Source: jupyterlab
Version: 4.0.10+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerabilities were published for jupyterlab.
CVE-2024-22420[0]:
| JupyterLab is an extensible environment for interactive and
|
Control: reopen -1
Note that the change in 4.7 does not fix the issue, cf.:
https://github.com/sybrenstuvel/python-rsa/issues/165#issuecomment-727580521
Can you please double-check with upstream on the status?
Regards,
Salvatore
___
On Fri, Jan 15, 2021 at 08:59:31PM +0100, Salvatore Bonaccorso wrote:
[...]
> Admittedly the CVE description currently on MITRE is quite confusing,
> referring to the Flask-Security-Too package. But the other references
> pointed out and reviewing the changes seem to apply to the original
Source: flask-security
Version: 3.4.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Flask-Middleware/flask-security/issues/421
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for
Source: python-rsa
Version: 4.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/sybrenstuvel/python-rsa/issues/165
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 4.0-2
Hi,
The following vulnerability was published for python-rsa.
Source: djangorestframework
Version: 3.11.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for djangorestframework.
CVE-2020-25626[0]:
| A flaw was found in Django REST Framework versions before
Source: pyzmq
Version: 17.1.2-2
Severity: serious
Tags: upstream,patch,fixed-upstream
Justification: FTBFS
Forwarded: https://github.com/zeromq/pyzmq/issues/1418
X-Debbugs-Cc: car...@debian.org, t...@security.debian.org, bl...@debian.org, g...@debian.org
Control: fixed -1 19.0.2-2
Control: affects
Source: python-uvicorn
Version: 0.11.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/encode/uvicorn/issues/723
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 0.11.3-1
Hi,
The following vulnerability was published for python-uvicorn.
Source: python-uvicorn
Version: 0.11.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 0.11.3-1
Hi,
The following vulnerability was published for python-uvicorn.
CVE-2020-7695[0]:
| Uvicorn before 0.11.7 is vulnerable to
Source: python-django-celery-results
Version: 1.0.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/celery/django-celery-results/issues/142
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for
Source: pyyaml
Version: 5.3.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/yaml/pyyaml/issues/420
X-Debbugs-Cc: Debian Security Team
Hi,
The following vulnerability was published for pyyaml.
CVE-2020-14343[0]:
| .load() and FullLoader still vulnerable to fairly
Source: python-rsa
Version: 4.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/sybrenstuvel/python-rsa/issues/146
Control: found -1 4.0-2
Hi,
The following vulnerability was published for python-rsa.
CVE-2020-13757[0]:
| Python-RSA 4.0 ignores leading '\0' bytes
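Added example for the report above (this is not python-rsa's code and not part of the original message): a PKCS#1 v1.5 decryption routine that converts the ciphertext to an integer before checking its length silently accepts any number of leading '\0' bytes, because int.from_bytes() drops them. The hardened variant checks that the ciphertext is exactly the modulus length and below the modulus before doing any arithmetic. The key is a demo key built from two Mersenne primes, constructed for this example and far too small for real use.

```python
"""Leading-zero tolerance in PKCS#1 v1.5 decryption, and the length check that
removes it.  Demo key only; P and Q are Mersenne primes chosen for the example."""
import os

P = (1 << 61) - 1          # 2^61 - 1, prime (demo only)
Q = (1 << 89) - 1          # 2^89 - 1, prime (demo only)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes; 19 for this key


def _nonzero_random(n: int) -> bytes:
    """Random padding string with no 0x00 bytes, as PKCS#1 v1.5 requires."""
    return bytes(b or 0x01 for b in os.urandom(n))


def rsa_encrypt(message: bytes) -> bytes:
    """PKCS#1 v1.5 type 2 encryption; always returns exactly K bytes."""
    if len(message) > K - 11:
        raise ValueError("message too long for this key")
    em = b"\x00\x02" + _nonzero_random(K - 3 - len(message)) + b"\x00" + message
    c = pow(int.from_bytes(em, "big"), E, N)
    return c.to_bytes(K, "big")


def _unpad(em: bytes) -> bytes:
    """Check the 0x00 0x02 || PS || 0x00 || M structure and return M.
    (Not constant time: a real implementation must also defend against
    padding-oracle timing, which is out of scope here.)"""
    if len(em) != K or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("decryption failed")
    sep = em.find(b"\x00", 2)
    if sep < 2 + 8:                      # PS must be at least 8 bytes
        raise ValueError("decryption failed")
    return em[sep + 1:]


def lenient_decrypt(ciphertext: bytes) -> bytes:
    """The flawed shape: int.from_bytes() ignores leading 0x00 bytes, so any
    number of them prepended to a valid ciphertext is accepted as valid."""
    m = pow(int.from_bytes(ciphertext, "big"), D, N)
    return _unpad(m.to_bytes(K, "big"))


def strict_decrypt(ciphertext: bytes) -> bytes:
    """Hardened shape: the ciphertext must be exactly the modulus length and
    numerically smaller than the modulus."""
    if len(ciphertext) != K:
        raise ValueError("ciphertext length does not match key size")
    c = int.from_bytes(ciphertext, "big")
    if c >= N:
        raise ValueError("ciphertext out of range")
    m = pow(c, D, N)
    return _unpad(m.to_bytes(K, "big"))


def accepts(decrypt, ciphertext: bytes) -> bool:
    """True if decrypt() returns a plaintext rather than raising."""
    try:
        decrypt(ciphertext)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    ct = rsa_encrypt(b"secret")
    oversized = b"\x00" * 4 + ct           # 23 bytes for a 19-byte modulus
    print("lenient accepts oversized:", accepts(lenient_decrypt, oversized))
    print("strict accepts oversized: ", accepts(strict_decrypt, oversized))
```

The length check belongs before the integer conversion, not after the unpadding: once the bytes have become an integer the information about how many leading zeros were present is gone.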
Source: python-markdown2
Version: 2.3.7-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/trentm/python-markdown2/issues/348
Hi,
The following vulnerability was published for python-markdown2.
CVE-2020-11888[0]:
| python-markdown2 through 2.3.8 allows XSS because
Hi Cyril,
On Wed, Apr 01, 2020 at 05:01:22AM +0200, Cyril Brulebois wrote:
> Hi,
>
> Salvatore Bonaccorso (2020-03-06):
> > [disclaimer: not one of the maintainers of fail2ban but was looking at
> > issues in fail2ban and stumbled over this bug]
>
> Noted.
>
>
Hi Scott,
On Fri, Mar 20, 2020 at 01:57:25PM -0400, Scott Kitterman wrote:
> On Thursday, March 19, 2020 6:24:22 PM EDT Salvatore Bonaccorso wrote:
> > Hi Scott,
> >
> > On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> > > Upstream's 3.1.2 rel
Hi Scott,
On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> Upstream's 3.1.2 release had just the security fix in it. I propose updating
> buster with it (I put 3.1.3 in unstable, but it had non-security fixes in it.
>
> I'm not 100% sure about if we need to modify the import
Source: twisted
Version: 18.9.0-6
Severity: important
Tags: security upstream
Control: found -1 19.10.0~rc1-1
Control: found -1 18.9.0-3
Control: found -1 16.6.0-2
Hi,
The following vulnerabilities were published for twisted.
CVE-2020-10108[0]:
| In Twisted Web through 19.10.0, there was an
Hi Scott,
On Sat, Mar 07, 2020 at 01:52:36AM -0500, Scott Kitterman wrote:
> On Tuesday, March 3, 2020 11:41:26 AM EST Salvatore Bonaccorso wrote:
> > Hi Scott,
> >
> > On Tue, Mar 03, 2020 at 09:19:06AM -0500, Scott Kitterman wrote:
> > > On Tuesday, March 3,
Hi
[disclaimer: not one of the maintainers of fail2ban but was looking at
issues in fail2ban and stumbled over this bug]
On Fri, Aug 02, 2019 at 11:01:46PM +0200, Cyril Brulebois wrote:
> Package: fail2ban
> Version: 0.10.2-2.1
> Severity: serious
> Justification: filling up filesystem, slow startup
Source: python-django
Version: 2:2.2.10-1
Severity: important
Tags: security upstream
Control: found -1 2:3.0.2-1
Control: found -1 1:1.11.28-1~deb10u1
Control: found -1 1:1.11.27-1~deb10u1
Control: found -1 1:1.10.7-2+deb9u8
Control: found -1 1:1.10.7-2+deb9u7
Control: found -1 1:1.10.7-1
Hi,
Hi Scott,
On Tue, Mar 03, 2020 at 09:19:06AM -0500, Scott Kitterman wrote:
> On Tuesday, March 3, 2020 2:29:51 AM EST Salvatore Bonaccorso wrote:
> > Source: pyyaml
> > Version: 5.3-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https:
Source: pyyaml
Version: 5.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/yaml/pyyaml/pull/386
Hi,
The following vulnerability was published for pyyaml.
CVE-2020-1747[0]:
| arbitrary command execution through python/object/new when FullLoader
| is used
If you fix
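Added example for the two pyyaml reports on this page (CVE-2020-1747 above and CVE-2020-14343, ".load() and FullLoader still vulnerable"); it is not PyYAML's own code and not part of either message. It shows the practical consequence: a document carrying a python/object/new tag is a request to instantiate an arbitrary importable name, and only SafeLoader refuses such tags unconditionally. Whether FullLoader executes the tag depends on the installed PyYAML version, which is exactly what the two CVEs track, so the helper below only reports what happened rather than assuming. The payload is constructed for this example and uses os.getcwd as a harmless stand-in; PyYAML is assumed to be importable as `yaml`.

```python
"""yaml.load() with FullLoader versus safe_load on a python/object/new tag.
Constructed example; PyYAML must be installed."""
import yaml
from yaml.constructor import ConstructorError

# Constructed payload: asks the loader to build an object from os.getcwd.
# A real attacker would name a gadget that runs a command; getcwd is harmless.
HOSTILE_DOC = "!!python/object/new:os.getcwd []\n"

# Ordinary data that every loader should accept.
BENIGN_DOC = "service:\n  name: api\n  replicas: 3\n"


def load_untrusted(text: str):
    """Parse YAML that came from an untrusted source.

    SafeLoader knows only the core tags (str, int, seq, map, ...) and has no
    constructors for python/* tags, so a tagged node raises ConstructorError
    instead of importing or instantiating anything.
    """
    return yaml.load(text, Loader=yaml.SafeLoader)


def is_rejected_by_safe_loader(text: str) -> bool:
    """True if SafeLoader refuses the document because of an unknown tag."""
    try:
        load_untrusted(text)
    except ConstructorError:
        return True
    return False


def full_loader_outcome(text: str) -> str:
    """Report what FullLoader does with a document without assuming it is safe.

    Returns 'rejected' if this PyYAML version refused the tag, otherwise
    'constructed <type>' naming the object that the loader built.
    """
    try:
        obj = yaml.load(text, Loader=yaml.FullLoader)
    except yaml.YAMLError:
        return "rejected"
    return f"constructed {type(obj).__name__}"


if __name__ == "__main__":
    print("safe_load benign:          ", load_untrusted(BENIGN_DOC))
    print("safe_load hostile rejected:", is_rejected_by_safe_loader(HOSTILE_DOC))
    print("FullLoader on hostile doc: ", full_loader_outcome(HOSTILE_DOC))
```

If the last line prints "constructed str", the installed PyYAML resolved the tag and called the named function; that is the behaviour the reports above are about, and the fix on the application side is the same either way: never pass untrusted input to yaml.load() with anything other than SafeLoader.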
Hi Scott,
On Fri, Feb 28, 2020 at 03:30:01PM -0500, Scott Kitterman wrote:
> On Thursday, February 27, 2020 8:11:32 AM EST Salvatore Bonaccorso wrote:
> > Hi Scott,
> >
> > On Thu, Feb 27, 2020 at 01:41:44PM +0100, Salvatore Bonaccorso wrote:
> > > Hi,
> > >
Hi Scott,
On Thu, Feb 27, 2020 at 01:05:58PM +, Scott Kitterman wrote:
[...]
> ...
>
> I'll see if I can figure something out. In the older versions it's
> all passed to html5lib in a glob of kw args. I'm not sure if that
> means the problem in html5lib (bad defaults) or if there is a way
Hi Scott,
On Thu, Feb 27, 2020 at 01:41:44PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> > I think though we might need to revisit the assessment that older
> > versions are not affected. Look at the
Hi,
On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> I think though we might need to revisit the assessment that older
> versions are not affected. Look at this quick and dirty test
> deduced from the testsuite:
So I think versions before are as well v
Hi Scott,
On Thu, Feb 27, 2020 at 06:24:09AM -0500, Scott Kitterman wrote:
> On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
> > Hi Scott,
> >
> > On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
> > > Debdiff for proposed s
Hi Scott,
On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
> Debdiff for proposed stable security update attached.
>
> The first hunk of the patch has the actual fix. I would prefer to use the
> new
> upstream release rather than just patch the one line because of the test
>
Source: python-django
Version: 2:2.2.9-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1:1.11.27-1~deb10u1
Hi,
The following vulnerability was published for python-django.
CVE-2020-7471[0]:
| Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0
Source: waitress
Version: 1.3.1-4
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for waitress; filing a
distinct bug for it, separate from the already filed #947306 for two other CVEs,
as this one is only fixed in 1.4.1 upstream.
CVE-2019-16789[0]:
| In Waitress
Source: waitress
Version: 1.3.1-4
Severity: grave
Tags: security upstream
Hi,
The following vulnerabilities were published for waitress; both are
fixed in the new upstream version 1.4.0.
CVE-2019-16785[0]:
| Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230
| which states:
Hi Chris,
On Tue, Dec 03, 2019 at 09:25:42PM +0100, Chris Lamb wrote:
> Dear Salvatore,
>
> > > Security team, would you like an upload for stable?
> >
> > As far as I can see this issue has been introduced around 2.1 where the
> > search support for view permissions and a read-only admin support
Hi Chris,
On Mon, Dec 02, 2019 at 09:30:49PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > Package: python-django
> > Version: 1.7.11-1+deb8u7
> […]
> > CVE-2019-19118[0]:
> > | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> > | editing. A Django model admin
Source: python-werkzeug
Version: 0.14.1+dfsg1-4
Severity: normal
Tags: security upstream
Hi,
The following vulnerability was published for python-werkzeug.
CVE-2019-14806[0]:
| Pallets Werkzeug before 0.15.3, when used with Docker, has
| insufficient debugger PIN randomness because Docker
Hi Chris,
On Mon, Sep 02, 2019 at 02:07:55PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > > > +python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high
> > >
> > > Thanks, these both look good; please upload to security-master.
> >
> > Both uploaded to security-master.
>
>
Hi,
On Thu, Aug 08, 2019 at 02:16:29PM +0100, Chris Lamb wrote:
> Hi Moritz,
>
> > > > > Security team (added to CC), would you be interested in uploads for
> > > > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently
> > > > > 1:1.10.7-2+deb9u5)?
> […]
> > I just realised that
Control: retitle -1 python-django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
On Mon, Jul 01, 2019 at 08:36:06PM +0200, Salvatore Bonaccorso wrote:
> Source: python-django
> Version: 1:1.11.21-1
> Severity: grave
> Tags: security upstream
>
Source: python-django
Version: 1:1.11.21-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 2:2.2.1-1
Control: found -1 1:1.10.7-2+deb9u4
Control: found -1 1:1.10.7-1
Hi,
The following vulnerability was published for python-django.
CVE-2019-12308[0]:
|
Source: twisted
Version: 18.9.0-3
Severity: important
Tags: security upstream
Forwarded: https://twistedmatrix.com/trac/ticket/9561
Hi,
The following vulnerability was published for twisted.
CVE-2019-12855[0]:
| In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP
| support did
Source: twisted
Version: 18.9.0-3
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for twisted.
CVE-2019-12387[0]:
| In Twisted before 19.2.1, twisted.web did not validate or sanitize
| URIs or HTTP methods, allowing an attacker to inject invalid
|
Source: pyxdg
Version: 0.25-5
Severity: normal
Tags: security upstream
Control: found -1 0.25-4
Hi,
The following vulnerability was published for pyxdg; as far as I
understand, though, the impact would be limited, as one would need to use
pyxdg with untrusted menu files?
CVE-2019-12761[0]:
| A code
Source: python-django
Version: 1:1.11.20-1
Severity: important
Tags: security upstream
Control: found -1 2:2.2.1-1
Hi,
The following vulnerability was published for python-django.
CVE-2019-12308[0]:
AdminURLFieldWidget XSS
If you fix the vulnerability please also make sure to include the
CVE
Source: python-urllib3
Version: 1.24.1-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for python-urllib3, in
addition to the one already reported in the BTS earlier. It was
posted at [1].
CVE-2019-11324[0]:
| The urllib3 library before 1.24.2 for
Source: python-urllib3
Version: 1.24.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/urllib3/urllib3/issues/1553
Hi,
The following vulnerability was published for python-urllib3.
CVE-2019-11236[0]:
| In the urllib3 library through 1.24.1 for Python, CRLF injection
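Added example for this urllib3 report (CRLF injection) and for the twisted CVE-2019-12387 report above (twisted.web not validating URIs or HTTP methods); it is not urllib3's or Twisted's code and not part of either message. It shows the mechanism common to both: when a client serialises the request head by string concatenation, a CR LF pair inside an attacker-controlled method, request target or header value ends the current line and starts a new header field. The hardened builder validates each component against the RFC 7230 token grammar before serialising. All inputs are constructed for the example.

```python
"""CRLF injection into an HTTP/1.1 request head, and the component validation
that prevents it.  Constructed example; the grammar follows RFC 7230."""
import re

# RFC 7230 tchar: the characters allowed in a method or header-field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# A request-target may not contain whitespace or control characters; CR and
# LF would terminate the request line and start a new header field.
_BAD_TARGET = re.compile(r"[\x00-\x20\x7f]")
# Field values: no CR, LF or NUL (TAB and SP are permitted inside a value).
_BAD_VALUE = re.compile(r"[\r\n\x00]")


def build_request_head_unchecked(method, target, headers):
    """The flawed shape: concatenate whatever the caller passed."""
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_request_head(method, target, headers):
    """Hardened shape: validate every component, then serialise."""
    if not _TOKEN.match(method):
        raise ValueError(f"invalid HTTP method {method!r}")
    if not target or _BAD_TARGET.search(target):
        raise ValueError(f"invalid request target {target!r}")
    for name, value in headers.items():
        if not _TOKEN.match(name):
            raise ValueError(f"invalid header name {name!r}")
        if _BAD_VALUE.search(value):
            raise ValueError(f"invalid header value for {name!r}")
    return build_request_head_unchecked(method, target, headers)


def is_rejected(method, target, headers) -> bool:
    """True if the hardened builder refuses these components."""
    try:
        build_request_head(method, target, headers)
    except ValueError:
        return True
    return False


def header_fields(head: str):
    """Split a serialised head into request line and header lines, the way
    a server would see them; used to show what an injection produced."""
    request_line, _, rest = head.partition("\r\n")
    fields = [line for line in rest.split("\r\n") if line]
    return request_line, fields


# Constructed attacker input: a query parameter carrying a CR LF sequence.
INJECTED_TARGET = "/search?q=x\r\nX-Injected: yes"


if __name__ == "__main__":
    head = build_request_head_unchecked("GET", INJECTED_TARGET, {"Host": "example.org"})
    print(header_fields(head))      # X-Injected now appears as a real header
    try:
        build_request_head("GET", INJECTED_TARGET, {"Host": "example.org"})
    except ValueError as exc:
        print("rejected:", exc)
```

The validator rejects rather than encodes: a library may reasonably percent-encode the target instead, but a percent-encoded "%0d%0a" is already harmless, so the decision to reject raw control characters is the part that matters.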
On Thu, Mar 28, 2019 at 10:54:17PM +0100, Salvatore Bonaccorso wrote:
> Source: jupyter-notebook
> Version: 5.7.4-2
> Severity: important
> Tags: patch security upstream
>
> Hi,
>
> The following vulnerability was published for jupyter-notebook.
>
> CVE-2019-
Source: jupyter-notebook
Version: 5.7.4-2
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for jupyter-notebook.
CVE-2019-10255[0]:
| An Open Redirect vulnerability for all browsers in Jupyter Notebook
| before 5.7.7 and some browsers (Chrome,
Source: jupyter-notebook
Version: 5.7.4-2
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for jupyter-notebook.
CVE-2019-9644[0]:
| An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before
| 5.7.6 allows inclusion of resources on
Hi Chris,
On Sun, Jan 06, 2019 at 09:39:30AM +0100, Chris Lamb wrote:
> Hi Salvatore,
>
> > With the 0017-CVE-2019-3498.patch patch there is something strange.
> > While it touches correctly the files django/views/defaults.py and the
> > tests, it touches and modifies files in debian/*, other
Hi Chris,
Thanks for working on the update.
[disclaimer: not a full review, but something jumped out while I was
reading the debdiff]
On Sat, Jan 05, 2019 at 09:39:38PM +0100, Chris Lamb wrote:
> Hi Moritz,
>
> > > This also affects stable from my reading of the code. Shall I
> > > prepare an
Source: python-django
Version: 1:1.11.17-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2:2.1.4-2
Hi,
The following vulnerability was published for python-django.
CVE-2019-3498[0]:
Content spoofing possibility in the default 404 page
If you
Hi,
Sorry, I mistyped the CVE for the report:
Here the correct information:
CVE-2018-19351[0]:
| Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook
| because nbconvert responses are considered to have the same origin as
| the notebook server. In other words, nbconvert endpoints
Source: jupyter-notebook
Version: 5.4.1-1
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for jupyter-notebook.
CVE-2018-193521[0]:
No description was found (try on a search engine)
If you fix the vulnerability please also make sure to include
Source: jupyter-notebook
Version: 5.4.1-1
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for jupyter-notebook.
CVE-2018-19352[0]:
| Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name
| because
Hi Chris,
On Fri, Aug 03, 2018 at 07:24:20AM +0100, Chris Lamb wrote:
> [adding 874...@bugs.debian.org to CC]
>
> Hi Salvatore,
>
> > > > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > > > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > > >
Hi Chris,
On Thu, Aug 02, 2018 at 06:42:59AM +0100, Chris Lamb wrote:
> Hi Salvatore,
>
> > > I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> > > update for Django:
> […]
> > The debdiff looks good so far, were you able to test the resulting
> > package
>
> I believe that is
Hi Chris,
On Thu, Aug 02, 2018 at 03:42:41AM +0100, Chris Lamb wrote:
> Hi security team,
>
> > python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
>
> I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> update for Django:
>
> Source: python-django
>
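Added example for the open-redirect reports on this page (CVE-2018-14574 in Django's CommonMiddleware in the thread above, and CVE-2019-10255 in Jupyter Notebook, "for all browsers ... and some browsers (Chrome, ..."); it is not Django's or Jupyter's code and not part of either message. It shows a check for a user-supplied redirect target, whether that is a `next` parameter or a request path about to be redirected with a slash appended, that only lets it point back into the application. The host name and all sample inputs are assumptions constructed for this example.

```python
"""Validating a redirect target so that it stays on the application's own
origin.  Constructed example; ALLOWED_HOST is an assumption."""
from urllib.parse import urlsplit

ALLOWED_HOST = "notebook.example.org"   # assumption: the application's host


def is_local_redirect(target: str) -> bool:
    """True only if `target` is a same-origin path.

    Rejects:
      * absolute URLs with a scheme (https://evil.example, javascript:...)
      * scheme-relative URLs (//evil.example), which browsers resolve to
        another host
      * the backslash variants (/\\evil.example, \\\\evil.example): browsers
        such as Chrome treat a backslash in this position as a forward slash,
        so a check that only looks for a leading '//' can be bypassed
      * control characters, which could confuse later parsing
    """
    if not target or any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    # Normalise backslashes before parsing so '/\evil' is seen as '//evil'.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    # After normalisation a local path starts with exactly one slash.
    return normalised.startswith("/") and not normalised.startswith("//")


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it is local, otherwise the fallback path."""
    return target if is_local_redirect(target) else fallback


def is_same_host_url(url: str) -> bool:
    """Stricter variant for callers that accept absolute URLs: the scheme
    must be https and the host must match ALLOWED_HOST exactly."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc == ALLOWED_HOST


if __name__ == "__main__":
    for candidate in ["/tree", "//evil.example/", "/\\evil.example/",
                      "https://evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:28} -> {safe_redirect_target(candidate)!r}")
```

The backslash normalisation is the piece most often missing: checks written as `target.startswith("//")` are correct for the URL grammar but not for what browsers actually do with the Location header.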
Source: pyyaml
Version: 3.12-1
Severity: normal
Tags: security upstream
Forwarded: https://github.com/yaml/pyyaml/pull/74
Hi,
The following vulnerability was published for pyyaml. Please see the
notes in the security tracker to see why this got a CVE assigned now.
The bug is filed to track the