[SECURITY] [DLA 4183-1] setuptools security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

From: Lee Garrett <debian@rocketjump.eu>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4183-1] setuptools security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4183-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Lee Garrett
May 28, 2025                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : setuptools
Version        : 52.0.0-4+deb11u2
CVE ID         : CVE-2025-47273
Debian Bug     : 1105970

A path traversal vulnerability was found in `PackageIndex` in setuptools. An
attacker could write files to arbitrary locations on the filesystem with the
permissions of the process running the Python code, which could escalate to
remote code execution depending on the context.

For Debian 11 bullseye, this problem has been fixed in version
52.0.0-4+deb11u2.

We recommend that you upgrade your setuptools packages.

For the detailed security status of setuptools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/setuptools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
