Your message dated Fri, 16 Jun 2023 16:34:16 +0000
with message-id <e1qacou-002nyw...@fasolo.debian.org>
and subject line Bug#1023361: fixed in jupyter-core 4.7.1-1+deb11u1
has caused the Debian Bug report #1023361,
regarding jupyter-core: CVE-2022-39286: Execution with Unnecessary Privileges 
in JupyterApp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023361: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023361
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jupyter-core
Version: 4.11.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jupyter-core.

CVE-2022-39286[0]:
| Jupyter Core is a package for the core common functionality of Jupyter
| projects. Jupyter Core prior to version 4.11.2 contains an arbitrary
| code execution vulnerability in `jupyter_core` that stems from
| `jupyter_core` executing untrusted files in CWD. This vulnerability
| allows one user to run code as another. Version 4.11.2 contains a
| patch for this issue. There are no known workarounds.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39286
    https://www.cve.org/CVERecord?id=CVE-2022-39286
[1] https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp
[2] https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
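
A defensive check for the condition the CVE text above describes: files in the working directory that a Jupyter application could load but that another user controls. This is an added example, not part of the bug report or of jupyter_core itself; the file-name patterns and the function name `audit_cwd_configs` are assumptions, and it expects a POSIX system.

```python
import fnmatch
import os
import stat

# Assumed naming convention for Jupyter config files (not stated in the report).
CONFIG_PATTERNS = ("jupyter*_config.py", "jupyter*_config.json")


def audit_cwd_configs(directory=".", trusted_uid=None):
    """Return sorted (name, reasons) pairs for config-like files in
    `directory` that the trusted user does not exclusively control."""
    if trusted_uid is None:
        trusted_uid = os.getuid()
    findings = []
    for entry in os.scandir(directory):
        if not any(fnmatch.fnmatchcase(entry.name, p) for p in CONFIG_PATTERNS):
            continue
        # lstat semantics: inspect the link itself, not whatever it points to.
        st = entry.stat(follow_symlinks=False)
        reasons = []
        if st.st_uid != trusted_uid:
            reasons.append(f"owned by uid {st.st_uid}")
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group or others")
        if reasons:
            findings.append((entry.name, reasons))
    return sorted(findings)


if __name__ == "__main__":
    # Audit the directory a Jupyter command is about to be started from.
    for name, reasons in audit_cwd_configs():
        print(f"{name}: {', '.join(reasons)}")
```

An empty result only says that no matching file in that directory is foreign-owned, a symlink, or group/world-writable; it does not replace upgrading to a fixed package version.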
--- Begin Message ---
Source: jupyter-core
Source-Version: 4.7.1-1+deb11u1
Done: Aron Xu <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jupyter-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <a...@debian.org> (supplier of updated jupyter-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 09 Jun 2023 10:08:24 +0800
Source: jupyter-core
Architecture: source
Version: 4.7.1-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Aron Xu <a...@debian.org>
Closes: 1023361
Changes:
 jupyter-core (4.7.1-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2022-39286: Arbitrary code execution while loading configuration
     files. (Closes: #1023361)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
