Headline
Ubuntu Security Notice USN-7002-1
Ubuntu Security Notice 7002-1 - It was discovered that setuptools was vulnerable to remote code execution. An attacker could possibly use this issue to execute arbitrary code.
==========================================================================
Ubuntu Security Notice USN-7002-1
September 12, 2024
python-setuptools, setuptools vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
setuptools could be made to crash or run programs if it received
specially crafted network traffic.
Software Description:
- setuptools: Python Distutils Enhancements
- python-setuptools: Python Distutils Enhancements
Details:
It was discovered that setuptools was vulnerable to remote code
execution. An attacker could possibly use this issue to execute arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-setuptools 68.1.2-2ubuntu1.1
Ubuntu 22.04 LTS
pypy-setuptools 44.1.1-1.2ubuntu0.22.04.1+esm1
Available with Ubuntu Pro
python-setuptools 44.1.1-1.2ubuntu0.22.04.1+esm1
Available with Ubuntu Pro
python3-setuptools 59.6.0-1.2ubuntu0.22.04.2
Ubuntu 20.04 LTS
pypy-setuptools 44.0.0-2ubuntu0.1+esm1
Available with Ubuntu Pro
python-setuptools 44.0.0-2ubuntu0.1+esm1
Available with Ubuntu Pro
python3-setuptools 45.2.0-1ubuntu0.2
Ubuntu 18.04 LTS
pypy-setuptools 39.0.1-2ubuntu0.1+esm1
Available with Ubuntu Pro
python-setuptools 39.0.1-2ubuntu0.1+esm1
Available with Ubuntu Pro
python3-setuptools 39.0.1-2ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
pypy-setuptools 20.7.0-1ubuntu0.1~esm2
Available with Ubuntu Pro
python-setuptools 20.7.0-1ubuntu0.1~esm2
Available with Ubuntu Pro
python3-setuptools 20.7.0-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
python-setuptools 3.3-1ubuntu2+esm2
Available with Ubuntu Pro
python3-setuptools 3.3-1ubuntu2+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7002-1
CVE-2024-6345
Package Information:
https://launchpad.net/ubuntu/+source/setuptools/68.1.2-2ubuntu1.1
Related news
Red Hat Security Advisory 2024-6726-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-6662-03 - An update for python-setuptools is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.
Red Hat Security Advisory 2024-6661-03 - An update for python3-setuptools is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.
Red Hat Security Advisory 2024-6612-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-6611-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-6312-03 - An update for python3.11-setuptools is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-6311-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-6309-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-5534-03 - An update for python-setuptools is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-5533-03 - An update for python3.12-setuptools is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-5279-03 - An update for python3.11-setuptools is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-5040-03 - An update for python-setuptools is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-5002-03 - An update for python3.11-setuptools is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.
A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.