From fe049947a7c5ad6d765273ee4dbcaf65db7140ca Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 10:15:25 +0200 Subject: [PATCH 01/11] overlay profiles: Update accept keywords for a never-stabilized package --- .../profiles/coreos/base/package.accept_keywords | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index ee268a45d4..182d6dee25 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -80,8 +80,10 @@ # Needed to address CVE-2024-54661 =net-misc/socat-1.8.0.3 ~amd64 ~arm64 -# Package has not been stabilised yet. -=sys-apps/azure-vm-utils-0.4.0 ~amd64 ~arm64 +# Package has not been stabilised yet. Nothing is using it in Gentoo, +# so it will never be stabilized. Thus an unusual form is used to pick +# up the latest version of the package with the unstable keywords. +sys-apps/azure-vm-utils # Keep versions on both arches in sync. =sys-apps/policycoreutils-3.7 ~arm64 From 4607864e227b2c9901d5dfae54847a962c7d81ff Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 10:34:59 +0200 Subject: [PATCH 02/11] overlay profiles: Add some accept keywords --- .../profiles/coreos/base/package.accept_keywords | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 182d6dee25..43c14ced69 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
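Review bot: The bare `sys-apps/azure-vm-utils` entry in the first hunk accepts every future ~arch version of the package, unlike the `=`-pinned atoms around it. A new release therefore enters the build through a tree update rather than through a reviewed edit of this file. PATCH 08/11 later makes the package's dracut module a dependency of coreos-kernel, so the floating version also reaches the initrd. If the effective version is fixed elsewhere (presumably by the ebuild tree snapshot the SDK builds from), the comment should say so, e.g. `# The version actually built is whatever the ebuild tree snapshot ships; review bumps there.`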
@@ -28,6 +28,9 @@ # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet. =app-crypt/clevis-19-r1 ** +# Keep versions on both arches in sync. +=app-crypt/tpm2-tss-4.1.3-r2 ~amd64 + # Needed by arm64-native SDK. =app-emulation/open-vmdk-1.0 * @@ -62,6 +65,7 @@ =dev-util/catalyst-4.0.0 ~amd64 ~arm64 # Keep versions on both arches in sync. +=net-dns/bind-9.18.31-r1 ~arm64 =net-firewall/conntrack-tools-1.4.8-r1 ~arm64 # Needed to address CVE-2025-2312. @@ -92,7 +96,7 @@ sys-apps/azure-vm-utils =sys-apps/zram-generator-1.2.1 ~arm64 # Needed to avoid pulling python into production images. -=sys-auth/sssd-2.9.6-r1 ~arm64 +=sys-auth/sssd-2.9.6-r3 ~arm64 # Keep versions on both arches in sync. =sys-boot/mokutil-0.7.2 ** @@ -101,5 +105,6 @@ sys-apps/azure-vm-utils =sys-cluster/ipvsadm-1.31-r1 ~arm64 # Keep versions on both arches in sync. +=sys-fs/fuse-3.17.2 ~arm64 =sys-libs/libsemanage-3.7 ~arm64 =sys-process/audit-4.0.2-r1 ~arm64 From 08909d1daacca18a9edcc9b4d7bc1ec3c8072528 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 11:29:23 +0200 Subject: [PATCH 03/11] overlay profiles: Drop accept keywords for dev-lang/perl --- .../profiles/coreos/base/package.accept_keywords | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 43c14ced69..a0108b5856 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -41,9 +41,6 @@ # arm64, and fix a segfault concerning vgetrandom. =dev-lang/go-1.24.2-r2 ~amd64 ~arm64 -# Needed to address CVE-2024-56406. -=dev-lang/perl-5.40.2 ~amd64 ~arm64 - # Keep versions on both arches in sync. =dev-lang/python-3.11.12 ~amd64 =dev-lang/yasm-1.3.0-r1 ~arm64 
From 4c279cc87e42c7068fa728e898904323d29b5ecf Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 11:30:35 +0200 Subject: [PATCH 04/11] overlay profiles: Drop accept keywords for dev-lang/python --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index a0108b5856..eb19ed0c64 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -42,7 +42,6 @@ =dev-lang/go-1.24.2-r2 ~amd64 ~arm64 # Keep versions on both arches in sync. -=dev-lang/python-3.11.12 ~amd64 =dev-lang/yasm-1.3.0-r1 ~arm64 =dev-libs/ding-libs-0.6.2-r1 ~arm64 From 2afbfd4646776752e006f92119993789f179fed0 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 13:05:28 +0200 Subject: [PATCH 05/11] overlay coreos/config: Update handling of rndc.key for net-dns/bind --- .../coreos/config/env/net-dns/bind | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind index 1affd99df9..b7c8dd0b88 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/net-dns/bind 
@@ -39,26 +39,13 @@ fowners() { # of the script. Thus we fool the phase function by putting an empty # key file there, so the function won't trigger the generation. We # drop the key file later too. -# -# TODO: The paths ought to be prefixed with ${EROOT}, but the -# 9.18.29-r2 ebuild is botched in this regard. This was fixed in -# 9.18.31-r1, so when we update to that version, the ${EROOT} prefix -# will need to be added. cros_pre_pkg_postinst_add_fake_rndc_key() { - local dir='/etc/bind' + local dir="${EROOT}/etc/bind" if [[ ! -d "${dir}" ]]; then mkdir "${dir}" || die fi touch "${dir}/rndc.key" || die } -# TODO: This function should just do: -# -# rm -rf "${EROOT}/etc/bind" || die cros_post_pkg_postinst_drop_fake_rndc_key() { - # Remove the file only if it exists and is empty. - local dir='/etc/bind' file="${dir}/rndc.key" - if [[ -f "${file}" && ! -s "${file}" ]]; then - rm -f "${file}" || die - fi - rmdir "${dir}" # it's fine if it fails + rm -rf "${EROOT}/etc/bind" || die } From 7e8c58c2c2c157aade5a85b9026e7f3722d502d5 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 13:15:12 +0200 Subject: [PATCH 06/11] overlay profiles: Drop accept keywords for net-misc/socat --- .../profiles/coreos/base/package.accept_keywords | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index eb19ed0c64..18d8dc5c61 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
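Review bot: `cros_post_pkg_postinst_drop_fake_rndc_key` now removes `${EROOT}/etc/bind` recursively and unconditionally, while `cros_pre_pkg_postinst_add_fake_rndc_key` still tolerates a directory that already exists. If that directory held a real `rndc.key` or other configuration before the install, the pre hook leaves it in place and the post hook then deletes it. The removed code kept a non-empty key and only `rmdir`-ed an empty directory. When `EROOT` is empty (installing into `/`), the path is the build host's own `/etc/bind`. Unless the directory is never meant to survive in any root these hooks run against (not visible from the hunk), keep the emptiness guard with the new prefix as sketched below. The comment above the hooks starts outside the hunk and still says only the key file is dropped.

```shell
cros_post_pkg_postinst_drop_fake_rndc_key() {
    # Drop only the placeholder: an empty rndc.key, then the directory
    # if nothing else is left in it.
    local dir="${EROOT}/etc/bind"
    local file="${dir}/rndc.key"
    if [[ -f "${file}" && ! -s "${file}" ]]; then
        rm -f "${file}" || die
    fi
    rmdir "${dir}" 2>/dev/null || : # a non-empty directory is kept on purpose
}
```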
@@ -77,9 +77,6 @@ # Needed to address CVE-2024-53580. =net-misc/iperf-3.18 ~amd64 ~arm64 -# Needed to address CVE-2024-54661 -=net-misc/socat-1.8.0.3 ~amd64 ~arm64 - # Package has not been stabilised yet. Nothing is using it in Gentoo, # so it will never be stabilized. Thus an unusual form is used to pick # up the latest version of the package with the unstable keywords. From 8af0639ae27d1e720720ad2ef6a32898d4cb0e26 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 13:24:39 +0200 Subject: [PATCH 07/11] overlay profiles: Mask USE=X for app-emulation/qemu --- .../coreos-overlay/profiles/coreos/base/package.use.mask | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask index 0e3644833e..96f8b16618 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask @@ -25,3 +25,9 @@ sys-fs/btrfs-progs man # put anywhere. Thus avoid pulling more dependencies than necessary # for throw-away things. dev-python/pillow jpeg + +# Gentoo force-enables X for app-emulation/qemu, because qemu is doing +# some automagic detection of gtk ignoring whether we want to use gtk +# or not. We don't have gtk on Flatcar, so it is not an issue here, +# but we need to mask X, so we won't try pulling gtk package. +app-emulation/qemu X From b509b63e1dc54d07903e5f2f4aeeafd5510dfad0 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Mon, 28 Apr 2025 14:55:25 +0200 Subject: [PATCH 08/11] sys-kernel/coreos-{kernel,modules}: Add sys-apps/azure-vm-utils to deps The package has a dracut module we want to make available at the time we build initrd. --- ...oreos-kernel-6.6.88.ebuild => coreos-kernel-6.6.88-r1.ebuild} | 1 + ...eos-modules-6.6.88.ebuild => coreos-modules-6.6.88-r1.ebuild} | 0 2 files changed, 1 insertion(+) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-6.6.88.ebuild => coreos-kernel-6.6.88-r1.ebuild} (99%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-6.6.88.ebuild => coreos-modules-6.6.88-r1.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.88.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.88-r1.ebuild similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.88.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.88-r1.ebuild index 43910e4500..7037847738 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.88.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.88-r1.ebuild @@ -24,6 +24,7 @@ DEPEND=" app-shells/bash coreos-base/afterburn coreos-base/coreos-init:= + sys-apps/azure-vm-utils[dracut] sys-apps/baselayout sys-apps/coreutils sys-apps/findutils 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.88.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.88-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.88.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.88-r1.ebuild From bb8e9af8a656d7cc57eeb0197e8f7a3ece9aafc4 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 14:57:14 +0200 Subject: [PATCH 09/11] overlay profiles: Enable dracut in sys-apps/azure-vm-utils --- .../coreos-overlay/profiles/coreos/base/package.use | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 94311fbd4c..37925ec487 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -173,3 +173,6 @@ sys-kernel/dracut -dracut-cpio # Avoid initrd bloat by using OpenSSL instead of gcrypt in systemd. # systemd-journal's FSS feature requires gcrypt, but Flatcar doesn't need it. sys-apps/systemd -gcrypt + +# Make dracut module available for initrd build. +sys-apps/azure-vm-utils dracut From 769518f90fe20df4fe80c37a1e718bbe37f68d61 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 16:10:56 +0200 Subject: [PATCH 10/11] overlay profiles: Add some security-related accept keywords --- .../profiles/coreos/base/package.accept_keywords | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 18d8dc5c61..ae9366ceda 100644 
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -7,6 +7,9 @@ # Gentoo upstream package stabilisation # (the following packages are "unstable" upstream; we're stabilising these) +# Needed to address CVE-2024-40635. +=app-containers/containerd-2.0.4 ~amd64 ~arm64 + # Keep versions on both arches in sync. =app-containers/cri-tools-1.32.0 ~arm64 @@ -62,6 +65,11 @@ # Keep versions on both arches in sync. =net-dns/bind-9.18.31-r1 ~arm64 + +# Needed to address CVE-2025-31498. +=net-dns/c-ares-1.34.5 ~amd64 ~arm64 + +# Keep versions on both arches in sync. =net-firewall/conntrack-tools-1.4.8-r1 ~arm64 # Needed to address CVE-2025-2312. From c6321c91dc18136e155a7921541d0c478977ff7e Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 28 Apr 2025 16:46:00 +0200 Subject: [PATCH 11/11] changelog: Add entries --- .../security/2025-04-38-weekly-updates.md | 2 ++ .../updates/2025-04-28-weekly-updates.md | 33 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 changelog/security/2025-04-38-weekly-updates.md create mode 100644 changelog/updates/2025-04-28-weekly-updates.md diff --git a/changelog/security/2025-04-38-weekly-updates.md b/changelog/security/2025-04-38-weekly-updates.md new file mode 100644 index 0000000000..5c36d5e0f1 --- /dev/null +++ b/changelog/security/2025-04-38-weekly-updates.md @@ -0,0 +1,2 @@ +- c-ares ([CVE-2025-31498](https://www.cve.org/CVERecord?id=CVE-2025-31498)) +- containerd ([CVE-2024-40635](https://www.cve.org/CVERecord?id=CVE-2024-40635)) diff --git a/changelog/updates/2025-04-28-weekly-updates.md b/changelog/updates/2025-04-28-weekly-updates.md new file mode 100644 index 0000000000..ce3a468e2e --- /dev/null +++ b/changelog/updates/2025-04-28-weekly-updates.md 
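Review bot: The two new pins for containerd and c-ares record which CVE they address but not when they can be removed. This series itself drops the perl (CVE-2024-56406) and socat (CVE-2024-54661) pins in PATCH 03/11 and 06/11 without stating that the stable versions now carry those fixes. Extending the comment, e.g. `# Needed to address CVE-2025-31498. Drop once >=1.34.5 is stable upstream.`, would let a reviewer check a later removal against the tree instead of trusting it. Separately, the security changelog for these two CVEs is created as `changelog/security/2025-04-38-weekly-updates.md` while the updates file is `2025-04-28-weekly-updates.md`; the `38` looks like a typo for `28`.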
@@ -0,0 +1,33 @@ +- SDK: rust ([1.85.1](https://github.com/rust-lang/rust/releases/tag/1.85.1) (includes [1.85.0](https://github.com/rust-lang/rust/releases/tag/1.85.0))) +- azure, dev, gce, sysext-python: gdbm ([1.25](https://lists.gnu.org/archive/html/info-gnu/2025-03/msg00010.html)) +- base, dev: azure-vm-utils ([0.6.0](https://github.com/Azure/azure-vm-utils/releases/tag/v0.6.0) (includes [0.5.2](https://github.com/Azure/azure-vm-utils/releases/tag/v0.5.2), [0.5.1](https://github.com/Azure/azure-vm-utils/releases/tag/v0.5.1), [0.5.0](https://github.com/Azure/azure-vm-utils/releases/tag/v0.5.0))) +- base, dev: bind ([9.18.31](https://bind9.readthedocs.io/en/v9.18.31/notes.html#notes-for-bind-9-18-31) (includes [9.18.30](https://bind9.readthedocs.io/en/v9.18.30/notes.html#notes-for-bind-9-18-30))) +- base, dev: elfutils ([0.192](https://inbox.sourceware.org/elfutils-devel/CAJDtP-T3+gXqHWp3T0mejWWbPr0_1tHetEXwfB67-o+zz7ShiA@mail.gmail.com/T/)) +- base, dev: ethtool ([6.11](https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/tree/NEWS?h=v6.11)) +- base, dev: iproute2 ([6.14.0](https://lore.kernel.org/all/20250324092319.28d39f2f@hermes.local/)) +- base, dev: libnvme ([1.12](https://github.com/linux-nvme/libnvme/releases/tag/v1.12)) +- base, dev: libxcrypt ([4.4.38](https://github.com/besser82/libxcrypt/releases/tag/v4.4.38) (includes [4.4.37](https://github.com/besser82/libxcrypt/releases/tag/v4.4.37))) +- base, dev: nvme-cli ([2.12](https://github.com/linux-nvme/nvme-cli/releases/tag/v2.12)) +- base, dev: open-iscsi ([2.1.11](https://github.com/open-iscsi/open-iscsi/blob/2.1.11/Changelog)) +- base, dev: open-isns ([0.103](https://github.com/open-iscsi/open-isns/releases/tag/v0.103)) +- base, dev: pkgconf ([2.4.3](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.3/NEWS) (includes [2.4.2](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.2/NEWS), [2.4.1](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.1/NEWS), 
[2.4.0](https://github.com/pkgconf/pkgconf/blob/pkgconf-2.4.0/NEWS))) +- base, dev: rpcbind ([1.2.7](http://git.linux-nfs.org/?p=steved/rpcbind.git;a=shortlog;h=refs/tags/rpcbind-1_2_7)) +- base, dev: timezone-data ([2025b](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/6JVHNHLB6I2WAYTQ75L6KEPEQHFXAJK3/)) +- base, dev: xfsprogs ([6.13.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.13.0)) +- dev: eselect ([1.4.30](https://gitweb.gentoo.org/proj/eselect.git/tree/NEWS?h=eselect-1.4.30)) +- dev: mpfr ([4.2.2](https://www.mpfr.org/mpfr-4.2.2/)) +- sysext-docker: docker-buildx ([0.21.2](https://github.com/docker/buildx/releases/tag/v0.21.2) (includes [0.21.1](https://github.com/docker/buildx/releases/tag/v0.21.1), [0.21.0](https://github.com/docker/buildx/releases/tag/v0.21.0))) +- sysext-podman, vmware: fuse ([3.17.2](https://github.com/libfuse/libfuse/releases/tag/fuse-3.17.2) (includes [3.17.1](https://github.com/libfuse/libfuse/releases/tag/fuse-3.17.1))) +- sysext-podman: aardvark-dns ([1.14.0](https://github.com/containers/aardvark-dns/releases/tag/v1.14.0) (includes [1.13.1](https://github.com/containers/aardvark-dns/releases/tag/v1.13.1), [1.13.0](https://github.com/containers/aardvark-dns/releases/tag/v1.13.0))) +- sysext-podman: conmon ([2.1.13](https://github.com/containers/conmon/releases/tag/v2.1.13) (includes [2.1.12](https://github.com/containers/conmon/releases/tag/v2.1.12))) +- sysext-podman: containers-common ([0.62.2](https://github.com/containers/common/releases/tag/v0.62.2) (includes [0.62.1](https://github.com/containers/common/releases/tag/v0.62.1), [0.62.0](https://github.com/containers/common/releases/tag/v0.62.0), [0.61.0](https://github.com/containers/common/releases/tag/v0.61.0))) +- sysext-podman: containers-image ([5.34.2](https://github.com/containers/image/releases/tag/v5.34.2) (includes [5.34.1](https://github.com/containers/image/releases/tag/v5.34.1), 
[5.34.0](https://github.com/containers/image/releases/tag/v5.34.0), [5.33.0](https://github.com/containers/image/releases/tag/v5.33.0))) +- sysext-podman: containers-shortnames ([2025.03.19](https://github.com/containers/shortnames/releases/tag/v2025.03.19)) +- sysext-podman: containers-storage ([1.57.2](https://github.com/containers/storage/releases/tag/v1.57.2) (includes [1.57.1](https://github.com/containers/storage/releases/tag/v1.57.1), [1.57.0](https://github.com/containers/storage/releases/tag/v1.57.0), [1.56.0](https://github.com/containers/storage/releases/tag/v1.56.0))) +- sysext-podman: netavark ([1.14.1](https://github.com/containers/netavark/releases/tag/v1.14.1) (includes [1.14.0](https://github.com/containers/netavark/releases/tag/v1.14.0), [1.13.1](https://github.com/containers/netavark/releases/tag/v1.13.1), [1.13.0](https://github.com/containers/netavark/releases/tag/v1.13.0))) +- sysext-podman: passt ([2025.02.17](https://archives.passt.top/passt-user/20250217101614.561b23bc@elisabeth/T/#u)) +- sysext-python: rich ([14.0.0](https://github.com/Textualize/rich/releases/tag/v14.0.0)) +- sysext-python: trove-classifiers ([2025.4.11.15](https://github.com/pypa/trove-classifiers/releases/tag/2025.4.11.15)) +- sysext-python: typing-extensions ([4.13.2](https://github.com/python/typing_extensions/releases/tag/4.13.2) (includes [4.13.1](https://github.com/python/typing_extensions/releases/tag/4.13.1), [4.13.0](https://github.com/python/typing_extensions/releases/tag/4.13.0))) +- sysext-python: urllib3 ([2.4.0](https://github.com/urllib3/urllib3/releases/tag/2.4.0)) +- sysext-python: wheel ([0.46.1](https://github.com/pypa/wheel/releases/tag/0.46.1) (includes [0.46.0](https://github.com/pypa/wheel/releases/tag/0.46.0)))