CVE-2022-40897

NameCVE-2022-40897
DescriptionPython Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
setuptools (PTS)bullseye52.0.0-4vulnerable
bookworm66.1.1-1fixed
trixie, sid68.1.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
setuptoolssource(unstable)65.6.3-1

Notes

[bullseye] - setuptools <no-dsa> (Minor issue)
https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be (v65.5.1)

Search for package or bug name: Reporting problems