Update bundled setuptools to address CVE-2024-6345, CVE-2022-40897 in cpython 3.9, 3.10 & 3.11

[briensea]

Update bundled setuptools to address CVE-2024-6345, CVE-2022-40897 in cpython 3.9, 3.10 & 3.11

Description:

Security vulnerabilities, CVE-2024-6345 and CVE-2022-40897, have been identified in older versions of setuptools. The versions of setuptools bundled with CPython 3.9, 3.10, and 3.11 are affected.

This results in users being required to manually update setuptools to mitigate these security vulnerabilities.

CPython versions affected:

• 3.9 (bundled setuptools version outdated)
• 3.10 (bundled setuptools version outdated)
• 3.11 (bundled setuptools version outdated)

Operating systems tested on:

• Linux

[picnixz]

cc @sethmlarson @gpshead

[zware]

Duplicate of gh-102202.

[laptchik]

@zware why it's a duplicate if it's two totally different CVEs. CVE-2024-6345 wasn't discussed there and it has higher priority

[sethmlarson]

@laptchik The justification for not updating the bundled copy is the same, if it's possible to securely upgrade pip and setuptools in your own installation of Python then there's no need to upgrade the bundled copy. As a user you can fix the vulnerability by upgrading the library or by creating an environment and installing setuptools/pip yourself into that environment.

[laptchik]

@sethmlarson i thought it was closed not because it can be manually fixed, but because THAT cve is not a big deal, no?
With that, let's close. It's not a notable security vulnerability in Python. Telling that to your security scanner is, in this case, up to you.

[vuchuoverjet]

@laptchik The justification for not updating the bundled copy is the same, if it's possible to securely upgrade pip and setuptools in your own installation of Python then there's no need to upgrade the bundled copy. As a user you can fix the vulnerability by upgrading the library or by creating an environment and installing setuptools/pip yourself into that environment.

Hello, We're facing the same issue. We could, of course, upgrade pip and setuptools to latest versions, but what about the ones in ensurepip/_bundled ? They're still subjected to be scanned.

cc: @sethmlarson