Labels: 3.10 (only security fixes), 3.9 (only security fixes), dependencies (Pull requests that update a dependency file), type-bug (An unexpected behavior, bug, or error), type-security (A security issue)
Description
Bug report
Bug description:
Python 3.12 runtime includes a vulnerable version of setuptools (v67.6.1).
File location: `/lib/python3.12/test/wheeldata/setuptools-67.6.1-py3-none-any.whl`
It is present in the final runtime layer, causing vulnerability scanners to flag the image with high-severity CVEs.
While this file is not actively used by a running application, its presence on the filesystem is sufficient for security scanners to detect and report these vulnerabilities.
For other versions, too, we're seeing multiple setuptools versions installed alongside the latest v80.9.0:
- 3.9.23: v58.1.0
- 3.10.18, 3.11.13: v65.5.0
- 3.12.11, 3.13.4: v67.6.1
We wanted to know if this multiple setuptools installation behaviour is fixed in upcoming Python version upgrades.
CPython versions tested on:
3.12
Operating systems tested on:
Linux
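As an added example (not part of this issue or of CPython's own code), the following script does what the scanners mentioned in the report do: it walks an installation tree, parses each wheel filename according to the PEP 427 naming convention, and reports any bundled setuptools wheel whose version is below 79.0.1, the version the linked PRs update to. The sample paths are constructed from the versions listed above rather than taken from a real filesystem; the function names `find_outdated_wheels` and `scan_tree` and the threshold value are assumptions made for the example.

```python
import os
import re

# Wheel filename convention (PEP 427):
#   {distribution}-{version}(-{build tag})?-{python tag}-{abi tag}-{platform tag}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-\d[^-]*)?-[^-]+-[^-]+-[^-]+\.whl$"
)


def parse_wheel_filename(path):
    """Return (normalized distribution name, version) for a wheel path, or None."""
    match = WHEEL_RE.match(os.path.basename(path))
    if match is None:
        return None
    # Normalize the distribution name the way installers do: lowercase, '_' -> '-'.
    name = match.group("name").lower().replace("_", "-")
    return name, match.group("version")


def version_key(version):
    """Turn a dotted version like '67.6.1' into a comparable tuple of ints.

    Non-numeric suffixes (e.g. '1rc1') contribute only their leading digits;
    that is enough for the plain X.Y.Z versions bundled here.
    """
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def find_outdated_wheels(paths, package, minimum):
    """Return [(path, version)] for wheels of `package` older than `minimum`."""
    outdated = []
    for path in paths:
        parsed = parse_wheel_filename(path)
        if parsed is None:
            continue  # not a wheel, or a filename that does not follow PEP 427
        name, version = parsed
        if name == package and version_key(version) < version_key(minimum):
            outdated.append((path, version))
    return outdated


def scan_tree(root, package="setuptools", minimum="79.0.1"):
    """Walk `root` and report outdated wheels of `package` found anywhere below it."""
    paths = [
        os.path.join(dirpath, filename)
        for dirpath, _dirs, files in os.walk(root)
        for filename in files
        if filename.endswith(".whl")
    ]
    return find_outdated_wheels(paths, package, minimum)


# Constructed sample paths built from the versions listed in the report
# (assumed locations; not a real directory listing).
SAMPLE_PATHS = [
    "/usr/lib/python3.9/test/wheeldata/setuptools-58.1.0-py3-none-any.whl",
    "/usr/lib/python3.11/test/wheeldata/setuptools-65.5.0-py3-none-any.whl",
    "/usr/lib/python3.12/test/wheeldata/setuptools-67.6.1-py3-none-any.whl",
    "/usr/lib/python3.12/site-packages/setuptools-80.9.0-py3-none-any.whl",
    "/usr/lib/python3.12/test/wheeldata/examplepkg-1.0.0-py3-none-any.whl",
]

if __name__ == "__main__":
    for path, version in find_outdated_wheels(SAMPLE_PATHS, "setuptools", "79.0.1"):
        print(f"outdated setuptools {version}: {path}")
```

Run `scan_tree("/usr/lib/python3.12")` (or the prefix of any interpreter you ship in an image) to reproduce what a scanner flags; the check deliberately looks at filenames only, since that is all the scanners in the report need to raise a finding, which is why a wheel that is never installed still triggers it.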
Linked PRs
- [3.11] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135396
- [3.9] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135397
- [3.10] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135398
- [3.11] gh-135374: Adjust test for setuptools' replacement of distutils #138796
- [3.10] gh-135374: Adjust test for setuptools' replacement of distutils (GH-138796) #139303
- [3.9] gh-135374: Adjust test for setuptools' replacement of distutils (GH-138796) #139304