Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: setupto...@packages.debian.org
Control: affects -1 + src:setuptools
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
CVE-2024-6345 has been fixed in oldstable and testing/unstable, but it has
not yet been fixed in Bookworm. This update intends to provide a fix for
users of Debian Bookworm as well. Matthias agreed that I provide the update
with my Debian LTS hat on.

[ Impact ]
If the update is not approved, users will continue to be vulnerable to
CVE-2024-6345.

[ Tests ]
The fix for the CVE also includes changes to the test cases covering the
affected code. Unfortunately, the Debian project has not implemented
running the upstream testsuite. The reason is probably that it depends on
Python modules which have not been packaged. Thus, I successfully ran the
changed test cases locally with pytest after applying a few changes. I also
successfully attempted a module installation.

[ Risks ]
There is always a risk of regression. But the changed test cases ran
successfully. Furthermore, the update has also been provided to Bullseye
via DLA-3876-1 in September. There haven't been any reports of regressions
or issues.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The usage of os.system() has been replaced by subprocess.check_call().
Furthermore, the code handling the various schemes has been modernized and
consolidated. The test cases were adjusted to the changes mentioned above.

[ Other info ]
The patch contains links to the upstream bug report and patch.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmdzPNMACgkQS80FZ8KW
0F12pRAAz2m27gJVpulh76RCvUkFs1JxGNd+ESD0u3xFOAhCSOoI2PX3HGPAlQk0
F/ERXSt4HgKt5UdJiND0f2qM9x46lzeBBF57e094t9TCy6muhqwm+2gtY4D2Qqb0
lgheSx6s2LN+RKoo6FUiCYFvnuKKcPQQb1F4tMKwJRryOcJ3Zg87gfxX8YBkMURE
H8+ehJkjYHEZ1eD28OFR90cvxyje1Hz9faZSXYQE0lfwSoOiA7pPzd55ir/ZhIc5
tPDf0PdHbRs8ysZPSmx/sAGADkfdKyKGoxcsnZqgh2zBh57PqARHYtB8m6PCviRK
1s2JxaCahE2zGTTHonMsXNsBBTeHxqwPJOEuTxS5bbNcyXbiOwZtMu0Iz2D8S4+7
FXzseVV9s5BjnRrpaJgA2dbMsZ5XGnx63W+AnhN1AEYifTEB97p2EYvpYeGEWs9w
nFNOMOl0O4im8o43s+lTrjuSDmMzzxQqHHp/SbHzaZMy10qe6S+Hgr7UcCROMdYZ
mOSQDao6yPDBzIjxeMXNt2mVmIF57E2U1j2K4TDVTJQgEBtaVWWVJAWL6cz0uuG/
cDTg+6RWCZahSonhpsVU/w7Ve1HrZysIiuqgcM3SM1VLDKq/a+U1KeJj5mqZ21eS
pTuo37jTvyHtPgarPN2U9DcMJorskah4pkg+CHPpWyVKjvv1vBA=
=e+IS
-----END PGP SIGNATURE-----
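The [ Changes ] section names the essence of the fix: a command line assembled as a single string for os.system() is parsed by a shell, so any metacharacter in an attacker-controlled URL or path becomes shell syntax, whereas an argument vector handed to subprocess.check_call() reaches the child program as literal arguments. The following is an added illustration written for this report, not setuptools' own code or the Debian patch; the VCS_COMMANDS table, the function names and the `+`-prefixed scheme handling are assumptions chosen to show the two patterns side by side and the kind of consolidated scheme dispatch the report mentions.

```python
"""Shell-string versus argv-based command construction (illustrative example).

Added example for this bug report; not setuptools' code. The dispatch table,
function names and scheme-splitting rules are assumptions for illustration.
"""
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed dispatch table: VCS name -> argv prefix (assumption, not setuptools').
VCS_COMMANDS = {
    "git": ["git", "clone", "--quiet"],
    "hg": ["hg", "clone", "--quiet"],
    "svn": ["svn", "checkout", "--quiet"],
}


def split_vcs_scheme(url):
    """Return (vcs, plain_url) for 'git+https://host/repo' style URLs.

    A bare 'git://' or 'svn://' URL is treated as that VCS with the URL left
    unchanged. Returns (None, url) when no supported VCS is recognised.
    """
    scheme = urlsplit(url).scheme.lower()
    if "+" in scheme:
        vcs, _, _rest = scheme.partition("+")
        if vcs in VCS_COMMANDS:
            return vcs, url[len(vcs) + 1:]
    if scheme in VCS_COMMANDS:
        return scheme, url
    return None, url


def shell_string_command(url, dest):
    """The risky pattern: one string destined for os.system().

    Every shell metacharacter inside url or dest is interpreted by the shell,
    so untrusted input can change which commands run.
    """
    vcs, plain = split_vcs_scheme(url)
    if vcs is None:
        raise ValueError("unsupported scheme: %r" % url)
    return " ".join(VCS_COMMANDS[vcs] + [plain, dest])


def argv_command(url, dest):
    """The hardened pattern: an argument vector for subprocess.check_call().

    No shell is involved; url and dest each stay exactly one argv element.
    """
    vcs, plain = split_vcs_scheme(url)
    if vcs is None:
        raise ValueError("unsupported scheme: %r" % url)
    return VCS_COMMANDS[vcs] + [plain, dest]


def run_argv(argv):
    """Execute an argument vector without a shell; raises on non-zero exit."""
    subprocess.check_call(argv)


def argv_roundtrip(value):
    """Show that one argv element arrives in the child intact.

    The current interpreter stands in for the VCS binary so the demo runs
    anywhere; the child simply prints its first argument back.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample URL containing shell metacharacters.
    url = "git+https://example.invalid/repo.git; echo not-a-url"
    print("shell string:", shell_string_command(url, "dest"))
    print("argv        :", argv_command(url, "dest"))
    print("child saw   :", argv_roundtrip(url))
```

Running the demo shows the difference directly: the shell string contains a `;` that a shell would treat as a command separator, while the argv form keeps the whole URL as the fourth element, and `argv_roundtrip` confirms the child receives it unchanged. Consolidating the per-scheme handling into one table also means the validation and invocation path is written once rather than repeated for each VCS.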