Your message dated Mon, 22 Jan 2024 13:34:54 +0000
with message-id <[email protected]>
and subject line Bug#1061221: fixed in jupyterlab 4.0.11+ds1-1
has caused the Debian Bug report #1061221,
regarding jupyterlab: CVE-2024-22420 CVE-2024-22421
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1061221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061221
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jupyterlab
Version: 4.0.10+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for jupyterlab.

CVE-2024-22420[0]:
| JupyterLab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook and
| Architecture. This vulnerability depends on user interaction by
| opening a malicious Markdown file using JupyterLab preview feature.
| A malicious user can access any data that the attacked user has
| access to as well as perform arbitrary requests acting as the
| attacked user. JupyterLab version 4.0.11 has been patched. Users are
| advised to upgrade. Users unable to upgrade should disable the table
| of contents extension.


CVE-2024-22421[1]:
| JupyterLab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook and
| Architecture. Users of JupyterLab who click on a malicious link may
| get their `Authorization` and `XSRFToken` tokens exposed to a third
| party when running an older `jupyter-server` version. JupyterLab
| versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has
| been identified, however users should ensure to upgrade
| `jupyter-server` to version 2.7.2 or newer which includes a redirect
| vulnerability fix.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22420
    https://www.cve.org/CVERecord?id=CVE-2024-22420
    https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
[1] https://security-tracker.debian.org/tracker/CVE-2024-22421
    https://www.cve.org/CVERecord?id=CVE-2024-22421
    https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947

Regards,
Salvatore

--- End Message ---
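The report above gives a concrete remediation baseline: jupyterlab 4.0.11, 4.1.0b2 and 3.6.7 are patched, and jupyter-server should be 2.7.2 or newer. The following script is an added example (not part of the bug report, the Debian package or the jupyterlab project) that reads the versions installed in the current Python environment and classifies each against those advisory versions. The function names, the per-series mapping and the "unknown" verdict for release series the advisories do not mention are this example's own assumptions; the version numbers themselves are the ones quoted in the report.

```python
"""Classify installed jupyterlab / jupyter-server versions against the
fixed versions named for CVE-2024-22420 and CVE-2024-22421.

Added example, not code from the bug report or from the jupyterlab project.
Fixed versions are taken from the advisory text quoted in the report;
everything else (function names, series mapping, 'unknown' verdict) is an
assumption made for this example.
"""
import re
from importlib import metadata

# Patched versions as stated in the quoted advisories.
JUPYTERLAB_FIXED_3X = "3.6.7"
JUPYTERLAB_FIXED_40 = "4.0.11"
JUPYTERLAB_FIXED_41 = "4.1.0b2"
JUPYTER_SERVER_FIXED = "2.7.2"

# Release digits, optionally followed by a pre-release tag such as b2 or rc1.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Turn a version string into a sortable key.

    A final release sorts after any pre-release of the same number
    (4.1.0 > 4.1.0rc1 > 4.1.0b2 > 4.1.0a1).  A local label such as
    Debian's '+ds1' is ignored for the comparison.
    """
    text = text.strip().split("+", 1)[0]
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))  # 4.0 == 4.0.0
    pre = (1,) if m.group(2) is None else (0, m.group(2), int(m.group(3)))
    return release, pre


def _jupyterlab_fixed_for(release):
    """Fixed version for the release series the advisory mentions, else None."""
    major, minor = release[0], release[1]
    if major == 3:
        return JUPYTERLAB_FIXED_3X
    if major == 4 and minor == 0:
        return JUPYTERLAB_FIXED_40
    if major == 4 and minor >= 1:
        return JUPYTERLAB_FIXED_41
    return None  # assumption: series not covered by the advisory text


def assess_jupyterlab(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a jupyterlab version."""
    key = parse_version(version)
    fixed = _jupyterlab_fixed_for(key[0])
    if fixed is None:
        return "unknown"
    return "patched" if key >= parse_version(fixed) else "vulnerable"


def assess_jupyter_server(version):
    """Return 'patched' or 'vulnerable' for a jupyter-server version."""
    ok = parse_version(version) >= parse_version(JUPYTER_SERVER_FIXED)
    return "patched" if ok else "vulnerable"


def installed_version(dist_name):
    """Version of an installed distribution, or None if it is absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    checks = (("jupyterlab", assess_jupyterlab),
              ("jupyter-server", assess_jupyter_server))
    for name, check in checks:
        found = installed_version(name)
        verdict = "not installed" if found is None else f"{found} -> {check(found)}"
        print(f"{name}: {verdict}")
```

Run it inside the interpreter that serves JupyterLab; a "vulnerable" verdict for either package means the upgrade path quoted in the report still applies to that environment.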
--- Begin Message ---
Source: jupyterlab
Source-Version: 4.0.11+ds1-1
Done: Roland Mas <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jupyterlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Mas <[email protected]> (supplier of updated jupyterlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Jan 2024 13:52:19 +0100
Source: jupyterlab
Architecture: source
Version: 4.0.11+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Roland Mas <[email protected]>
Closes: 1061221
Changes:
 jupyterlab (4.0.11+ds1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Bug fix: "CVE-2024-22420 CVE-2024-22421", thanks to Salvatore
     Bonaccorso (Closes: #1061221).
Checksums-Sha1:
 d7c361f17f2bae1cb9f46377ea0bef78f81d9f74 2725 jupyterlab_4.0.11+ds1-1.dsc
 2e75d5fd9de72ff7bb71e122f44cf1862ea38159 16559832 jupyterlab_4.0.11+ds1.orig.tar.xz
 d2458b6c8b7381f4bb8571e9cdb0ecb8a1a00471 5744 jupyterlab_4.0.11+ds1-1.debian.tar.xz
 31158beb7dba6ead4d696c496f191d6140c17234 34914 jupyterlab_4.0.11+ds1-1_amd64.buildinfo
Checksums-Sha256:
 8b1d4273022918a175b768fd9ad98b95aa080398410d2a206bde5d5e082fa6c2 2725 jupyterlab_4.0.11+ds1-1.dsc
 cf93e3fe9f2ee1783565f3fe9cf56688fd032a9ad899990598aff1e3a0aa43eb 16559832 jupyterlab_4.0.11+ds1.orig.tar.xz
 7cef6a9f1473112b9ae61c177c794fdf37312227bfea5344ea9ab8f5f46dfb57 5744 jupyterlab_4.0.11+ds1-1.debian.tar.xz
 30c986bf4e85e546ab16d0727578746387efadba6f943a8bdc4021fc8fb0f389 34914 jupyterlab_4.0.11+ds1-1_amd64.buildinfo
Files:
 c949a49b24357d196c01a0cb84348305 2725 python optional jupyterlab_4.0.11+ds1-1.dsc
 c767a8c68de394c85fb664f338adc99b 16559832 python optional jupyterlab_4.0.11+ds1.orig.tar.xz
 23291b2bf57d8f47c687286c657518e9 5744 python optional jupyterlab_4.0.11+ds1-1.debian.tar.xz
 58728f5ace4e990dc7aafec20471852c 34914 python optional jupyterlab_4.0.11+ds1-1_amd64.buildinfo


--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
