CVE-2022-40898

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

- Dropped support for Python < 3.7
- Updated vendored ``packaging`` to 21.3
- Replaced all uses of ``distutils`` with ``setuptools``
- The handling of ``license_files`` (including glob patterns and default
values) is now delegated to ``setuptools>=57.0.0`` (466).
The package dependencies were updated to reflect this change.
- Fixed potential DoS attack via the ``WHEEL_INFO_RE`` regular expression
- Fixed ``ValueError: ZIP does not support timestamps before 1980`` when using
``SOURCE_DATE_EPOCH=0`` or when on-disk timestamps are earlier than 1980-01-01. Such
timestamps are now changed to the minimum value before packaging.

Resources

• https://pypi.org/project/wheel
• https://pyup.io/changelogs/wheel/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40898
• https://pypi.org/project/wheel/
• https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18
• https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/