Python/setuptools/64.0.1
Easily download, build, install, upgrade, and uninstall Python packages
https://pypi.org/project/setuptools
MIT
2 Security Vulnerabilities
setuptools vulnerable to Command Injection via package URL
A vulnerability in the package_index
module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)
- https://nvd.nist.gov/vuln/detail/CVE-2022-40897
- https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200
- https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
- https://github.com/pypa/setuptools/issues/3659
- https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
- https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1
- https://pyup.io/vulnerabilities/CVE-2022-40897/52495/
- https://setuptools.pypa.io/en/latest/
- https://github.com/advisories/GHSA-r9hx-vwmv-q579
- https://security.netapp.com/advisory/ntap-20230214-0001/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H
- https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages
- https://pyup.io/vulnerabilities/CVE-2022-40897/52495
- https://security.netapp.com/advisory/ntap-20230214-0001
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://setuptools.pypa.io/en/latest
- https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2022-43012.yaml
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index
. This has been patched in version 65.5.1.
583 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
0.6b1 | PSF-2.0 OR ZPL-2.1 | 3 | 2006-05-12 - 22:42 | over 18 years |
0.6b2 | PSF-2.0 OR ZPL-2.1 | 3 | 2006-06-01 - 15:45 | over 18 years |
0.6b3 | PSF-2.0 OR ZPL-2.1 | 3 | 2006-06-09 - 18:48 | over 18 years |
0.6b4 | PSF-2.0 OR ZPL-2.1 | 3 | 2006-07-11 - 18:51 | over 18 years |
0.6c1 | PSF-2.0 OR ZPL-2.1 | 3 | 2006-07-20 - 21:03 | over 18 years |
0.6c10 | PSF-2.0 OR ZPL-2.1 | 3 | 2009-10-19 - 21:49 | about 15 years |
0.6c11 | PSF-2.0 OR ZPL-2.1 | 3 | 2009-10-20 - 16:07 | about 15 years |
0.6c2 | PSF-2.0 OR ZPL-2.1 | 3 | 2006-09-06 - 21:26 | about 18 years |
0.6c3 | PSF-2.0 OR ZPL-2.1 | 3 | 2006-09-20 - 21:30 | about 18 years |
0.6c4 | PSF-2.0 OR ZPL-2.1 | 3 | 2007-01-09 - 18:22 | almost 18 years |
0.6c5 | PSF-2.0 OR ZPL-2.1 | 3 | 2007-01-09 - 19:39 | almost 18 years |
0.6c6 | PSF-2.0 OR ZPL-2.1 | 3 | 2007-05-31 - 17:32 | over 17 years |
0.6c7 | PSF-2.0 OR ZPL-2.1 | 3 | 2007-09-04 - 16:48 | about 17 years |
0.6c8 | PSF-2.0 OR ZPL-2.1 | 3 | 2008-02-15 - 18:13 | over 16 years |
0.6c9 | PSF-2.0 OR ZPL-2.1 | 3 | 2008-09-24 - 17:23 | about 16 years |
0.7.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-06-09 - 16:10 | over 11 years |
0.7.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-06-18 - 21:08 | over 11 years |
0.7.4 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-06-19 - 13:52 | over 11 years |
0.7.5 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-06-29 - 14:55 | over 11 years |
0.7.6 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-02 - 12:35 | over 11 years |
0.7.7 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-02 - 16:17 | over 11 years |
0.7.8 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-05 - 02:10 | over 11 years |
0.8 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-05 - 18:18 | over 11 years |
0.9 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-13 - 15:53 | over 11 years |
0.9.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-14 - 02:03 | over 11 years |
0.9.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-15 - 17:13 | over 11 years |
0.9.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-15 - 17:33 | over 11 years |
0.9.4 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-15 - 18:46 | over 11 years |
0.9.5 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-15 - 21:13 | over 11 years |
0.9.6 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-18 - 01:08 | over 11 years |
0.9.7 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-07-22 - 20:56 | over 11 years |
0.9.8 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-08-05 - 05:09 | over 11 years |
1.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-08-17 - 19:28 | about 11 years |
1.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-08-27 - 01:42 | about 11 years |
1.1.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-09-04 - 02:49 | about 11 years |
1.1.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-09-06 - 13:37 | about 11 years |
1.1.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-09-06 - 13:40 | about 11 years |
1.1.4 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-09-07 - 21:18 | about 11 years |
1.1.5 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-09-12 - 13:59 | about 11 years |
1.1.6 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-10-26 - 15:12 | about 11 years |
1.1.7 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-10-28 - 01:44 | about 11 years |
1.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-11-02 - 18:31 | about 11 years |
1.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-11-03 - 16:38 | about 11 years |
1.3.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-11-07 - 06:15 | about 11 years |
1.3.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-11-09 - 18:49 | about 11 years |
1.4 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-11-17 - 15:06 | almost 11 years |
1.4.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-11-23 - 22:53 | almost 11 years |
1.4.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2013-12-01 - 11:15 | almost 11 years |
10.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2014-12-30 - 16:05 | almost 10 years |
10.0.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2014-12-30 - 17:40 | almost 10 years |
10.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2014-12-31 - 15:17 | almost 10 years |
10.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-02 - 19:29 | almost 10 years |
10.2.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-02 - 21:46 | almost 10 years |
11.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-03 - 03:28 | almost 10 years |
11.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-04 - 19:36 | almost 10 years |
11.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-05 - 18:03 | almost 10 years |
11.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-05 - 19:23 | almost 10 years |
11.3.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-06 - 15:12 | almost 10 years |
12.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-16 - 21:38 | almost 10 years |
12.0.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-16 - 22:37 | almost 10 years |
12.0.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-19 - 01:35 | almost 10 years |
12.0.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-19 - 01:48 | almost 10 years |
12.0.4 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-21 - 03:13 | almost 10 years |
12.0.5 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-01-26 - 13:35 | almost 10 years |
12.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-02-11 - 01:16 | over 9 years |
12.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-02-16 - 15:24 | over 9 years |
12.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-02-26 - 19:15 | over 9 years |
12.4 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-04 - 16:08 | over 9 years |
13.0 | PSF-2.0 OR ZPL-2.1 | 2 | ||
13.0.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-06 - 01:43 | over 9 years |
13.0.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-06 - 16:09 | over 9 years |
14.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-06 - 22:30 | over 9 years |
14.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-15 - 01:31 | over 9 years |
14.1.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-15 - 02:45 | over 9 years |
14.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-15 - 12:18 | over 9 years |
14.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-15 - 13:47 | over 9 years |
14.3.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-03-20 - 20:08 | over 9 years |
15.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-04-03 - 22:26 | over 9 years |
15.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-04-15 - 13:16 | over 9 years |
15.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-04-26 - 15:02 | over 9 years |
16.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-05-18 - 07:08 | over 9 years |
17.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-05-29 - 02:22 | over 9 years |
17.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-06-07 - 14:38 | over 9 years |
17.1.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-06-08 - 17:36 | over 9 years |
18.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-06-23 - 22:51 | over 9 years |
18.0.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-06-24 - 21:00 | over 9 years |
18.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-08-02 - 18:51 | over 9 years |
18.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-08-19 - 16:46 | about 9 years |
18.3 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-09-06 - 18:04 | about 9 years |
18.3.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-09-07 - 07:18 | about 9 years |
18.3.2 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-09-19 - 16:30 | about 9 years |
18.4 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-10-11 - 01:04 | about 9 years |
18.5 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-11-02 - 00:20 | about 9 years |
18.6 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-11-24 - 16:44 | almost 9 years |
18.6.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-11-24 - 23:53 | almost 9 years |
18.7 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-11-28 - 22:58 | almost 9 years |
18.7.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-12-01 - 19:14 | almost 9 years |
18.8 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-12-11 - 17:27 | almost 9 years |
18.8.1 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-12-13 - 16:58 | almost 9 years |
19.0 | PSF-2.0 OR ZPL-2.1 | 2 | 2015-12-16 - 00:48 | almost 9 years |