amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Bug] - python3-setuptools version 59.6.0-2.amzn2023.0.4 has vulnerabilities reported and new version is available #589

Closed gaccardo closed 6 months ago

gaccardo commented 6 months ago

Describe the bug
python3-setuptools version 59.6.0-2.amzn2023.0.4 has vulnerabilities reported.

To Reproduce
Steps to reproduce the behavior:

  1. Install python3-setuptools

Expected behavior
I'd like to be able to use at least version 65.5.1 of python3-setuptools, which is a version without known vulns and also the version provided for python3.11-setuptools.

nmeyerhans commented 6 months ago

The CVE you cite (CVE-2022-40897) was fixed in python3-setuptools-59.6.0-2.amzn2023.0.4:

bash-5.2# rpm -q system-release ; rpm -q --changelog python3-setuptools | head -n3
system-release-2023.3.20231218-0.amzn2023.noarch
* Thu Jun 22 2023 Sai Harsha <ssuryad@amazon.com> - 59.6.0-2.amzn2023.0.4
- Fix CVE-2022-40897
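
The check nmeyerhans ran above, scripted so the same question (which build of a package records the fix for a given CVE, and is that build the one installed) can be asked for any package. This is an added example, not code from the thread or from Amazon Linux; the sample changelog text is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: locate the build that fixed a CVE by parsing the RPM
# changelog, so a scanner flagging the upstream version (59.6.0) can be
# checked against the distro's backported fix. Pure text processing,
# so it runs offline; the rpm(8) calls are only in the live wrapper.

# Constructed sample in the layout `rpm -q --changelog` prints:
# "* <date> <packager> - <version-release>" headers, then "- ..." notes.
SAMPLE_CHANGELOG='* Thu Jun 22 2023 Sai Harsha <ssuryad@amazon.com> - 59.6.0-2.amzn2023.0.4
- Fix CVE-2022-40897
* Mon Jan 09 2023 Example Packager <packager@example.com> - 59.6.0-2.amzn2023.0.3
- Rebuild against updated python3 (constructed entry)'

# cve_fix_version CVE-ID CHANGELOG_TEXT
# Prints the version-release of the newest entry mentioning the CVE.
# Prints nothing and returns 1 when no entry does.
cve_fix_version() {
    printf '%s\n' "$2" | awk -v cve="$1" '
        # Header line: version-release is the last field after " - ".
        /^\* / { ver = ($(NF-1) == "-") ? $NF : "unknown" }
        # First body line naming the CVE decides the answer (newest first).
        index($0, cve) && ver != "" { print ver; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# cve_fixed_in_installed PACKAGE CVE-ID  (live check; needs rpm)
# The changelog of the installed build is cumulative, so any entry that
# names the CVE means the installed build already carries the fix.
cve_fixed_in_installed() {
    fix=$(cve_fix_version "$2" "$(rpm -q --changelog "$1")") || {
        echo "$2: no changelog entry in installed $1"; return 1; }
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1")
    echo "$2: fixed in $fix, installed build is $inst"
}

# Offline demo on the constructed sample; the live check runs only
# where rpm exists (e.g. on an AL2023 host).
cve_fix_version CVE-2022-40897 "$SAMPLE_CHANGELOG"
if command -v rpm >/dev/null 2>&1; then
    cve_fixed_in_installed python3-setuptools CVE-2022-40897 || true
fi
```
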

stewartsmith commented 6 months ago

As per https://explore.alas.aws.amazon.com/CVE-2022-40897.html this has been fixed in https://alas.aws.amazon.com/AL2023/ALAS-2023-245.html

So the CVE mentioned is fixed in Amazon Linux 2023.

stewartsmith commented 6 months ago

ahhh snap :)