exploitDog

GHSA-94v7-wxj6-r2q5

Published: May 28, 2025
Source: github
GitHub: reviewed
CVSS4: 5.9

Description

multicast in source builds from vulnerable setuptools dependency

Impact

  • Some source builds may be affected by CWE-1395 (dependency on a vulnerable third-party component), here a vulnerable setuptools dependency.
    • Multicast prior to v2.0.9a3, built from source on systems with only minimal dependencies installed, may use setuptools <78.1.1 and thus rely on a vulnerable build dependency. In some cases source builds could fail, or be arbitrarily modified, through an exploit of the closely related setuptools issue CVE-2025-47273.

Patches

  • Pre-release version v2.0.9a0 and later resolve the issue by bumping requirements to setuptools>=80.4
    • Pre-release version v2.0.9a3 and later are recommended for improved stability over v2.0.9a0

Workarounds

  • Starting with v2.0.9a4, the CI build process is further hardened so that source builds can be verified via GitHub artifact attestations.
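The checks a packager would want before trusting a source build of this kind, as an added example (not code from the multicast project or the advisory): a small version comparator that handles the pre-release tags the advisory uses (2.0.9a0, 2.0.9a3), a check of whether a given setuptools version is below the 78.1.1 fix line for CVE-2025-47273, and an audit of a pyproject `[build-system] requires` list against the `setuptools>=80.4` floor the patched releases pin. The version grammar is a deliberate subset of PEP 440 (release segments plus a/b/rc tags); the sample requirement lists are constructed for illustration, not copied from the project.

```python
"""Audit a pip package's setuptools build dependency against GHSA-94v7-wxj6-r2q5.

Added example, not code from the multicast project. The version parser covers
only release segments plus a/b/rc pre-release tags; use the `packaging`
library for full PEP 440 handling.
"""
import re
from typing import Optional

# Thresholds taken from the advisory text.
SETUPTOOLS_VULNERABLE_BELOW = "78.1.1"  # CVE-2025-47273 is fixed in setuptools 78.1.1
SETUPTOOLS_REQUIRED_MIN = "80.4"        # floor pinned by multicast >= 2.0.9a0
MULTICAST_FIXED = "2.0.9a0"             # first multicast version with the bump

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
# Optional extras ("setuptools[core]") and environment markers (";...") are skipped.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*?)\s*(?:;.*)?$")
_CLAUSE_RE = re.compile(r"^(>=|==|~=|>)\s*(\S+)$")


def parse_version(text: str) -> tuple:
    """Sortable key for versions like '80.4', '78.1.1', '2.0.9a3'.

    Trailing zero segments are dropped so 80.4 == 80.4.0, and a final release
    ranks above every pre-release of the same segment: 2.0.9a0 < 2.0.9a3 < 2.0.9.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = (3, 0) if m.group(2) is None else (_PRE_RANK[m.group(2)], int(m.group(3)))
    return (tuple(release), pre)


def version_lt(a: str, b: str) -> bool:
    return parse_version(a) < parse_version(b)


def is_vulnerable_setuptools(version: str) -> bool:
    """setuptools below 78.1.1 still carries the CVE-2025-47273 code path."""
    return version_lt(version, SETUPTOOLS_VULNERABLE_BELOW)


def is_affected_multicast(version: str) -> bool:
    """Affected range from the advisory table: < 2.0.9a0."""
    return version_lt(version, MULTICAST_FIXED)


def setuptools_lower_bound(requires: list[str]) -> Optional[str]:
    """Highest lower bound placed on setuptools by a build-system.requires list.

    Returns None when setuptools is absent or unpinned. A strict '>' clause is
    treated as an inclusive bound, which is conservative for this check.
    """
    best = None
    for req in requires:
        m = _REQ_RE.match(req)
        if not m or m.group(1).lower() != "setuptools":
            continue
        for clause in filter(None, (c.strip() for c in m.group(2).split(","))):
            op = _CLAUSE_RE.match(clause)
            if op and (best is None or version_lt(best, op.group(2))):
                best = op.group(2)
    return best


def audit_build_requires(requires: list[str]) -> dict:
    """Classify a requires list: unpinned, vulnerable, below-advisory-floor, or ok."""
    bound = setuptools_lower_bound(requires)
    if bound is None:
        status = "unpinned"                 # build host's setuptools is used as-is
    elif is_vulnerable_setuptools(bound):
        status = "vulnerable"               # floor still admits setuptools < 78.1.1
    elif version_lt(bound, SETUPTOOLS_REQUIRED_MIN):
        status = "below-advisory-floor"     # patched, but below the 80.4 the fix pins
    else:
        status = "ok"
    return {"setuptools_lower_bound": bound, "status": status}


# Constructed sample requires lists (not the project's actual pyproject contents).
BEFORE = ["setuptools", "wheel"]          # no floor: whatever the host has gets used
AFTER = ["setuptools>=80.4", "wheel"]     # floor from the advisory's patch note


def main() -> None:
    for label, reqs in (("unpinned", BEFORE), ("pinned", AFTER)):
        print(label, audit_build_requires(reqs))
    for v in ("2.0.8", "2.0.9a0", "2.0.9a3", "2.0.9"):
        print(v, "affected" if is_affected_multicast(v) else "fixed")


if __name__ == "__main__":
    main()
```

On a real checkout, feed `audit_build_requires` the `requires` list from the `[build-system]` table of pyproject.toml (tomllib on Python 3.11+). For the attestation workaround, the equivalent manual step is `gh attestation verify <sdist-or-wheel> --repo <owner>/multicast` against the release artifact; the repository owner is not stated on this page and must be taken from the project itself.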

Packages

Name: multicast (pip)
Affected versions: < 2.0.9a0
Fixed version: 2.0.9a0

CVSS4: 5.9 Medium

Weaknesses: CWE-1395
