Your message dated Mon, 25 Nov 2024 17:06:11 +0000
with message-id <[email protected]>
and subject line Bug#1082871: fixed in jupyterlab 4.0.11+ds1+~cs11.25.27-3
has caused the Debian Bug report #1082871,
regarding jupyterlab: CVE-2024-43805
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1082871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082871
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jupyterlab
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for jupyterlab.
CVE-2024-43805[0]:
| jupyterlab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook Architecture.
| This vulnerability depends on user interaction by opening a
| malicious notebook with Markdown cells, or Markdown file using
| JupyterLab preview feature. A malicious user can access any data
| that the attacked user has access to as well as perform arbitrary
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.
| Users are advised to upgrade. There is no workaround for the
| underlying DOM Clobbering susceptibility. However, select plugins
| can be disabled on deployments which cannot update in a timely
| fashion to minimise the risk. These are:
| 1. `@jupyterlab/mathjax-extension:plugin` - users will lose ability to
|    preview mathematical equations.
| 2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose
|    ability to open Markdown previews.
| 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with optional
|    `jupyterlab-mathjax2` package) - an older version of the mathjax
|    plugin for JupyterLab 4.x.
| To disable these extensions run:
| ```jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && jupyter labextension disable @jupyterlab/mathjax-extension:plugin && jupyter labextension disable @jupyterlab/mathjax2-extension:plugin```
| in bash.
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-43805
https://www.cve.org/CVERecord?id=CVE-2024-43805
Please adjust the affected versions in the BTS as needed.
--- End Message ---
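An added example, not part of the bug report, the advisory or the Debian package: a check that the plugins named in the advisory text above are actually disabled on a host that cannot be upgraded yet. It assumes the disable command records its result under a "disabledExtensions" key in JupyterLab's page_config.json, as either an id-to-boolean mapping or a list of ids, and that later config documents override earlier ones; the function names and sample documents are constructed for illustration.

```python
import json

# Plugin ids named in the advisory text, in the order it lists them.
RISKY_PLUGINS = (
    "@jupyterlab/mathjax-extension:plugin",
    "@jupyterlab/markdownviewer-extension:plugin",
    "@jupyterlab/mathjax2-extension:plugin",
)

# Constructed sample documents (not taken from any real deployment).
SAMPLE_SYSTEM = json.dumps({"disabledExtensions": {
    "@jupyterlab/markdownviewer-extension:plugin": True,
    "@jupyterlab/mathjax-extension:plugin": True,
}})
SAMPLE_USER = json.dumps({"disabledExtensions": {
    "@jupyterlab/mathjax-extension:plugin": False,  # re-enabled by a user
}})


def merged_disabled(config_texts):
    """Merge page_config.json documents, lowest precedence first (assumed)."""
    state = {}
    for text in config_texts:
        entry = json.loads(text).get("disabledExtensions", {})
        if isinstance(entry, list):  # list form: every listed id is disabled
            entry = {name: True for name in entry}
        state.update(entry)
    return {name for name, off in state.items() if off is True}


def still_enabled(config_texts, mathjax2_installed=False):
    """Return the advisory plugins that the merged config leaves enabled."""
    disabled = merged_disabled(config_texts)
    missing = []
    for plugin in RISKY_PLUGINS:
        if plugin.startswith("@jupyterlab/mathjax2-") and not mathjax2_installed:
            continue  # optional package, only relevant when installed
        package = plugin.split(":", 1)[0]
        # An entry for the whole package is treated as covering its plugin.
        if plugin not in disabled and package not in disabled:
            missing.append(plugin)
    return missing


if __name__ == "__main__":
    for plugin in still_enabled([SAMPLE_SYSTEM, SAMPLE_USER]):
        print("still enabled:", plugin)
```

An empty result only means the mitigation is in place; the advisory text states there is no workaround for the underlying DOM Clobbering susceptibility.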
--- Begin Message ---
Source: jupyterlab
Source-Version: 4.0.11+ds1+~cs11.25.27-3
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jupyterlab, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated jupyterlab package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 Nov 2024 15:00:57 +0100
Source: jupyterlab
Architecture: source
Version: 4.0.11+ds1+~cs11.25.27-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
<[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1082871
Changes:
jupyterlab (4.0.11+ds1+~cs11.25.27-3) unstable; urgency=medium
.
* Fix CVE-2024-43805 (Closes: #1082871)
--- End Message ---