CVE-2022-40897

NameCVE-2022-40897
DescriptionPython Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3876-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
setuptools (PTS)bullseye52.0.0-4vulnerable
bullseye (security)52.0.0-4+deb11u2fixed
bookworm66.1.1-1+deb12u2fixed
forky, sid, trixie78.1.1-0.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
setuptoolssourcebullseye52.0.0-4+deb11u1DLA-3876-1
setuptoolssource(unstable)65.6.3-1

Notes

https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be (v65.5.1)
Search for package or bug name: Reporting problems