/ https://www.suse.com/security/cve/CVE-2024-6345.html CVE-2024-6345 https://bugzilla.suse.com/1228105 SUSE Bug 1228105