Bug#1091764: marked as done (bookworm-pu: package setuptools/66.1.1-1+deb12u1)



Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <E1tWZGn-009jbd-J2@coccia.debian.org>
and subject line Close 1091764
has caused the Debian Bug report #1091764,
regarding bookworm-pu: package setuptools/66.1.1-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1091764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091764
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: setuptools@packages.debian.org
Control: affects -1 + src:setuptools
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
CVE-2024-6345 has been fixed in oldstable and testing/unstable, but it has not
yet been fixed in Bookworm. This update intends to provide a fix for users of
Debian Bookworm as well.

Matthias agreed that I provide the update with my Debian LTS hat on.

[ Impact ]
If the update is not approved, users will continue to be vulnerable to
CVE-2024-6345.

[ Tests ]
The fix for the CVE also includes changes to the test cases covering the
affected code. Unfortunately, the Debian project has not implemented running
the upstream testsuite. The reason is probably that it depends on Python
modules which have not been packaged. Thus, I successfully ran the changed
test-cases locally with pytest after applying a few changes. I also
successfully attempted a module installation.

[ Risks ]
There is always a risk of regression. But the changed test cases ran
successfully. Furthermore, the update has also been provided to Bullseye via
DLA-3876-1 in September. There haven't been any reports of regressions or
issues.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The usage of os.system() has been replaced by subprocess.check_call().
Furthermore, the code handling the various schemes has been modernized and
consolidated.

The test cases were adjusted to the changes mentioned above.

[ Other info ]
The patch contains links to the upstream bug report and patch.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.

--- End Message ---
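
What the os.system() to subprocess.check_call() change listed under [ Changes ] buys, as an added example that is not taken from the setuptools patch or from this thread: a command string is re-parsed by the shell, while an argument list reaches the program unchanged. `echo` stands in for the external client, the function names and the URL are constructed for illustration, and a POSIX system is assumed.

```python
import subprocess

# Constructed input: a "URL" carrying shell metacharacters.
CONSTRUCTED_URL = "https://example.invalid/repo; echo INJECTED #"


def checkout_via_shell(url, dest):
    """Old pattern: format one string and let /bin/sh parse it.

    os.system(cmd) runs `sh -c cmd`; shell=True does the same and is used
    here only so that the output can be captured and compared.
    """
    cmd = "echo checkout %s %s" % (url, dest)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def checkout_via_argv(url, dest):
    """New pattern: an argument list, with no shell in between.

    check_output behaves like check_call but also returns stdout.
    """
    argv = ["echo", "checkout", url, dest]
    return subprocess.check_output(argv, text=True).splitlines()


if __name__ == "__main__":
    # The shell version runs two commands; the argv version runs one and
    # treats the whole URL as a single literal argument.
    print("shell:", checkout_via_shell(CONSTRUCTED_URL, "/tmp/dest"))
    print("argv: ", checkout_via_argv(CONSTRUCTED_URL, "/tmp/dest"))
```

For an ordinary URL both functions return the same single line, which is why the difference only shows up with input that contains shell syntax.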
