git: 11842bbbd942 - main - security/vuxml: another correction for devel/py-setuptools*
Date: Fri, 23 Jun 2023 09:29:15 UTC
The branch main has been updated by eugen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=11842bbbd9424891c951239431ef1e4bd5e9b789

commit 11842bbbd9424891c951239431ef1e4bd5e9b789
Author: Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-06-23 09:27:00 +0000
Commit: Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-06-23 09:29:09 +0000

    security/vuxml: another correction for devel/py-setuptools*

    This time it covers two other records additionally.

    Reported-by: leres
---
 security/vuxml/vuln/2023.xml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index cd13f7023658..30e22f2f78f0 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -2833,7 +2833,7 @@ <affects> <package> <name>py39-setuptools</name> - <range><lt>44.1.1</lt></range> + <range><lt>44.1.1_1</lt></range> <range><ge>57.0.0</ge><lt>58.5.3_3</lt></range> <range><ge>62.1.0</ge><lt>63.1.0_1</lt></range> </package> @@ -2863,7 +2863,9 @@ <affects> <package> <name>py27-setuptools44</name> - <range><lt>65.5.1</lt></range> + <range><lt>44.1.1_1</lt></range> + <range><ge>57.0.0</ge><lt>58.5.3_3</lt></range> + <range><ge>62.1.0</ge><lt>63.1.0_1</lt></range> </package> </affects> <description> @@ -2872,7 +2874,7 @@ <blockquote cite="https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579"> <p>Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.</p> <p>Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.</p> - <p>This has been patched in version 65.5.1.</p> + <p>This has been patched in version 65.5.1. The patch backported to the revision 44.1.1_1.</p> </blockquote> </body> </description> 
@@ -2891,7 +2893,9 @@ <affects> <package> <name>py39-setuptools58</name> - <range><lt>65.5.1</lt></range> + <range><lt>44.1.1_1</lt></range> + <range><ge>57.0.0</ge><lt>58.5.3_3</lt></range> + <range><ge>62.1.0</ge><lt>63.1.0_1</lt></range> </package> </affects> <description> @@ -2900,7 +2904,7 @@ <blockquote cite="https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579"> <p>Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.</p> <p>Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.</p> - <p>This has been patched in version 65.5.1.</p> + <p>This has been patched in version 65.5.1. The patch backported to the revision 58.5.3_3.</p> </blockquote> </body> </description>
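Review bot: the hunk at @@ -2833 changes the affected range for py39-setuptools (<lt>44.1.1</lt> becomes <lt>44.1.1_1</lt>) without a matching change to that entry's <dates> block. The diffstat's 9 insertions and 5 deletions are all <range> and <p> lines, so no <modified> date is added or bumped for any of the three edited records. Suggest updating <modified> in each entry so that anyone tracking entry changes sees the correction.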
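Review bot: the three ranges added at @@ -2863 for py27-setuptools44 no longer cover every version the quoted advisory calls vulnerable. The removed line <range><lt>65.5.1</lt></range> matched everything up to 65.5.0, while the new ranges leave 44.1.1_1 up to 57.0.0, 58.5.3_3 up to 62.1.0, and 63.1.0_1 up to 65.5.1 unflagged, even though the description in the same record still says "version 65.5.0 and earlier". Please confirm that this port never shipped a version inside those gaps, or say in the commit message why the gaps are safe.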
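Review bot: the sentence added at @@ -2872, "The patch backported to the revision 44.1.1_1.", sits inside <blockquote cite="https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579">, so it reads as part of the upstream advisory although it describes a ports revision. Suggest moving it to its own <p> after </blockquote>, and adding the missing verb ("The patch was backported to revision 44.1.1_1.").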
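Review bot: the three <range> lines added at @@ -2891 for py39-setuptools58 are a third copy of the same block, identical to the one added at @@ -2863 for py27-setuptools44 and to the one listed for py39-setuptools at @@ -2833. Both edited records cite the same GHSA-r9hx-vwmv-q579, and this is already "another correction" to keep them aligned. Consider a single entry whose <package> carries several <name> elements, so the ranges are maintained in one place.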
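Review bot: the sentence added at @@ -2904 names only 58.5.3_3 as the backported revision, while the ranges added to the same record at @@ -2891 treat 44.1.1_1 and 63.1.0_1 as fixed revisions too. Either list all three revisions in the text or restrict the ranges to the branch that py39-setuptools58 actually ships, so the description and <affects> agree. The blockquote placement and missing "was" noted for the hunk at @@ -2872 apply here as well.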