---- On Wed, 17 Jul 2024 08:06:18 -0300 Helen Koike wrote ---

>
>
> On 16/07/2024 05:37, WangYuli wrote:
> > GitHub Dependabot has issued the following alert:
> >
> > "Upgrade setuptools to version 70.0.0 or later.
> >
> > A vulnerability in the package_index module of pypa/setuptools
> > versions up to 69.1.1 allows for remote code execution via its
> > download functions. These functions, which are used to download
> > packages from URLs provided by users or retrieved from package
> > index servers, are susceptible to code injection. If these
> > functions are exposed to user-controlled inputs, such as package
> > URLs, they can execute arbitrary commands on the system. The
> > issue is fixed in version 70.0.
> >
> > Severity: 8.8 / 10 (High)
> > Attack vector: Network
> > Attack complexity: Low
> > Privileges required: None
> > User interaction: Required
> > Scope: Unchanged
> > Confidentiality: High
> > Integrity: High
> > Availability: High
> > CVE ID: CVE-2024-6345"
> >
> > To avoid disturbing everyone with the kernel repo hosted on GitHub,
> > I suggest we upgrade our python dependencies once again to appease
> > GitHub Dependabot.
> >
> > Link: https://github.com/dependabot
> > Signed-off-by: WangYuli <wangy...@uniontech.com>
>
> Acked-by: Helen Koike <helen.ko...@collabora.com>
>
> Thanks
> Helen

Applied to drm-ci-next.

Thanks
Helen

>
> > ---
> > drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt
> > b/drivers/gpu/drm/ci/xfails/requirements.txt
> > index e9994c9db799..5e6d48d98e4e 100644
> > --- a/drivers/gpu/drm/ci/xfails/requirements.txt
> > +++ b/drivers/gpu/drm/ci/xfails/requirements.txt
> > @@ -11,7 +11,7 @@ requests==2.31.0
> > requests-toolbelt==1.0.0
> > ruamel.yaml==0.17.32
> > ruamel.yaml.clib==0.2.7
> > -setuptools==68.0.0
> > +setuptools==70.0.0
> > tenacity==8.2.3
> > urllib3==2.0.7
> > wheel==0.41.1
> >
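Review bot: The commit message gives appeasing Dependabot as the only motivation for the `setuptools==68.0.0` -> `setuptools==70.0.0` bump; since the quoted advisory says the issue lies in `package_index` download functions fed user-controlled URLs, it would help reviewers to state whether anything under drivers/gpu/drm/ci actually reaches that code path, so the change is recorded as either a real fix or alert hygiene. The file also pins every package by exact version but not by hash, so the pin alone does not verify what gets installed; if the CI image installs this file with pip, consider adding `--hash=` entries and installing with `--require-hashes` so future bumps like this one also carry integrity checks.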