[CVE-2025-47273, CVE-2024-6345] in setuptools 67.6.1 bundled with Python 3.12 Runtime

[Nishi-1412]

Bug report

Bug description:

Python 3.12 runtime includes a vulnerable version of setuptools (v67.6.1).
File location: /lib/python3.12/test/wheeldata/setuptools-67.6.1-py3-none-any.whl

It is present in the final runtime layer, causing vulnerability scanners to flag the image with high-severity CVEs.

While this file is not actively used by a running application, its presence on the filesystem is sufficient for security scanners to detect and report these vulnerabilities.

for other versions also, we're seeing multiple setuptools versions installed along with the latest v80.9.0

• 3.9.23: v58.1.0
• 3.10.18, 3.11.13: v65.5.0
• 3.12.11, 3.13.4: v67.6.1

We wanted to know if this multiple setuptools installation behaviour is fixed in upcoming Python version upgrades.

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Linked PRs

• [3.11] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135396
• [3.9] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135397
• [3.10] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135398
• [3.11] gh-135374: Adjust test for setuptools' replacement of distutils #138796
• [3.10] gh-135374: Adjust test for setuptools' replacement of distutils (GH-138796) #139303
• [3.9] gh-135374: Adjust test for setuptools' replacement of distutils (GH-138796) #139304

[ambv]

We're seeing multiple setuptools versions installed along with the latest v80.9.0.

On Python 3.12+ setuptools is no longer installed by default so there won't be "two versions" unless the user installs setuptools on their own. Also, importantly, the old version of setuptools is inside Lib/test/wheeldata/ and is there for internal test use, it is never installed for the user. It is safe to be removed from your runtime layer.

You're right that on older supported versions of Python (3.9, 3.10, and 3.11) setuptools is bundled as part of ensurepip. I upgraded those versions to 79.0.1.

While at it, to make it less of an issue for eager security scanners in the future, I upgraded the test/wheeldata setuptools file as well since it should be a harmless operation. There is a number of breaking changes between the previous version and v79.0.1, but they shouldn't affect our limited use case inside the tests. But since there's been a lot of reported compatibility breakage with setuptools 80.x, I opted to stay at 79.0.1.

gh-135391 upgrades test/wheeldata setuptools to 79.0.1 on 3.13.
gh-135393 upgrades test/wheeldata setuptools to 79.0.1 on 3.12.
gh-135396 upgrades ensurepip setuptools to 79.0.1 on 3.11.
gh-135398 upgrades ensurepip setuptools to 79.0.1 on 3.10.
gh-135397 upgrades ensurepip setuptools to 79.0.1 on 3.9.

Note that we don't have an immediate schedule for releasing new Python versions with the upgraded versions.