Your message dated Sun, 09 Jun 2024 15:34:28 +0000
with message-id <e1sgkyu-00casi...@fasolo.debian.org>
and subject line Bug#1070388: fixed in jupyterhub 5.0.0+ds1-1
has caused the Debian Bug report #1070388,
regarding jupyterhub: CVE-2024-28233
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1070388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070388
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jupyterhub
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterhub.

CVE-2024-28233[0]:
| JupyterHub is an open source multi-user server for Jupyter
| notebooks. By tricking a user into visiting a malicious subdomain,
| the attacker can achieve an XSS directly affecting the former's
| session. More precisely, in the context of JupyterHub, this XSS
| could achieve full access to JupyterHub API and user's single-user
| server. The affected configurations are single-origin JupyterHub
| deployments and JupyterHub deployments with user-controlled
| applications running on subdomains or peer subdomains of either the
| Hub or a single-user server. This vulnerability is fixed in 4.1.0.

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28233
    https://www.cve.org/CVERecord?id=CVE-2024-28233

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: jupyterhub
Source-Version: 5.0.0+ds1-1
Done: Roland Mas <lola...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jupyterhub, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1070...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Mas <lola...@debian.org> (supplier of updated jupyterhub package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Jun 2024 17:00:34 +0200
Source: jupyterhub
Architecture: source
Version: 5.0.0+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Roland Mas <lola...@debian.org>
Closes: 1070388
Changes:
 jupyterhub (5.0.0+ds1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Includes fix for "CVE-2024-28233", thanks to Moritz Mühlenhoff
     (Closes: #1070388).


--- End Message ---
