Closed javilonso closed 2 months ago
Hi @javilonso, please follow the instructions in https://github.com/pypa/setuptools/blob/main/SECURITY.md to report security problems.
It's just flagging zlib which has a couple known CVEs in versions 1.2.18 & 1.2.12. https://secure.software/pypi/packages/setuptools/vulnerabilities/72.1.0
But it's an optional dependency not even declared by setuptools or its own dependencies. It's just tentatively imported in distutils and backports.tarfile. Moreover, zlib is an external dependency to Python's packaging ecosystem, so you couldn't even enforce/specify a version! Sounds like a big false-positive from that security tooling to me, where the only thing actionable is for the users to install a secure version on their machines:
https://docs.python.org/3/library/zlib.html
The zlib library has its own home page at https://www.zlib.net/. There are known incompatibilities between the Python module and versions of the zlib library earlier than 1.1.3; 1.1.3 has a security vulnerability, so we recommend using 1.1.4 or later.
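Since the actionable item in the reply above is the zlib shared library on the user's machine rather than anything in setuptools, the practical check is to ask the interpreter which zlib it was built against and which one it actually loaded at runtime. The following is an added example, not code from the setuptools project or this issue; the minimum version it checks against (1.2.13) is an assumed threshold, not one stated on this page, and should be set to whatever your own policy requires.

```python
import re
import zlib


def parse_zlib_version(version):
    """Turn a zlib version string into a comparable tuple of ints.

    Handles plain versions ("1.2.13") as well as vendor suffixes such as
    "1.2.11.1-motley" or zlib-ng's "1.3.1.zlib-ng" by keeping only the
    leading numeric components.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
        if match.end() != len(piece):
            # Trailing non-numeric text (e.g. "1-motley"): stop after this number.
            break
    return tuple(parts)


def is_at_least(version, minimum):
    """True if `version` is the same as or newer than `minimum`."""
    return parse_zlib_version(version) >= parse_zlib_version(minimum)


def zlib_report(minimum="1.2.13"):
    """Report the compile-time and runtime zlib versions seen by this Python.

    `zlib.ZLIB_VERSION` is the version of the zlib.h header the extension
    module was compiled against; `zlib.ZLIB_RUNTIME_VERSION` is what the
    shared library loaded at runtime reports. A mismatch means the library
    was upgraded (or downgraded) independently of the interpreter build,
    which is exactly the case the reply above says is up to the user.
    The `minimum` default is an assumed policy threshold for this example.
    """
    compiled = zlib.ZLIB_VERSION
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "compiled": compiled,
        "runtime": runtime,
        "mismatch": parse_zlib_version(compiled) != parse_zlib_version(runtime),
        "runtime_ok": is_at_least(runtime, minimum),
    }


if __name__ == "__main__":
    report = zlib_report()
    print(f"zlib compiled against : {report['compiled']}")
    print(f"zlib loaded at runtime: {report['runtime']}")
    if report["mismatch"]:
        print("note: runtime library differs from the build-time header")
    if not report["runtime_ok"]:
        print("runtime zlib is older than the required minimum; upgrade the system library")
```

Run it with the same interpreter that pip/setuptools use (for example `python3 -m` inside the virtualenv), since each interpreter build may link a different libz; a scanner that flags the setuptools wheel cannot see this, which is why the version reported here is what actually matters.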
setuptools version
setuptools > 71.0
Python version
3.11
OS
macOS
Additional environment information
No response
Description
Since version 71.0, setuptools has some important vulnerabilities that have not been solved. This makes the installation impossible as my Forti antivirus client blocks the installation. We have had the vulnerability confirmed by setuptools.
For more details about the vulnerabilities, check the following page. https://secure.software/pypi/packages/setuptools/72.1.0
Expected behavior
Installation successful
How to Reproduce
Output