CVE-2022-40897

Published: 23 December 2022

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Notes

Author: mdeslaur
Note: The python-pip package bundles python-setuptools binaries when built. After updating python-setuptools, a no-change rebuild of python-pip is required.
Priority

Medium

CVSS 3 base score: 5.9

Status

Package: python-pip (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Released (9.0.1-2.3~ubuntu1.18.04.6)
  focal     Released (20.0.2-5ubuntu1.7)
  jammy     Released (22.0.2+dfsg-1ubuntu0.1)
  kinetic   Released (22.2+dfsg-1ubuntu0.1)
  trusty    Released (1.5.4-1ubuntu4+esm2)
  upstream  Needed
  xenial    Released (8.1.1-2ubuntu0.6+esm3)

Package: python-setuptools (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Released (39.0.1-2ubuntu0.1)
  focal     Released (44.0.0-2ubuntu0.1)
  jammy     Released (44.1.1-1.2ubuntu0.22.04.1)
  kinetic   Released (44.1.1-1.2ubuntu0.22.10.1)
  trusty    Released (3.3-1ubuntu2+esm1)
  upstream  Released (65.5.1)
  xenial    Released (20.7.0-1ubuntu0.1~esm1)

Package: setuptools (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Does not exist
  focal     Released (45.2.0-1ubuntu0.1)
  jammy     Released (59.6.0-1.2ubuntu0.22.04.1)
  kinetic   Released (59.6.0-1.2ubuntu0.22.10.1)
  trusty    Does not exist
  upstream  Released (65.5.1)
  xenial    Does not exist