[Python-modules-team] Bug#1061221: jupyterlab: CVE-2024-22420 CVE-2024-22421
Source: jupyterlab
Version: 4.0.10+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for jupyterlab.

CVE-2024-22420[0]:
| JupyterLab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook and
| Architecture. This vulnerability depends on user interaction by
| opening a malicious Markdown file using JupyterLab preview feature.
| A malicious user can access any data that the attacked user has
| access to as well as perform arbitrary requests acting as the
| attacked user. JupyterLab version 4.0.11 has been patched. Users are
| advised to upgrade. Users unable to upgrade should disable the table
| of contents extension.

CVE-2024-22421[1]:
| JupyterLab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook and
| Architecture. Users of JupyterLab who click on a malicious link may
| get their `Authorization` and `XSRFToken` tokens exposed to a third
| party when running an older `jupyter-server` version. JupyterLab
| versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has
| been identified, however users should ensure to upgrade `jupyter-
| server` to version 2.7.2 or newer which includes a redirect
| vulnerability fix.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22420
    https://www.cve.org/CVERecord?id=CVE-2024-22420
    https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
[1] https://security-tracker.debian.org/tracker/CVE-2024-22421
    https://www.cve.org/CVERecord?id=CVE-2024-22421
    https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947

Regards,
Salvatore

___
Python-modules-team mailing list
Python-modules-team@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
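The second advisory above (CVE-2024-22421) is a credential leak through a redirect: a crafted link sends the browser, tokens and all, to an origin the attacker controls. The usual guard against that class of bug is to only ever redirect to a path on the local origin. What follows is an added example of such a check; it is my illustration, not JupyterLab's or jupyter-server's code, and says nothing about how the 2.7.2 fix is actually implemented. `is_local_redirect` and `safe_redirect_target` are hypothetical helper names.

```python
from urllib.parse import urlsplit


def is_local_redirect(target):
    """Return True only if `target` is a path-relative, same-origin redirect.

    Rejects absolute URLs, scheme-relative URLs ('//host/...'), backslash
    variants that browsers normalise to '//', and control characters that
    could split the Location header. Everything else must start with a
    single '/'. (Illustrative helper, not a library API.)
    """
    if not isinstance(target, str) or not target:
        return False
    # Browsers treat '\' as '/' in URLs, so '/\evil.example' is really
    # '//evil.example'; normalise before inspecting.
    normalised = target.replace("\\", "/")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in normalised):
        return False
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # A path-relative reference carries neither a scheme nor an authority.
    return not parts.scheme and not parts.netloc


def safe_redirect_target(target, default="/"):
    """Pick the Location a handler should actually send: the requested
    target if it stays on this origin, otherwise a safe default."""
    return target if is_local_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample targets, including the usual bypass attempts.
    for candidate in ("/lab/tree/notebook.ipynb", "//evil.example/",
                      "/\\evil.example/", "https://evil.example/",
                      "/lab\r\nSet-Cookie: x=y"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The check deliberately does not try to whitelist external hosts; if a deployment needs cross-origin redirects, that is a separate, explicit allow-list, not a relaxation of this predicate.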
[Python-modules-team] Bug#974685: closed by Debian FTP Masters (reply to TANIGUCHI Takaki ) (Bug#974685: fixed in python-rsa 4.7.2-1)
Control: reopen -1

Note that the change in 4.7 does not fix the issue, cf.:
https://github.com/sybrenstuvel/python-rsa/issues/165#issuecomment-727580521

Can you please double-check with upstream on the status?

Regards,
Salvatore
[Python-modules-team] Bug#980189: flask-security: CVE-2021-21241
On Fri, Jan 15, 2021 at 08:59:31PM +0100, Salvatore Bonaccorso wrote:
[...]
> Admittedly the CVE description currently on MITRE is quite confusing
> referring to Flask-Security-Too package. But the other references
> pointed out and reviewing the changes seem to apply to the original
> project as well (I might miss something here).

I can answer this part myself: "Flask-Security-Too" is the "upstream".

flask-security (3.4.2-1) unstable; urgency=medium
[...]
  * Switch upstream to Flask-Security-Too.
[...]

Regards,
Salvatore
[Python-modules-team] Bug#980189: flask-security: CVE-2021-21241
Source: flask-security
Version: 3.4.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Flask-Middleware/flask-security/issues/421
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for flask-security.

CVE-2021-21241[0]:
| The Python "Flask-Security-Too" package is used for adding security
| features to your Flask application. It is an independently
| maintained version of Flask-Security based on the 3.0.0 version of
| Flask-Security. In Flask-Security-Too from version 3.3.0 and before
| version 3.4.5, the /login and /change endpoints can return the
| authenticated user's authentication token in response to a GET
| request. Since GET requests aren't protected with a CSRF token, this
| could lead to a malicious 3rd party site acquiring the authentication
| token. Version 3.4.5 and version 4.0.0 are patched. As a workaround,
| if you aren't using authentication tokens - you can set the
| SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token
| unusable.

Admittedly the CVE description currently on MITRE is quite confusing
referring to Flask-Security-Too package. But the other references
pointed out and reviewing the changes seem to apply to the original
project as well (I might miss something here).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21241
[1] https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
[2] https://github.com/Flask-Middleware/flask-security/pull/422
[3] https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f
[4] https://github.com/Flask-Middleware/flask-security/issues/421

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
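The CVE text above describes the shape of the bug (an authentication token returned in a GET response, which CSRF protection never covers) rather than showing it. The following is an added example of that pattern and of the obvious hardening: it is my code, written against the standard-library WSGI interface so it runs without Flask, and it is not Flask-Security-Too's implementation or its fix. The session fixtures, the `/login` path and the `X-CSRF-Token` header name are constructed for the demonstration.

```python
import hmac
import json
import secrets
from wsgiref.util import setup_testing_defaults

# Constructed fixtures standing in for one logged-in session.
SESSION_CSRF = secrets.token_hex(16)
AUTH_TOKEN = "constructed-auth-token"


def _respond(start_response, status, body):
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def vulnerable_login_app(environ, start_response):
    """The pattern behind the CVE: the token comes back on a plain GET,
    which no CSRF check covers."""
    if environ["PATH_INFO"] != "/login":
        return _respond(start_response, "404 Not Found", {})
    return _respond(start_response, "200 OK",
                    {"response": {"user": {"authentication_token": AUTH_TOKEN}}})


def hardened_login_app(environ, start_response):
    """Hardened: never place the token in a GET response; issue it only on
    a POST carrying a CSRF token that matches the session's, compared in
    constant time."""
    if environ["PATH_INFO"] != "/login":
        return _respond(start_response, "404 Not Found", {})
    if environ["REQUEST_METHOD"] != "POST":
        return _respond(start_response, "405 Method Not Allowed",
                        {"error": "token is only issued on POST"})
    submitted = environ.get("HTTP_X_CSRF_TOKEN", "")
    if not hmac.compare_digest(submitted.encode(), SESSION_CSRF.encode()):
        return _respond(start_response, "403 Forbidden", {"error": "bad CSRF token"})
    return _respond(start_response, "200 OK",
                    {"response": {"user": {"authentication_token": AUTH_TOKEN}}})


def call(app, method="GET", path="/login", headers=None):
    """Drive a WSGI app in-process; return (status line, decoded JSON body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


def token_leaks_on_get(app):
    """True if a bare GET to /login hands out the authentication token."""
    status, body = call(app, "GET")
    return status.startswith("200") and "authentication_token" in json.dumps(body)


if __name__ == "__main__":
    print("vulnerable leaks on GET:", token_leaks_on_get(vulnerable_login_app))
    print("hardened leaks on GET:", token_leaks_on_get(hardened_login_app))
```

`token_leaks_on_get` is the check worth keeping around as a regression test for any endpoint that mints credentials: the token must be unobtainable by a method that carries no anti-CSRF proof.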
[Python-modules-team] Bug#974685: python-rsa: CVE-2020-25658
Source: python-rsa
Version: 4.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/sybrenstuvel/python-rsa/issues/165
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 4.0-2

Hi,

The following vulnerability was published for python-rsa.

CVE-2020-25658[0]:
| It was found that python-rsa is vulnerable to Bleichenbacher timing
| attacks. An attacker can use this flaw via the RSA decryption API to
| decrypt parts of the cipher text encrypted with RSA.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-25658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25658
[1] https://github.com/sybrenstuvel/python-rsa/issues/165

Regards,
Salvatore
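A Bleichenbacher attack needs an oracle that tells whether a chosen ciphertext decrypts to a well-formed PKCS#1 v1.5 block; a timing difference in the padding check is enough to build one. The two functions below are an added illustration of that mechanism (both this report and the reopen of #974685 higher up on this page concern it). They are my code, not python-rsa's, and make no claim about what the 4.7 change or the eventual fix looks like. The 16-byte blocks are constructed fixtures; real blocks are modulus-sized.

```python
# Constructed PKCS#1 v1.5 type-2 blocks, layout: 00 || 02 || PS (>= 8 non-zero) || 00 || M
VALID     = b"\x00\x02" + b"\x11" * 8  + b"\x00" + b"hello"
BAD_TYPE  = b"\x00\x01" + b"\x11" * 8  + b"\x00" + b"hello"
SHORT_PAD = b"\x00\x02" + b"\x11" * 5  + b"\x00" + b"hello!!!"
NO_SEP    = b"\x00\x02" + b"\x11" * 14


def unpad_leaky(em):
    """Naive unpadding: returns on the first failing check, so the number of
    bytes examined (and therefore the time taken) reveals *where* the
    padding broke. Returns (ok, message, bytes_examined)."""
    if len(em) < 11:                     # length is public (modulus size)
        return False, b"", 0
    examined = 1
    if em[0] != 0x00:
        return False, b"", examined
    examined += 1
    if em[1] != 0x02:
        return False, b"", examined
    for i in range(2, len(em)):
        examined += 1
        if em[i] == 0x00:
            if i < 10:                   # PS shorter than 8 bytes
                return False, b"", examined
            return True, em[i + 1:], examined
    return False, b"", examined          # no separator at all


def unpad_ct(em):
    """Same decision without data-dependent control flow: every byte is
    visited, failures accumulate in a flag, and the separator position is
    latched arithmetically. Pure Python is not truly constant-time, but the
    work done no longer depends on the padding contents.
    Returns (ok, message, bytes_examined)."""
    if len(em) < 11:
        return False, b"", 0
    bad = (em[0] ^ 0x00) | (em[1] ^ 0x02)   # non-zero if either header byte is wrong
    looking, sep = 1, 0
    for i in range(2, len(em)):
        is_zero = int(em[i] == 0x00)
        sep |= (looking & is_zero) * i   # set once, at the first zero byte
        looking &= 1 - is_zero
    bad |= looking                       # still looking: no separator
    bad |= int(sep < 10)                 # separator too early: PS too short
    return bad == 0, em[sep + 1:], len(em)


if __name__ == "__main__":
    for name, block in (("VALID", VALID), ("BAD_TYPE", BAD_TYPE),
                        ("SHORT_PAD", SHORT_PAD), ("NO_SEP", NO_SEP)):
        print(name, "leaky:", unpad_leaky(block), "ct:", unpad_ct(block))
```

The third element of each result is the tell: the leaky version examines 2, 8 or 16 bytes depending on which check fails, while the constant-flow version always examines all 16. Note that the caller still has to avoid reintroducing the oracle further up (distinct exceptions or error codes per failure type are the same leak in a different channel).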
[Python-modules-team] Bug#971554: djangorestframework: CVE-2020-25626
Source: djangorestframework
Version: 3.11.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for djangorestframework.

CVE-2020-25626[0]:
| A flaw was found in Django REST Framework versions before 3.12.0 and
| before 3.11.2. When using the browseable API viewer, Django REST
| Framework fails to properly escape certain strings that can come from
| user input. This allows a user who can control those strings to inject
| malicious