Setuptools CVE-2022-40897

[matthawley]

Prerequisites

• I am using the latest version of Locust
• I am reporting a bug, not asking a question

Description

Version 2.32.2 of locust via the usage of the python 3.11.0-slim base image reports the usage of [email protected] which contains the vulnerability GHSA-r9hx-vwmv-q579

We are requesting locust to upgrade to a newer version of the python base image to a newer one (3.12.0-slim or 3.13.0-slim) to resolve this issue. Referencing #2761

Command line

n/a

Locustfile contents

n/a

Python version

3.11

Locust version

2.32.2

Operating system

Linux

[cyberw]

IIRC there was some reason we didnt already update to 3.12, but I've added a specific dependency on setuptools.

Will make a release some time next week. Thanks for reminding me!

[matthawley]

@cyberw Unfortunately, it doesn't seem as if this works - docker scout still detects v65.5.1 as it's directly referenced/installed in the Python 3.11 docker container.

docker pull locustio/locust:master
docker scout cves locustio/locust:master

pkg:pypi/[email protected]

    x HIGH CVE-2024-6345 [Improper Control of Generation of Code ('Code Injection')]
      https://scout.docker.com/v/CVE-2024-6345
      Affected range : <70.0.0
      Fixed version  : 70.0.0
      CVSS Score     : 8.8
      CVSS Vector    : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N