Your message dated Tue, 27 May 2025 15:01:10 +0000
with message-id <e1ujvni-00eamy...@fasolo.debian.org>
and subject line Bug#1105970: fixed in setuptools 78.1.1-0.1
has caused the Debian Bug report #1105970,
regarding setuptools: CVE-2025-47273
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1105970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: setuptools
Version: 78.1.0-1.2
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/setuptools/issues/4946
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for setuptools.

CVE-2025-47273[0]:
| setuptools is a package that allows users to download, build,
| install, upgrade, and uninstall Python packages. A path traversal
| vulnerability in `PackageIndex` is present in setuptools prior to
| version 78.1.1. An attacker would be allowed to write files to
| arbitrary locations on the filesystem with the permissions of the
| process running the Python code, which could escalate to remote code
| execution depending on the context. Version 78.1.1 fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47273
    https://www.cve.org/CVERecord?id=CVE-2025-47273
[1] https://github.com/pypa/setuptools/issues/4946
[2] https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
[3] https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
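As an added illustration of the class of defect described above (not setuptools' own code and not the upstream fix), the following guard shows how a package-index downloader can keep a filename derived from a URL from landing anywhere but directly inside its download directory; the URLs, the directory and the `__downloaded__` default name are constructed for the example.

```python
import os
from urllib.parse import unquote, urlparse


class UnsafeDownloadName(ValueError):
    """The URL-derived filename would not land directly inside the download directory."""


def download_path(url: str, tmpdir: str) -> str:
    """Return the path under tmpdir where the file named by url may be written.

    Illustrative guard written for this note, not the setuptools code: the
    name is taken from the last segment of the URL path and percent-decoded,
    the way a package-index client derives a local filename, and the result
    must be a single path component that resolves to a direct child of tmpdir.
    """
    base = os.path.realpath(tmpdir)
    segment = urlparse(url).path.rsplit("/", 1)[-1]
    name = unquote(segment) or "__downloaded__"  # constructed default for a bare directory URL
    # First layer: after decoding, the name must be a plain component. Decoding
    # is what can turn an innocuous-looking segment into separators or '..'.
    # The null-byte check also keeps realpath() below from raising on it.
    if name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise UnsafeDownloadName(name)
    # Second layer: os.path.join would drop `base` for an absolute name, and an
    # existing symlink under tmpdir can point elsewhere, so the resolved
    # location is checked as well rather than trusting the string checks alone.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise UnsafeDownloadName(name)
    return target


def is_safe(url: str, tmpdir: str = "/tmp/dl-example") -> bool:
    """True when download_path accepts the URL for the given directory."""
    try:
        download_path(url, tmpdir)
    except UnsafeDownloadName:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary sdist and two whose last segment
    # decodes to something other than a single path component.
    for u in (
        "https://files.example.test/packages/setuptools-78.1.1.tar.gz",
        "https://host.example.test/pkgs/%2Ftmp%2Felsewhere%2Fx",
        "https://host.example.test/pkgs/..%2F..%2Fx",
    ):
        print(u, "->", "ok" if is_safe(u) else "rejected")
```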
--- Begin Message ---
Source: setuptools
Source-Version: 78.1.1-0.1
Done: Lee Garrett <deb...@rocketjump.eu>

We believe that the bug you reported is fixed in the latest version of
setuptools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lee Garrett <deb...@rocketjump.eu> (supplier of updated setuptools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 27 May 2025 15:19:40 +0200
Source: setuptools
Architecture: source
Version: 78.1.1-0.1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Lee Garrett <deb...@rocketjump.eu>
Closes: 1105970
Changes:
 setuptools (78.1.1-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Update to upstream 78.1.1 which fixes CVE-2025-47273 (Closes: #1105970)
     - Path traversal in PackageIndex.download leads to Arbitrary File Write.
   * debian/watch: Update URI to https.



--- End Message ---