Your message dated Sat, 04 Jul 2026 15:47:27 +0000
with message-id <[email protected]>
and subject line Bug#1134890: fixed in nbconvert 7.16.6-1+deb13u1
has caused the Debian Bug report #1134890,
regarding nbconvert: CVE-2026-39378
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134890
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nbconvert
Version: 7.17.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for nbconvert.
CVE-2026-39378[0]:
| The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to
| various other formats via Jinja templates. In versions 6.5 through
| 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown
| renderer allows arbitrary file read via path traversal in image
| references. A malicious notebook can exfiltrate sensitive files from
| the conversion host by embedding them as base64 data URIs in the
| output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do
| not enable `HTMLExporter.embed_images`; it is not enabled by
| default.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-39378
https://www.cve.org/CVERecord?id=CVE-2026-39378
[1] https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nbconvert
Source-Version: 7.16.6-1+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nbconvert, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated nbconvert package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 20 Jun 2026 16:39:11 +0300
Source: nbconvert
Architecture: source
Version: 7.16.6-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1134889 1134890
Changes:
nbconvert (7.16.6-1+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-39377: Arbitrary File Write via Path Traversal in
Cell Attachment Filenames (Closes: #1134889)
* CVE-2026-39378: Arbitrary File Read via Path Traversal in
HTMLExporter Image Embedding (Closes: #1134890)
Checksums-Sha1:
6eefda77a3ea1976cf77e72f0615dd1cffd0c6d1 2928 nbconvert_7.16.6-1+deb13u1.dsc
9a8b08de964f85f034c955ec35bf6dc9408a4460 761246 nbconvert_7.16.6.orig.tar.gz
badd443048c5893d3eb14483bd69707a415b04ba 63572
nbconvert_7.16.6-1+deb13u1.debian.tar.xz
Checksums-Sha256:
0cbeab8bb4cfa40ea67524b057037b7f41062ee39521b3659f2afcca557df5bc 2928
nbconvert_7.16.6-1+deb13u1.dsc
45e3819cc8bd85543a83180bf7606b8fcf4b8e5a4b3fdfc4481a0baf96656d98 761246
nbconvert_7.16.6.orig.tar.gz
51e7b6ff130651df876b36e1805833083f3d14d5460ba44b4cf83e43e714fa4a 63572
nbconvert_7.16.6-1+deb13u1.debian.tar.xz
Files:
05bfc6e59b5c02f0c1b9962d5b18a4df 2928 python optional
nbconvert_7.16.6-1+deb13u1.dsc
79d03a03e839bf199a1a0d65dadc7567 761246 python optional
nbconvert_7.16.6.orig.tar.gz
b56a778a02d0a670e50a9237032f79b8 63572 python optional
nbconvert_7.16.6-1+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmo2wmQACgkQiNJCh6LY
mLF7VQ//fWTKI8VW8wbP0YARH9A2UX4eN3FTB6W5rzSbHwpQaFeG23ZaYKcGYEbS
hE1AcEt8HyAzHMdIEuTHLfkTgd7Byg01m3jgi+hlqxr1dwPI0jkdhRzOzqtW3EKN
UCnyGZu4Gz373KUOPPa4BZ+r1pFiEuxUAdrzKdyvHF7xcz94hHp9nI6ZwKRAiI0E
ciSAE2dogGqoW+I+T6cgWvcPm9etY+skK4ERk7rYC0iSfJBSdtra7L2E3mjbZrxh
rcsCDF+W+qGYqvje/3P5voer2xVKM2urWpvBHHGbfUBrfTNYYo9ZLolB1uWD/TtL
vRAmn1y4G4qIB5KVIcmv9LyTCCNdU0q+DcwBPEvacD32iAe7tufLeKYxy2Z5Ymr7
PPUCQVbkaDEMIHbahUNlXH7QpC26eQSszEP4pxGSDri4jFhUU1wKyx2uKNRr+1yf
7ESts05w/Zse7OH2wqPxPhYEt4T9o4qr1Dwvki9tqOt/eYEhblFktF11Y3lXPkKQ
B+GfTMWO0j7HMS6/FmOAGMypeb5Ano0I3AlVYWydjfEcVGP0nvcRdmbsYWJWUYro
k22JbNRmpT4MxaFLYDJxv8NC8bztWxQwn6iZ2bafP70cgGPA/t0VoPD8n8ekExhm
9TIFNZBXxcpT4xg0hRh9bD3DQk4oS4padsCB45jAYDVc/gIcnTw=
=zUYh
-----END PGP SIGNATURE-----
pgpzZNwpigcYd.pgp
Description: PGP signature
--- End Message ---