Security update for python-setuptools SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20053-1 Final 1 1 2025-02-03T08:56:29Z current 2025-02-03T08:56:29Z 2025-02-03T08:56:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-setuptools This update for python-setuptools fixes the following issues: - CVE-2024-6345: Fixed code execution via download functions in the package_index module in pypa/setuptools (bsc#1228105) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-76 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520053-1/ Link for SUSE-SU-2025:20053-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021273.html E-Mail link for SUSE-SU-2025:20053-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1228105 SUSE Bug 1228105 https://www.suse.com/security/cve/CVE-2024-6345/ SUSE CVE CVE-2024-6345 page SUSE Linux Micro 6.0 python311-setuptools-69.0.2-2.1 python311-setuptools-69.0.2-2.1 as a component of SUSE Linux Micro 6.0 A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 SUSE Linux Micro 6.0:python311-setuptools-69.0.2-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520053-1/ https://www.suse.com/security/cve/CVE-2024-6345.html CVE-2024-6345 https://bugzilla.suse.com/1228105 SUSE Bug 1228105