Patch | Description | Author | Forwarded | Bugs | Origin | Last update
---|---|---|---|---|---|---
install-layout.diff | | | no | | |
multiarch-extname.diff | | | no | | |
no-sphinx-rst.linker.diff | | | no | | |
fix-changes-link.diff | | | no | | |
no-SOURCES.txt-in-egg-ingo.diff | | | no | | |
reproducible.diff | | | no | | |
sorted-requires.diff | | | no | | |
PKG-INFO-output-reproducible.diff | | | no | | |
no-sidebar.diff | | | no | | |
get_platform.diff | | | no | | |
CVE-2022-40897.patch | [PATCH] Limit the amount of whitespace to search/backtrack. Fixes #3659. Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. | "Jason R. Coombs" <jaraco@jaraco.com> | not-needed | | upstream, https://github.com/pypa/setuptools/commit/579134321d4d9397c886a5cb50cc26d0e3fa4279 | 2022-11-04
CVE-2024-6345.patch | [PATCH 01/10] .. [PATCH 10/10] Modernize package_index VCS handling. The issue is a possible remote code execution by supplying malicious URLs in a package index or via the command line. The issue boils down to unsafe use of os.system. Because easy_install and package_index are deprecated, the attack surface is smaller, but it's conceivable through social engineering or minor compromise to a package index could grant remote access. The fix was released in v70.0.0. | "Jason R. Coombs" <jaraco@jaraco.com> | yes | | upstream, https://github.com/pypa/setuptools/pull/4332 | 2024-04-29