Hi,
On Sat, 19 Oct 2024 16:35:58 +0200 "Michael R. Crusoe" <cru...@debian.org> wrote:
> None of the CVE-2024-43805 affected versions of jupyter-notebook
> (>=7.0.0,<=7.2.1) are in the Debian archive.
>
> o-o-stable: 5.7.8-1
> oldstable: 6.2.0-1
> stable: 6.4.12-2.2
> testing: 6.4.13-2
> unstable: 6.4.13-2
I'm part of the Debian LTS Team and I'm trying to figure out if/how
we're affected by this CVE.
It's common for upstream to only issue version recommendations for
supported releases (here 7.x), but this is rarely exhaustive information
and often doesn't cover past/EOL'd releases. So to be sure I'd like to
better identify the vulnerability and its fix.
I couldn't identify any fix in jupyter-notebook itself:
https://github.com/jupyter/notebook/commits/7.2.x/
The only commit for 7.2.2 is bumping various dependencies from
jupyterlab to 4.2.5, hinting that the actual vulnerability is only in jupyterlab.
Though, perhaps the same code is present directly in jupyter-notebook<7?
I'm not sure how exactly jupyter-notebook and the trixie-specific
jupyterlab packages interact with each other, so I'd welcome insights
in that regard :)
Cheers!
Sylvain Beucler
Debian LTS Team