<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello Roland and Xavier,</p>
<p>A critical vulnerability affects our current version of jupyterlab
4.0. Version 4.2.5 provides a fix.</p>
<p>Several options are emerging:</p>
<ol>
<li>we backport the fix from jupyterlab 4.2.5 into the current Debian
4.0 version (i.e. as a patch)<br>
</li>
<li>we upgrade to upstream 4.2.5</li>
<li>we wait for someone in the community (including Ubuntu) to take
care of it...</li>
</ol>
<p>What do you think?</p>
<p>Emmanuel.<br>
</p>
<p><br>
</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject: </th>
<td>[Debian-pan-maintainers] Bug#1082871: jupyterlab:
CVE-2024-43805</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Resent date: </th>
<td>Fri, 27 Sep 2024 13:30:01 +0000</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Resent from: </th>
<td>Moritz Mühlenhoff <a class="moz-txt-link-rfc2396E" href="mailto:jmm@inutil.org">&lt;jmm@inutil.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Resent to: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:debian-bugs-dist@lists.debian.org">debian-bugs-dist@lists.debian.org</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Resent CC: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:team@security.debian.org">team@security.debian.org</a>, Debian Javascript Maintainers
<a class="moz-txt-link-rfc2396E" href="mailto:debian-pan-maintainers@alioth-lists.debian.net">&lt;debian-pan-maintainers@alioth-lists.debian.net&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
<td>Fri, 27 Sep 2024 15:26:40 +0200</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
<td>Moritz Mühlenhoff <a class="moz-txt-link-rfc2396E" href="mailto:jmm@inutil.org">&lt;jmm@inutil.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Reply-To: </th>
<td>Moritz Mühlenhoff <a class="moz-txt-link-rfc2396E" href="mailto:jmm@inutil.org">&lt;jmm@inutil.org&gt;</a>,
<a class="moz-txt-link-abbreviated" href="mailto:1082871@bugs.debian.org">1082871@bugs.debian.org</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:submit@bugs.debian.org">submit@bugs.debian.org</a></td>
</tr>
</tbody>
</table>
<br>
<br>
Package: jupyterlab<br>
X-Debbugs-CC: <a class="moz-txt-link-abbreviated" href="mailto:team@security.debian.org">team@security.debian.org</a><br>
Severity: grave<br>
Tags: security<br>
<br>
Hi,<br>
<br>
The following vulnerability was published for jupyterlab.<br>
<br>
CVE-2024-43805[0]:<br>
| jupyterlab is an extensible environment for interactive and<br>
| reproducible computing, based on the Jupyter Notebook Architecture.<br>
| This vulnerability depends on user interaction by opening a<br>
| malicious notebook with Markdown cells, or Markdown file using<br>
| JupyterLab preview feature. A malicious user can access any data<br>
| that the attacked user has access to as well as perform arbitrary<br>
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and<br>
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.<br>
| Users are advised to upgrade. There is no workaround for the<br>
| underlying DOM Clobbering susceptibility. However, select plugins<br>
| can be disabled on deployments which cannot update in a timely<br>
| fashion to minimise the risk. These are: 1. `@jupyterlab/mathjax-<br>
| extension:plugin` - users will lose ability to preview mathematical<br>
| equations. 2. `@jupyterlab/markdownviewer-extension:plugin` - users<br>
| will lose ability to open Markdown previews. 3.<br>
| `@jupyterlab/mathjax2-extension:plugin` (if installed with optional<br>
| `jupyterlab-mathjax2` package) - an older version of the mathjax<br>
| plugin for JupyterLab 4.x. To disable these extensions run:<br>
| ```jupyter labextension disable @jupyterlab/markdownviewer-<br>
| extension:plugin &amp;&amp; jupyter labextension disable<br>
| @jupyterlab/mathjax-extension:plugin &amp;&amp; jupyter labextension disable<br>
| @jupyterlab/mathjax2-extension:plugin ``` in bash.<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2">https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2</a><br>
<br>
<br>
If you fix the vulnerability please also make sure to include the<br>
CVE (Common Vulnerabilities &amp; Exposures) id in your changelog entry.<br>
<br>
For further information see:<br>
<br>
[0] <a class="moz-txt-link-freetext" href="https://security-tracker.debian.org/tracker/CVE-2024-43805">https://security-tracker.debian.org/tracker/CVE-2024-43805</a><br>
<a class="moz-txt-link-freetext" href="https://www.cve.org/CVERecord?id=CVE-2024-43805">https://www.cve.org/CVERecord?id=CVE-2024-43805</a><br>
<br>
Please adjust the affected versions in the BTS as needed.<br>
<br>
<pre class="moz-signature">--
Debian-pan-maintainers mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Debian-pan-maintainers@alioth-lists.debian.net">Debian-pan-maintainers@alioth-lists.debian.net</a>
<a class="moz-txt-link-freetext" href="https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-pan-maintainers">https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-pan-maintainers</a>
</pre>
</div>
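<p>The script below is an added example, not code from the bug report, the advisory or the JupyterLab project. It compares an installed JupyterLab or Notebook version against the fixed releases the advisory names (JupyterLab 3.6.8 and 4.2.5, Notebook 7.2.2) and, only when invoked with <code>--apply</code>, runs the advisory's workaround of disabling the three named plugins. The function names, the <code>--apply</code> flag and the use of <code>jupyter lab --version</code> to read the installed version are this example's own assumptions; the Debian package revision suffix handling is illustrative.</p>

```shell
#!/bin/sh
# Added example (not from the bug report, the advisory or JupyterLab itself):
# flag a JupyterLab/Notebook version that is below the fixed releases named in
# the CVE-2024-43805 advisory and, on request, apply its plugin-disabling workaround.

# vercmp A B: prints -1, 0 or 1 as dotted version A is below, equal to or above B.
# Any non-numeric suffix (a Debian revision like "-1" or a "rc0" tag) is ignored.
vercmp() {
    va=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//' | tr '.' ' ')
    vb=$(printf '%s\n' "$2" | sed 's/[^0-9.].*//' | tr '.' ' ')
    set -- $va
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# is_vulnerable PRODUCT VERSION: exit 0 (true) when VERSION is below the fixed
# release for its series as given in the advisory; series the advisory does not
# name are not flagged by this script.
is_vulnerable() {
    case "$1" in
        jupyterlab)
            case "$2" in
                3.*) fix=3.6.8 ;;
                4.*) fix=4.2.5 ;;
                *)   return 1 ;;
            esac ;;
        notebook)
            case "$2" in
                7.*) fix=7.2.2 ;;
                *)   return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
    [ "$(vercmp "$2" "$fix")" -lt 0 ]
}

# Plugins the advisory says may be disabled where updating is not possible.
ADVISORY_PLUGINS="@jupyterlab/markdownviewer-extension:plugin
@jupyterlab/mathjax-extension:plugin
@jupyterlab/mathjax2-extension:plugin"

# apply_workaround: disable each listed plugin (assumes `jupyter` is on PATH).
apply_workaround() {
    for plugin in $ADVISORY_PLUGINS; do
        jupyter labextension disable "$plugin"
    done
}

# main [--apply]: read the installed version (assumption: `jupyter lab --version`
# prints it), report, and only with --apply actually run the workaround.
main() {
    if ! command -v jupyter >/dev/null 2>&1; then
        echo "jupyter not found on PATH; nothing to check" >&2
        return 0
    fi
    ver=$(jupyter lab --version 2>/dev/null) || { echo "jupyterlab not installed" >&2; return 0; }
    if is_vulnerable jupyterlab "$ver"; then
        echo "JupyterLab $ver is below the fixed release for its series"
        if [ "${1:-}" = "--apply" ]; then
            apply_workaround
        else
            echo "re-run with --apply to disable:"
            echo "$ADVISORY_PLUGINS"
        fi
    else
        echo "JupyterLab $ver is at or above the fixed release for its series"
    fi
}

main "$@"
```

<p>Run without arguments it only reports; the disabling step is deliberate because, as the advisory notes, it removes Markdown preview and MathJax rendering for users, so it is a stopgap for hosts that cannot take the 4.2.5 (or 3.6.8) update promptly, not a replacement for it.</p>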
</body>
</html>