pypa / setuptools

Official project repository for the Setuptools build system
https://pypi.org/project/setuptools/
MIT License

[BUG] Vulnerabilities blocks installation on setuptools>71.0 #4545

Closed javilonso closed 2 months ago

javilonso commented 2 months ago

setuptools version

setuptools > 71.0

Python version

3.11

OS

macOS

Additional environment information

No response

Description

Since version 71.0, setuptools has some important vulnerabilities that have not been solved. This makes the installation impossible as my Forti antivirus client blocks the installation. The vulnerability has been confirmed to us by setuptools.

For more details about the vulnerabilities, check the following page. https://secure.software/pypi/packages/setuptools/72.1.0

Expected behavior

Installation successful

How to Reproduce

  1. Having FortiClient AntiVirus >=6.0
  2. Try to install from pip setuptools > 71.0
  3. Installation fails as the AntiVirus detects vulnerabilities

Output

abravalheri commented 2 months ago

Hi @javilonso, please follow the instructions in https://github.com/pypa/setuptools/blob/main/SECURITY.md to report security problems.

Avasam commented 2 months ago

It's just flagging zlib which has a couple known CVEs in versions 1.2.18 & 1.2.12. https://secure.software/pypi/packages/setuptools/vulnerabilities/72.1.0 But it's an optional dependency not even declared by setuptools or its own dependencies. It's just tentatively imported in distutils and backports.tarfile. More so, zlib is an external dependency to Python's packaging ecosystem, so you couldn't even enforce/specify a version! Sounds like a big false-positive from that security tooling to me, where the only thing actionable is for the users to install a secure version on their machines: https://docs.python.org/3/library/zlib.html

The zlib library has its own home page at https://www.zlib.net/. There are known incompatibilities between the Python module and versions of the zlib library earlier than 1.1.3; 1.1.3 has a security vulnerability, so we recommend using 1.1.4 or later.
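The comment above makes two points a practitioner may want to verify on their own machine: zlib is an optional module that setuptools only imports tentatively, and the only actionable fix is the zlib library installed on the host, not anything in the wheel. The script below is an added example for this thread, not code from setuptools or from any commenter. It uses the same try/except import pattern to show that zlib is optional, reads the compile-time and runtime zlib versions that CPython exposes (`zlib.ZLIB_VERSION` and `zlib.ZLIB_RUNTIME_VERSION`), and compares the runtime one against a minimum. The minimum `ASSUMED_MINIMUM_ZLIB` is an assumed illustrative value; it is not a statement about which zlib releases the scanner flagged.

```python
"""Check which zlib the running interpreter is actually linked against.

Added example for this issue thread; not code from setuptools or from any
commenter. ASSUMED_MINIMUM_ZLIB is an illustrative assumption, not a
claim about affected zlib releases.
"""
import re

# Assumed threshold for illustration only; set it to whatever your own
# vulnerability policy requires.
ASSUMED_MINIMUM_ZLIB = "1.2.13"


def parse_version(text):
    """Return the leading numeric components of a zlib version string.

    zlib version strings are normally dotted integers ("1.2.13"), but
    vendored builds may append a suffix ("1.2.11.zlib-ng"); only the
    leading integer groups are used for comparison.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised zlib version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_at_least(actual, minimum):
    """True if `actual` is not older than `minimum` (both version strings).

    Tuples are padded with zeros so that "1.2" compares equal to "1.2.0".
    """
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def runtime_zlib_version():
    """Return (compile_time, runtime) zlib versions, or None if zlib is absent.

    zlib is optional for CPython, which is why distutils and
    backports.tarfile only import it tentatively; the same pattern is used here.
    """
    try:
        import zlib
    except ImportError:
        return None
    return zlib.ZLIB_VERSION, zlib.ZLIB_RUNTIME_VERSION


def check_zlib(minimum=ASSUMED_MINIMUM_ZLIB):
    """Describe whether the zlib this interpreter runs with meets `minimum`."""
    versions = runtime_zlib_version()
    if versions is None:
        return {"available": False, "compiled": None, "runtime": None, "ok": None}
    compiled, runtime = versions
    return {
        "available": True,
        "compiled": compiled,
        "runtime": runtime,
        # The dynamically linked library is what actually executes, so the
        # runtime version (not the compile-time one) is the value that matters.
        "ok": version_at_least(runtime, minimum),
    }


if __name__ == "__main__":
    result = check_zlib()
    if not result["available"]:
        print("zlib module is not available in this interpreter")
    else:
        state = "OK" if result["ok"] else "BELOW MINIMUM"
        print(f"zlib compiled against {result['compiled']}, running "
              f"{result['runtime']}: {state} (minimum {ASSUMED_MINIMUM_ZLIB})")
```

Run it with the interpreter pip uses (`python -m` from the same virtual environment) so the reported runtime version is the one setuptools would load; a different system Python may be linked against a different zlib.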