Closed matthawley closed 1 week ago
IIRC there was some reason we didn't already update to 3.12, but I've added a specific dependency on setuptools.
Will make a release some time next week. Thanks for reminding me!
@cyberw Unfortunately, it doesn't seem as if this works - docker scout still detects v65.5.1 as it's directly referenced/installed in the Python 3.11 docker container.
docker pull locustio/locust:master
docker scout cves locustio/locust:master
pkg:pypi/setuptools@65.5.1
x HIGH CVE-2024-6345 [Improper Control of Generation of Code ('Code Injection')]
https://scout.docker.com/v/CVE-2024-6345
Affected range : <70.0.0
Fixed version : 70.0.0
CVSS Score : 8.8
CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
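An added check (not Locust's own code, and not from anyone in this thread) that turns the `docker scout cves` text quoted above into pass/fail findings, and also inspects the setuptools copy that would actually be imported inside the container. Function names and the sample output are my own; the sample is constructed from the lines above.

```python
import re
from importlib import metadata

# Matches the package URL lines scout prints, e.g. "pkg:pypi/setuptools@65.5.1".
PURL_RE = re.compile(r"pkg:pypi/(?P<name>[A-Za-z0-9_.-]+)@(?P<version>[0-9][^\s]*)")
# Matches the "Fixed version : 70.0.0" line that follows each finding.
FIXED_RE = re.compile(r"Fixed version\s*:\s*(\S+)")

def parse_version(v):
    """'65.5.1' -> (65, 5, 1); local/pre-release suffixes are dropped for the comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("+")[0])[:3])

def is_fixed(installed, fixed):
    """True when the installed version is at or above the advisory's fixed version."""
    return parse_version(installed) >= parse_version(fixed)

def findings_from_scout(text):
    """Pair each pypi purl with the 'Fixed version' line that follows it.
    Returns (name, installed, fixed, still_vulnerable) tuples."""
    results, current = [], None
    for line in text.splitlines():
        m = PURL_RE.search(line)
        if m:
            current = (m.group("name").lower(), m.group("version"))
            continue
        f = FIXED_RE.search(line)
        if f and current:
            name, installed = current
            results.append((name, installed, f.group(1), not is_fixed(installed, f.group(1))))
    return results

def runtime_setuptools_ok(fixed="70.0.0"):
    """Run inside the image (e.g. `docker run --rm IMAGE python check.py`): a pin in the
    project's own metadata does not prove the base image's site-packages copy was replaced."""
    try:
        return is_fixed(metadata.version("setuptools"), fixed)
    except metadata.PackageNotFoundError:
        return True  # no setuptools installed, nothing for CVE-2024-6345 to affect

# Constructed sample, copied from the scout output quoted in this thread.
SAMPLE_SCOUT = """\
pkg:pypi/setuptools@65.5.1
x HIGH CVE-2024-6345 [Improper Control of Generation of Code ('Code Injection')]
Affected range : <70.0.0
Fixed version : 70.0.0
"""

if __name__ == "__main__":
    for name, installed, fixed, vuln in findings_from_scout(SAMPLE_SCOUT):
        print(f"{name} {installed} (fixed in {fixed}): {'VULNERABLE' if vuln else 'ok'}")
```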
Prerequisites
Description
Version 2.32.2 of locust via the usage of the python 3.11.0-slim base image reports the usage of setuptools@65.5.0 which contains the vulnerability https://github.com/advisories/GHSA-r9hx-vwmv-q579
We are requesting that locust upgrade to a newer version of the python base image (3.12.0-slim or 3.13.0-slim) to resolve this issue. Referencing #2761
Command line
n/a
Locustfile contents
Python version
3.11
Locust version
2.32.2
Operating system
Linux