Your message dated Wed, 15 Sep 2021 20:22:11 +0000
with message-id <e1mqbq3-000euy...@fasolo.debian.org>
and subject line Bug#992704: fixed in jupyter-notebook 6.4.3-1
has caused the Debian Bug report #992704,
regarding jupyter-notebook: CVE-2021-32798
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
992704: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992704
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jupyter-notebook
Version: 6.2.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jupyter-notebook.

CVE-2021-32798[0]:
| The Jupyter notebook is a web-based notebook environment for
| interactive computing. In affected versions untrusted notebook can
| execute code on load. Jupyter Notebook uses a deprecated version of
| Google Caja to sanitize user inputs. A public Caja bypass can be used
| to trigger an XSS when a victim opens a malicious ipynb document in
| Jupyter Notebook. The XSS allows an attacker to execute arbitrary code
| on the victim computer using Jupyter APIs.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798
[1] https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
[2] https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jupyter-notebook
Source-Version: 6.4.3-1
Done: Gordon Ball <gor...@chronitis.net>

We believe that the bug you reported is fixed in the latest version of
jupyter-notebook, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gordon Ball <gor...@chronitis.net> (supplier of updated jupyter-notebook package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Sep 2021 19:31:54 +0000
Source: jupyter-notebook
Architecture: source
Version: 6.4.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Gordon Ball <gor...@chronitis.net>
Closes: 992704
Changes:
 jupyter-notebook (6.4.3-1) unstable; urgency=medium
 .
   * d/watch: new github tarball URL
   * d/watch: accept leading v on tags, added from 6.4.2
   * New upstream version 6.4.3
   * d/rules: update custom changelog location
   * d/jupyter-notebook.install: include icon and desktop file
   * Drop vendored copy of google-caja, no longer used
   * Vendor multiple JS libraries needed for new html sanitizer, which is
     needed to fix CVE-2021-32798 / GHSA-hwvq-6gjx-j797 (Closes: #992704)
       + @jupyterlab/apputils
       + sanitize-html, @types/sanitize-html
       + parse-srcset
       + klona

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
