Your message dated Tue, 23 Jun 2026 11:34:22 +0000
with message-id <[email protected]>
and subject line Bug#1136022: fixed in jupyter-server 2.20.0-1
has caused the Debian Bug report #1136022,
regarding jupyter-server: CVE-2025-61669 CVE-2026-40110 CVE-2026-35397 CVE-2026-40934
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136022: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136022
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jupyter-server
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jupyter-server.

CVE-2025-61669[0]:
| Jupyter Server is the backend for Jupyter web applications. In
| jupyter_server versions through 2.17.0, the next query parameter in
| the login flow is insufficiently validated in
| `LoginFormHandler._redirect_safe()`, which allows redirects to
| arbitrary external domains via values such as `///example.com`. An
| attacker can use a crafted login URL to redirect users to a
| malicious site and facilitate phishing attacks. This issue is fixed
| in version 2.18.0.

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w

CVE-2026-40110[1]:
| Jupyter Server is the backend for Jupyter web applications. In
| versions 2.17.0 and earlier, the Origin header validation uses
| Python's re.match() to check incoming origins against the
| allow_origin_pat configuration value. Because re.match() only
| anchors at the start of the string and does not require a full
| match, a pattern intended to match only a trusted domain (e.g.,
| trusted.example.com) will also match any origin that begins with
| that domain followed by additional characters (e.g.,
| trusted.example.com.evil.com). An attacker who controls such a
| domain can bypass the CORS origin restriction and make cross-origin
| requests to the Jupyter Server API from an untrusted site. This
| issue has been fixed in version 2.18.0.

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p
https://github.com/jupyter-server/jupyter_server/pull/603
https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea (v2.18.0)
https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8 (v2.18.0)

CVE-2026-35397[2]:
| Jupyter Server is the backend for Jupyter web applications. In
| versions 2.17.0 and earlier, a path traversal vulnerability in the
| REST API allows an authenticated user to escape the configured
| root_dir and access sibling directories whose names begin with the
| same prefix as the root_dir. For example, with a root_dir named
| "test", the API permits access to a sibling directory named
| "testtest" through a crafted request to the /api/contents endpoint
| using encoded path components. An attacker can read, write, and
| delete files in affected sibling directories. Multi-tenant
| deployments using predictable naming schemes are particularly at
| risk, as a user with a directory named "user1" could access
| directories for user10 through user19 and beyond. A user who can
| choose a single-character folder name could gain access to a
| significant number of sibling directories. Version 2.18.0 contains
| a fix. As a workaround, ensure folder names do not share a common
| prefix with any sibling directory.

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3

CVE-2026-40934[3]:
| Jupyter Server is the backend for Jupyter web applications. In
| versions 2.17.0 and earlier, the secret used to sign authentication
| cookies is persisted to a static file at
| ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never
| rotated when a user changes their password. After a password reset
| and server restart, any previously issued authentication cookie
| remains cryptographically valid because the signing key has not
| changed. An attacker who has captured a session cookie through any
| means retains full authenticated access to the server regardless of
| subsequent password changes. This affects deployments using
| password-based authentication, particularly shared or public-facing
| servers where credential rotation is expected to revoke existing
| sessions. This issue has been fixed in version 2.18.0.

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61669
    https://www.cve.org/CVERecord?id=CVE-2025-61669
[1] https://security-tracker.debian.org/tracker/CVE-2026-40110
    https://www.cve.org/CVERecord?id=CVE-2026-40110
[2] https://security-tracker.debian.org/tracker/CVE-2026-35397
    https://www.cve.org/CVERecord?id=CVE-2026-35397
[3] https://security-tracker.debian.org/tracker/CVE-2026-40934
    https://www.cve.org/CVERecord?id=CVE-2026-40934

Please adjust the affected versions in the BTS as needed.

--- End Message ---
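The three input-validation flaws in the report above (CVE-2026-40110, CVE-2026-35397 and CVE-2025-61669) share one root cause: a check that anchors only at the start of an attacker-controlled string. The following is an added illustration, not code from jupyter_server or from the Debian maintainers. The `*_weak` helpers are hypothetical reconstructions of the described behaviour, the `*_fixed` helpers show a containment check a defender would expect, and the origin, root directory and redirect values are constructed sample inputs.

```python
import os
import re
from urllib.parse import unquote, urlparse

# --- CVE-2026-40110: CORS origin check against allow_origin_pat ---

def origin_allowed_weak(origin: str, allow_origin_pat: str) -> bool:
    """re.match() anchors only at the start, so a trailing suffix still matches."""
    return re.match(allow_origin_pat, origin) is not None


def origin_allowed_fixed(origin: str, allow_origin_pat: str) -> bool:
    """re.fullmatch() requires the whole Origin header value to match the pattern."""
    return re.fullmatch(allow_origin_pat, origin) is not None


# --- CVE-2026-35397: keeping a requested path inside root_dir ---

def _resolve(root_dir: str, requested: str) -> tuple:
    """Decode percent-encoded components, then normalise against the root (hypothetical helper)."""
    root = os.path.abspath(root_dir)
    target = os.path.abspath(os.path.join(root, unquote(requested)))
    return root, target


def path_inside_root_weak(root_dir: str, requested: str) -> bool:
    """A bare prefix test treats /srv/testtest as being inside /srv/test."""
    root, target = _resolve(root_dir, requested)
    return target.startswith(root)


def path_inside_root_fixed(root_dir: str, requested: str) -> bool:
    """The target must be the root itself or lie below root + separator."""
    root, target = _resolve(root_dir, requested)
    return target == root or target.startswith(root + os.sep)


# --- CVE-2025-61669: validating the `next` redirect target ---

def redirect_safe_weak(next_url: str, default: str = "/") -> str:
    """Trusting urlparse().netloc alone lets ///example.com through, because
    urlsplit reads an empty netloc and a path of /example.com, while a browser
    treats the value as a network-path reference to example.com."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        return default
    return next_url


def redirect_safe_fixed(next_url: str, default: str = "/") -> str:
    """Accept only a same-origin absolute path: exactly one leading slash and
    no scheme, authority, or backslash variant a browser would normalise."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        return default
    if not next_url.startswith("/") or next_url.startswith(("//", "/\\")):
        return default
    return next_url


if __name__ == "__main__":
    pat = r"https://trusted\.example\.com"  # constructed allow_origin_pat value
    for origin in ("https://trusted.example.com", "https://trusted.example.com.evil.com"):
        print(origin, origin_allowed_weak(origin, pat), origin_allowed_fixed(origin, pat))
    req = "..%2Ftesttest%2Fnotes.txt"  # constructed encoded request to /api/contents
    print(req, path_inside_root_weak("/srv/test", req), path_inside_root_fixed("/srv/test", req))
    for nxt in ("/tree", "///example.com", "https://example.com/"):
        print(nxt, redirect_safe_weak(nxt), redirect_safe_fixed(nxt))
```

The same pattern carries over to the fourth issue in the report (CVE-2026-40934), although it is not regex-shaped: a signing secret that is only ever created, never rotated, is another check anchored to a single point in time. A password change should regenerate the cookie secret so that every cookie signed under the old key stops validating.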
--- Begin Message ---
Source: jupyter-server
Source-Version: 2.20.0-1
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jupyter-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated jupyter-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Jun 2026 12:08:04 +0100
Source: jupyter-server
Architecture: source
Version: 2.20.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1136022
Changes:
 jupyter-server (2.20.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release (closes: #1136022):
     - CVE-2025-61669: Open redirection vulnerability in `next` query
       parameter.
     - CVE-2026-35397: Path traversal via jupyter-server REST API allows
       access to a subset of directories sibling to the `root_dir`.
     - CVE-2026-40110: CORS Origin validation bypass via `re.match()` in
       `allow_origin_pat`.
     - CVE-2026-40934: Authentication cookies remain valid after password
       reset and server restart.
   * Skip failing restart_kernel test on all architectures.
   * Standards-Version: 4.7.4.
Checksums-Sha1:
 6d59bd8c12b14c54e1537ba3135698f16a34dbe3 3756 jupyter-server_2.20.0-1.dsc
 792059f9fe0713adf7baa01343a6933f8f7ef7bc 641174 jupyter-server_2.20.0.orig.tar.gz
 d6dfa9ee4c73a1b74523895c56db7b77088e17c4 7600 jupyter-server_2.20.0-1.debian.tar.xz
Checksums-Sha256:
 29b40e88cc9aef184f008693d22f6cbc02040adc6b2154f73787d9cfc55cb64f 3756 jupyter-server_2.20.0-1.dsc
 d6f1614e53fe3918c311c4221174faad3e0359a690df21da1a923a86b5a28aaa 641174 jupyter-server_2.20.0.orig.tar.gz
 cb813a5f1ae64a5d97fd6309ce9792cccd9a33c07c715baa66c9251472aa2f60 7600 jupyter-server_2.20.0-1.debian.tar.xz
Files:
 105e1cac9380ac55aae8b77121d81f60 3756 python optional jupyter-server_2.20.0-1.dsc
 851a1e9ee825de6cb286cc37723454f8 641174 python optional jupyter-server_2.20.0.orig.tar.gz
 5032f085f06320ebd253ddc5a26bbc46 7600 python optional jupyter-server_2.20.0-1.debian.tar.xz



--- End Message ---