-
-
Notifications
You must be signed in to change notification settings - Fork 641
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability in setuptools versions up to 69.1.1 #21184
Comments
If the fix is to update that file and regenerating the lock file, I might be able to do that :) |
That is the fix, if you can that would be awesome! But note that this is not a normal lockfile in the pants repo, but a resource, that is generated by running |
I guess the other part of the fix is communication. The code change you've kindly suggested will fix for the next Pants release, but we want to blast out to people how to fix in existing Pants versions, which is basically this: https://www.pantsbuild.org/2.20/docs/python/overview/lockfiles#lockfiles-for-tools |
I.e., we should strongly recommend that folks upgrade and spell out exactly how to do so. If you're comfortable writing that up @gruzewski? |
Changing the default version of
Related issue: #21103 |
@krishnan-chandra is right. I got this error: ERROR: Ignored the following versions that require a different python version: 68.1.0 Requires-Python >=3.8; 68.1.2 Requires-Python >=3.8; 68.2.0 Requires-Python >=3.8; 68.2.1 Requires-Python >=3.8; 68.2.2 Requires-Python >=3.8; 69.0.0 Requires-Python >=3.8; 69.0.1 Requires-Python >=3.8; 69.0.2 Requires-Python >=3.8; 69.0.3 Requires-Python >=3.8; 69.1.0 Requires-Python >=3.8; 69.1.1 Requires-Python >=3.8; 69.2.0 Requires-Python >=3.8; 69.3 Requires-Python >=3.8; 69.3.0 Requires-Python >=3.8; 69.3.1 Requires-Python >=3.8; 69.4 Requires-Python >=3.8; 69.4.0 Requires-Python >=3.8; 69.4.1 Requires-Python >=3.8; 69.4.2 Requires-Python >=3.8; 69.5.0 Requires-Python >=3.8; 69.5.1 Requires-Python >=3.8; 70.0.0 Requires-Python >=3.8; 70.1.0 Requires-Python >=3.8; 70.1.1 Requires-Python >=3.8; 70.2.0 Requires-Python >=3.8; 70.3.0 Requires-Python >=3.8; 71.0.0 Requires-Python >=3.8; 71.0.1 Requires-Python >=3.8; 71.0.2 Requires-Python >=3.8; 71.0.3 Requires-Python >=3.8; 71.0.4 Requires-Python >=3.8; 71.1.0 Requires-Python >=3.8 To get it working, I had to update @benjyw I can look into dropping support for Python 3.7. WDYT? Updated typo. |
Ooooof. No good deed goes unpunished, huh... |
This would mean dropping support for 3.7 in the default settings. We would still want to support it, and must test for that support, if you're willing to downgrade to a vulnerable setuptools. That seems non-controversial given how old 3.7 is now. So this would require a new test that uses a downgraded setuptools. |
So to clarify, I would:
* For the test case, what kind of functionality I should cover? I am thinking of covering similar functionality as in test_plugin_resolver.py, so create a Pex and run a setup.py. Alternatively, checking DistBuildRequest. |
Well, you can override |
Providing the path forward for: pantsbuild/pants#21184 pantsbuild/pants#21103
Providing the path forward for: pantsbuild/pants#21184 pantsbuild/pants#21103
As a consequence, most tests no longer work with 3.7 since -- for example -- the lockfile with pytest does not support 3.7. This downgrades 3.7 to "probably works but not well tested", which is the same state as 3.6. Since 3.7 has been EoL for over a year I think this is reasonable. This opens up the way for Python 3.13 support in lockfiles among other benefits. As another consequence, lockfiles are regenerated which means we have some new versions coming along for the ride. The pretty lockfile diff does not seem to work with the generation script though --> pantsbuild#21388 Uses of Pants can still use 3.7 by generating their own lockfiles. Deprecation plan annouced at https://www.pantsbuild.org/blog/2024/08/24/venerable-pythons Based off work started in pantsbuild#21314 ref pantsbuild#21184, pantsbuild#21103, pantsbuild#20852
As a consequence, most tests no longer work with 3.7 since -- for example -- the lockfile with pytest does not support 3.7. This downgrades 3.7 to "probably works but not well tested", which is the same state as 3.6. Since 3.7 has been EoL for over a year I think this is reasonable. This opens up the way for Python 3.13 support in lockfiles among other benefits. As another consequence, lockfiles are regenerated which means we have some new versions coming along for the ride. The pretty lockfile diff does not seem to work with the generation script though --> #21388 Uses of Pants can still use 3.7 by generating their own lockfiles. Deprecation plan announced at https://www.pantsbuild.org/blog/2024/08/24/venerable-pythons Based off work started in #21314 ref #21184, #21103, #20852
Describe the bug
Recently, there was a new vulnerability reported against
setuptools
that could allow RCE, see reports below:The fix was deployed in version
70.0.0
.Pants version
2.21
OS
Linux
Additional info
From browsing the code, looks Pants is using
63.x
.The text was updated successfully, but these errors were encountered: