[Debian-pan-maintainers] Fwd: Bug#1082871: jupyterlab: CVE-2024-43805

Yadd yadd at debian.org
Tue Oct 1 18:05:30 BST 2024


On 10/1/24 11:40, Emmanuel FARHI wrote:
> Hello Roland and Xavier,

Hello,

> A critical flaw affects our current version of jupyterlab 4.0. Version 
> 4.2.5 brings a fix.
> 
> Several options are emerging:
> 
>  1. we port the fix from jupyterlab 4.2.5 into the current Debian 4.0
>     version (i.e. as a patch)

That is the route I am currently following.

>  2. we upgrade to upstream 4.2.5

That is more complicated because there are new dependencies that are not 
easy, such as Microsoft-Fast (which I have already pushed).

>  3. we wait for someone in the community (including Ubuntu) to take
>     care of it...

No chance on that side in my opinion. Ubuntu support only covers a few 
core packages. The bulk of the distribution (universe and multiverse) is 
"community-maintained" (a nearly empty community) and they do not even 
bother to backport the patches available in Debian, even when the version 
matches exactly. In practice the JS and Perl stacks never see any 
contribution from Ubuntu. Perhaps a bit more luck on the Python side.

> What do you think?

Option 1 in my opinion.

> Emmanuel.

Regards,
Xavier

> -------- Forwarded Message --------
> Subject: 	[Debian-pan-maintainers] Bug#1082871: jupyterlab: CVE-2024-43805
> Resent-Date: 	Fri, 27 Sep 2024 13:30:01 +0000
> Resent-From: 	Moritz Mühlenhoff <jmm at inutil.org>
> Resent-To: 	debian-bugs-dist at lists.debian.org
> Resent-CC: 	team at security.debian.org, Debian Javascript Maintainers <debian-pan-maintainers at alioth-lists.debian.net>
> Date: 	Fri, 27 Sep 2024 15:26:40 +0200
> From: 	Moritz Mühlenhoff <jmm at inutil.org>
> Reply-To: 	Moritz Mühlenhoff <jmm at inutil.org>, 1082871 at bugs.debian.org
> To: 	submit at bugs.debian.org
> 
> 
> 
> Package: jupyterlab
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for jupyterlab.
> 
> CVE-2024-43805[0]:
> | jupyterlab is an extensible environment for interactive and
> | reproducible computing, based on the Jupyter Notebook Architecture.
> | This vulnerability depends on user interaction by opening a
> | malicious notebook with Markdown cells, or Markdown file using
> | JupyterLab preview feature. A malicious user can access any data
> | that the attacked user has access to as well as perform arbitrary
> | requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
> | Jupyter Notebook v7.2.2 have been patched to resolve this issue.
> | Users are advised to upgrade. There is no workaround for the
> | underlying DOM Clobbering susceptibility. However, select plugins
> | can be disabled on deployments which cannot update in a timely
> | fashion to minimise the risk. These are:
> | 1. `@jupyterlab/mathjax-extension:plugin` - users will lose the
> |    ability to preview mathematical equations.
> | 2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose
> |    the ability to open Markdown previews.
> | 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with the
> |    optional `jupyterlab-mathjax2` package) - an older version of the
> |    mathjax plugin for JupyterLab 4.x.
> | To disable these extensions run, in bash:
> | ```
> | jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && \
> |   jupyter labextension disable @jupyterlab/mathjax-extension:plugin && \
> |   jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
> | ```
> 
> https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2024-43805
> https://www.cve.org/CVERecord?id=CVE-2024-43805
> 
> Please adjust the affected versions in the BTS as needed.
> 
> -- 
> Debian-pan-maintainers mailing list
> Debian-pan-maintainers at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-pan-maintainers
> 
> 
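An added check, not part of this thread or of the JupyterLab project, that turns the two facts in the advisory above into something an operator can run against an inventory: the fixed releases (3.6.8 on the 3.x branch, 4.2.5 on 4.x) and the three plugin ids that may be disabled where an upgrade has to wait. It reads the deployment's `page_config.json`, where `jupyter labextension disable` records disabled plugins under a `disabledExtensions` key; that file layout is an assumption here, and the sample configuration is constructed for the example.

```python
"""Assess a jupyterlab deployment against CVE-2024-43805 using only the data
given in the advisory: the patched versions and the three plugins that can be
disabled as a stop-gap.  Added example; the page_config.json layout written by
`jupyter labextension disable` ("disabledExtensions") is an assumption."""
import json
import re

# Patched releases named in the advisory, keyed by major version.
FIXED_VERSIONS = {3: (3, 6, 8), 4: (4, 2, 5)}

# Plugins the advisory says may be disabled where an upgrade is not yet possible.
MITIGATION_PLUGINS = (
    "@jupyterlab/markdownviewer-extension:plugin",
    "@jupyterlab/mathjax-extension:plugin",
    "@jupyterlab/mathjax2-extension:plugin",
)


def parse_version(text):
    """'4.2.5', '4.0.11+ds' or '4.2.5rc1' -> (4, 2, 5); suffixes are dropped."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_fixed(version):
    """True if this jupyterlab version carries the fix for CVE-2024-43805.

    Majors above 4 are assumed to postdate the fix; majors below 3 are not
    listed in the advisory and are treated as unfixed (the conservative choice).
    """
    v = parse_version(version)
    major = v[0]
    if major in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[major]
    return major > max(FIXED_VERSIONS)


def unmitigated_plugins(page_config):
    """Return the advisory's plugins that are still enabled according to a
    page_config.json document (dict or JSON text).  Assumed layout:
    {"disabledExtensions": {"<plugin id>": true, ...}}; a plain list of ids
    is accepted as well."""
    if isinstance(page_config, str):
        page_config = json.loads(page_config)
    disabled = page_config.get("disabledExtensions", {})
    if isinstance(disabled, dict):
        disabled = {plugin for plugin, flag in disabled.items() if flag}
    return [p for p in MITIGATION_PLUGINS if p not in disabled]


def assess(version, page_config):
    """Summarise one deployment as 'fixed', 'mitigated' or 'exposed: ...'."""
    if is_fixed(version):
        return "fixed"
    missing = unmitigated_plugins(page_config)
    if not missing:
        return "mitigated"
    return "exposed: still enabled " + ", ".join(missing)


# Constructed sample: a 4.0.x install where only the Markdown viewer was disabled.
SAMPLE_PAGE_CONFIG = json.dumps({
    "disabledExtensions": {"@jupyterlab/markdownviewer-extension:plugin": True}
})

if __name__ == "__main__":
    for ver in ("4.0.11", "4.1.0", "4.2.5", "3.6.7", "3.6.8"):
        print(ver, "->", assess(ver, SAMPLE_PAGE_CONFIG))
```

In a real deployment, feed `assess()` the output of `jupyter --version` (or the Debian package version) together with the contents of the labconfig `page_config.json`; anything other than "fixed" or "mitigated" means the advisory's stop-gap is incomplete and the upgrade to 4.2.5 (or the backported patch discussed above) is still outstanding.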