Your message dated Sun, 09 Jun 2024 15:34:28 +0000
with message-id <e1sgkyu-00casi...@fasolo.debian.org>
and subject line Bug#1070388: fixed in jupyterhub 5.0.0+ds1-1
has caused the Debian Bug report #1070388,
regarding jupyterhub: CVE-2024-28233
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1070388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070388
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jupyterhub
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterhub.

CVE-2024-28233[0]:
| JupyterHub is an open source multi-user server for Jupyter
| notebooks. By tricking a user into visiting a malicious subdomain,
| the attacker can achieve an XSS directly affecting the former's
| session. More precisely, in the context of JupyterHub, this XSS
| could achieve full access to JupyterHub API and user's single-user
| server. The affected configurations are single-origin JupyterHub
| deployments and JupyterHub deployments with user-controlled
| applications running on subdomains or peer subdomains of either the
| Hub or a single-user server. This vulnerability is fixed in 4.1.0.

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28233
    https://www.cve.org/CVERecord?id=CVE-2024-28233

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: jupyterhub
Source-Version: 5.0.0+ds1-1
Done: Roland Mas <lola...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jupyterhub, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1070...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Mas <lola...@debian.org> (supplier of updated jupyterhub package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Jun 2024 17:00:34 +0200
Source: jupyterhub
Architecture: source
Version: 5.0.0+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Roland Mas <lola...@debian.org>
Closes: 1070388
Changes:
 jupyterhub (5.0.0+ds1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Includes fix for "CVE-2024-28233", thanks to Moritz Mühlenhoff
     (Closes: #1070388).
--- End Message ---