Your message dated Fri, 11 Nov 2022 21:49:50 +0000
with message-id <e1otbui-00dwyp...@fasolo.debian.org>
and subject line Bug#1023361: fixed in jupyter-core 4.11.2-1
has caused the Debian Bug report #1023361,
regarding jupyter-core: CVE-2022-39286: Execution with Unnecessary Privileges in JupyterApp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023361: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023361
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jupyter-core
Version: 4.11.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jupyter-core.

CVE-2022-39286[0]:
| Jupyter Core is a package for the core common functionality of Jupyter
| projects. Jupyter Core prior to version 4.11.2 contains an arbitrary
| code execution vulnerability in `jupyter_core` that stems from
| `jupyter_core` executing untrusted files in CWD. This vulnerability
| allows one user to run code as another. Version 4.11.2 contains a
| patch for this issue. There are no known workarounds.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39286
    https://www.cve.org/CVERecord?id=CVE-2022-39286
[1] https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp
[2] https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
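
An added example, not part of the original report or of jupyter_core's own code: a Python check that tells whether a jupyter-core version string predates the 4.11.2 fix named in the CVE text, and whether a working directory holds Jupyter-style config files that the current user does not control. The file-name patterns and the helper names `is_patched` and `untrusted_configs` are assumptions, not taken from the advisory.

```python
import fnmatch
import os
import re

FIXED = (4, 11, 2)  # first patched upstream version, per the CVE text above
# Assumed naming convention for Jupyter config files (not stated in this report).
CONFIG_PATTERNS = ("jupyter_*config.py", "jupyter_*config.json")


def is_patched(version):
    """True if an upstream or Debian version string is >= 4.11.2."""
    # Drop a Debian epoch ("1:") and revision ("-1") before comparing.
    upstream = version.split(":")[-1].split("-")[0]
    nums = tuple(int(n) for n in re.findall(r"\d+", upstream)[:3])
    nums += (0,) * (3 - len(nums))
    return nums >= FIXED


def untrusted_configs(directory, trusted_uids):
    """Names of config-like files in `directory` that are owned by a uid
    outside `trusted_uids` or are writable by group/other."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not any(fnmatch.fnmatch(name, p) for p in CONFIG_PATTERNS):
            continue
        st = os.lstat(os.path.join(directory, name))
        if st.st_uid not in trusted_uids or st.st_mode & 0o022:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for v in ("4.11.1-1", "4.11.2-1"):  # versions named in this bug report
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    suspects = untrusted_configs(os.getcwd(), {os.getuid(), 0})
    print("config files in CWD not under our control:", suspects or "none")
```

On an unpatched install, any file this reports in a shared directory deserves review before a Jupyter command is started from that directory.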
--- Begin Message ---
Source: jupyter-core
Source-Version: 4.11.2-1
Done: Gordon Ball <gor...@chronitis.net>

We believe that the bug you reported is fixed in the latest version of
jupyter-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gordon Ball <gor...@chronitis.net> (supplier of updated jupyter-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Nov 2022 21:06:00 +0000
Source: jupyter-core
Architecture: source
Version: 4.11.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Gordon Ball <gor...@chronitis.net>
Closes: 1023361
Changes:
 jupyter-core (4.11.2-1) unstable; urgency=medium
 .
   * New upstream version 4.11.2
   * Fixes CVE-2022-39286 (Closes: #1023361)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
