| Summary: | jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, eatdirt, joequant, mageia, marja11, nicolas.salguero, pkg-bugs, sysadmin-bugs, tarazed25, yochenhsieh, yvesbrungard |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=30677 | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | jupyter-notebook-6.4.12-1.mga8.src.rpm | CVE: | CVE-2022-24785, CVE-2022-31129 |
| Status comment: | |||
| Bug Depends on: | 30789 | ||
| Bug Blocks: | |||
Description

David Walser
2022-07-23 17:40:17 CEST

David Walser
2022-07-23 17:40:35 CEST
Status comment: (none) => Patches available from Fedora

(In reply to David Walser from comment #0)
> Fedora has issued an advisory today (July 23):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
>
> Mageia 8 is also affected.
>
> The following other packages may also be affected:
> ceph
> cockpit
> couchdb
> ipyparallel
> workrave
> cldr-emoji-annotation
> pgadmin4

Assigning to the registered maintainer of jupyter-notebook, who also maintains ipyparallel.

CC'ing: eatdirt for ceph, colin for cockpit, in case his loved ones want him to spend some time on Mageia :-) yochenhsieh (haven't seen you for a long time, either, hope you and Colin are fine!) for cldr-emoji-annotation, joequant for pgadmin4, and all packagers collectively for the rest.

Please clone this report for each package (apart from jupyter-notebook) that is affected and assign it to yourself.

Assignee: bugsquad => makowski.mageia

Sorry, could you help explain why cldr-emoji-annotation is affected. Fedora didn't rebuild or patch it after python-notebook is fixed.

Fedora patched python-notebook because it included moment, but cldr-emoji-annotation does not use moment.

(In reply to You-Cheng Hsieh from comment #2)
> Sorry, could you help explain why cldr-emoji-annotation is affected. Fedora
> didn't rebuild or patch it after python-notebook is fixed.
>
> Fedora patched python-notebook because it included moment, but
> cldr-emoji-annotation does not use moment.

Only python-notebook has been addressed, they haven't gotten to the other ones yet. Apparently they ran some sort of scanner and found moment bundled in other packages:
https://bugzilla.redhat.com/show_bug.cgi?id=2105075#c17

Thanks David! This comment confirmed it's a false positive:
https://bugzilla.redhat.com/show_bug.cgi?id=2105075#c8

"The package is considered to include moment because of moment being listed in tools/cldr-apps/js/package-lock.json (in sources). However, moment does not seem to be included in the srpm and also in any binary rpm, hence this looks like false positive."

And I checked cldr-emoji-annotation of MGA8 does have that json.

Sorry for correction: cldr-emoji-annotation of MGA8 does not have that json. This package is not affected.
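The cldr-emoji-annotation false positive discussed above turns on the difference between a lock file that merely lists moment and a moment.js file that is actually shipped in a package. The scanner below is added here as an illustration; it is not code from the Mageia, Fedora or Red Hat tooling. It walks a tree, recognises real moment.js copies by the `//! moment.js` / `//! version : x.y.z` banner that moment's build emits at the top of both the full and minified files, compares the version against the releases that fixed the two CVEs (2.29.2 for CVE-2022-24785, 2.29.4 for CVE-2022-31129), and reports package.json / package-lock.json mentions separately as manifest-only evidence that still needs a shipped file before it counts as bundling. The sample tree it builds is constructed; the banner heuristic and all function names are assumptions.

```python
"""Tell bundled moment.js copies apart from lock-file mentions (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Releases of moment that fixed each CVE named in this report.
FIXED_IN = {
    "CVE-2022-24785": (2, 29, 2),   # path traversal through moment.locale()
    "CVE-2022-31129": (2, 29, 4),   # slow parsing of long date strings (DoS)
}

# Assumed heuristic: moment's distributed files start with this two-line banner.
_BANNER = re.compile(r"\A//! moment\.js[ \t]*\r?\n//! version : (\d+)\.(\d+)\.(\d+)")


def parse_moment_version(text):
    """Return (major, minor, patch) if `text` starts with the moment banner, else None."""
    m = _BANNER.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_cves(version):
    """CVE ids whose fix release is newer than `version`."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def _manifest_mentions_moment(path):
    """True if a package.json / package-lock.json names moment as a dependency."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return False
    if not isinstance(data, dict):
        return False
    for key in ("dependencies", "devDependencies"):      # package.json, lockfile v1
        if "moment" in (data.get(key) or {}):
            return True
    # lockfile v2/v3 keys packages by path, e.g. "node_modules/moment"
    return any(p.split("/")[-1] == "moment" for p in (data.get("packages") or {}))


def scan_tree(root):
    """List findings: kind 'bundled' (a real file, with version and open CVEs)
    or 'manifest' (only listed in a manifest, not proof of bundling)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in ("package.json", "package-lock.json"):
            if _manifest_mentions_moment(path):
                findings.append({"path": rel, "kind": "manifest", "version": None, "cves": []})
            continue
        if path.suffix != ".js":
            continue
        with path.open("rb") as fh:                       # only the banner is needed
            head = fh.read(512).decode("utf-8", "replace")
        ver = parse_moment_version(head)
        if ver:
            findings.append({"path": rel, "kind": "bundled",
                             "version": ".".join(map(str, ver)),
                             "cves": affected_cves(ver)})
    return findings


def build_demo_tree():
    """Constructed sample tree (not a real package): one vulnerable bundled copy,
    one fixed copy, one lock-file mention with no file behind it, one unrelated script."""
    root = Path(tempfile.mkdtemp(prefix="moment-scan-"))
    files = {
        "static/components/moment/moment.js":
            "//! moment.js\n//! version : 2.29.1\n//! license : MIT\n;(function(){})();\n",
        "vendor/moment.min.js":
            "//! moment.js\n//! version : 2.29.4\n//! license : MIT\n!function(){}();\n",
        "static/app.js": "// plain application code\nconsole.log('hi');\n",
        "tools/cldr-apps/js/package-lock.json": json.dumps({
            "lockfileVersion": 2,
            "packages": {"": {}, "node_modules/moment": {"version": "2.29.1"}}}),
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f['kind']:8} {f['path']}  version={f['version']}  cves={f['cves']}")
```

Run against an unpacked source or binary RPM, a `manifest` line with no matching `bundled` line is exactly the situation described in the Red Hat comment quoted above; only a `bundled` line with open CVEs calls for a patch or rebuild.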
David Walser
2022-07-27 18:42:49 CEST
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30677

Ubuntu has issued an advisory for moment on August 10:
https://ubuntu.com/security/notices/USN-5559-1
David Walser
2022-08-30 23:33:45 CEST
Depends on: (none) => 30789

Nevermind. Read the above more carefully.

Patches related to bugs:
CVE-2022-24785: https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
CVE-2022-31129: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3

CC: (none) => bruno

Papoteur made an update since that BR in August to 6.4.12. I'm not finding any reference to the code impacted in these patches into the code, so I assume it has been fixed. Could someone else confirm?

CC: (none) => yves.brungard_mageia

Debian-LTS has issued an advisory for nodejs-moment on January 31:
https://www.debian.org/lts/security/2023/dla-3295

Jupyter-notebook is already updated. See https://bugs.mageia.org/show_bug.cgi?id=30789

Source RPM: jupyter-notebook-6.3.0-3.mga9.src.rpm => (none)
papoteur
2023-02-02 13:13:35 CET
Summary: jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129 => moment new security issues CVE-2022-24785 and CVE-2022-31129

Hi, I don't think ceph is affected, we don't build high level tools, java is explicitly disabled and I don't find any reference, or bundle moment.js, file in our package. The only occurrence could be in the mgr dashboard python module, that we also explicitly disabled, on purpose.
Cheers,
Chris.
David Walser
2023-02-02 15:30:22 CET
Summary: moment new security issues CVE-2022-24785 and CVE-2022-31129 => jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129
David Walser
2023-02-02 15:34:45 CET
Source RPM: (none) => jupyter-notebook-6.4.12-1.mga8.src.rpm

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Path traversal in moment.locale. (CVE-2022-24785)

Inefficient parsing algorithm resulting in DoS. (CVE-2022-31129)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
https://ubuntu.com/security/notices/USN-5559-1
https://www.debian.org/lts/security/2023/dla-3295
========================

Updated packages in core/updates_testing:
========================
jupyter-notebook-6.4.12-1.1.mga9
python3-jupyter-notebook-6.4.12-1.1.mga9

from SRPM:
jupyter-notebook-6.4.12-1.1.mga9.src.rpm

Assignee: makowski.mageia => qa-bugs

mga9, x64

The PoC trail led nowhere. Reference bug 22780.

```
$ jupyter-notebook --generate-config
Writing default config to: /home/lcl/.jupyter/jupyter_notebook_config.py
$ jupyter-notebook
[I 16:35:00.817 NotebookApp] Writing notebook server cookie secret to /home/lcl/.local/share/jupyter/runtime/notebook_cookie_secret
[I 16:35:01.616 NotebookApp] Serving notebooks from local directory: /run/media/lcl/Toshiba/qa/jupyter-notebook
[I 16:35:01.616 NotebookApp] Jupyter Notebook 6.4.12 is running at:
[I 16:35:01.616 NotebookApp] http://localhost:8888/?token=1dc484af9c62f68a11e77d2252509af9e93126dca69d2d65
```

The application opened in a browser at localhost:8088/

Cut and pasted a ruby script into the page - used the menu to rename it and select ruby as the language and it applied the usual colour coding to the text. Downloaded the script using the menu again.

Having to wait just now for the mirror to sync.

CC: (none) => tarazed25

Updated the two packages and removed the jupyter branch from ~/.local/share/.
```
$ jupyter-notebook --generate-config
Overwrite /home/lcl/.jupyter/jupyter_notebook_config.py with default config? [y/N]y
Writing default config to: /home/lcl/.jupyter/jupyter_notebook_config.py
$ jupyter-notebook
[I 18:09:36.662 NotebookApp] Writing notebook server cookie secret to /home/lcl/.local/share/jupyter/runtime/notebook_cookie_secret
[I 18:09:36.771 NotebookApp] Serving notebooks from local directory: /run/media/lcl/Toshiba/qa/jupyter-notebook
[...]
To access the notebook, open this file in a browser:
    file:///home/lcl/.local/share/jupyter/runtime/nbserver-2421968-open.html
Or copy and paste one of these URLs:
    http://localhost:8888/?token=c79f51f4e12bff77825f773d68d2314ef7083d6cb66221b3
 or http://127.0.0.1:8888/?token=c79f51f4e12bff77825f773d68d2314ef7083d6cb66221b3
```

That opened the notebook in the browser.

Quit from the browser:

```
[I 18:11:58.238 NotebookApp] Shutting down on /api/shutdown request.
[I 18:11:58.239 NotebookApp] Shutting down 0 kernels
[I 18:11:58.239 NotebookApp] Shutting down 0 terminals
```

The file method did not reopen the notebook nor did the URL.

```
$ jupyter-notebook
[I 18:17:03.269 NotebookApp] Serving notebooks from local directory: /run/media/lcl/Toshiba/qa/jupyter-notebook
[I 18:17:03.269 NotebookApp] Jupyter Notebook 6.4.12 is running at:
[I 18:17:03.269 NotebookApp] http://localhost:8888/?token=b1c68ba7e30a4f30147da86531aa628d387d8c1589a21b04
[I 18:17:03.269 NotebookApp]  or http://127.0.0.1:8888/?token=b1c68ba7e30a4f30147da86531aa628d387d8c1589a21b04
[I 18:17:03.269 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 18:17:03.301 NotebookApp]
...
```

Home page displayed in browser.

Created a new page with some code on it then another. All three pages available via tabs. Downloaded one of them and checked that it did arrive. Colour coding working correctly.

Back to the home page where all the pages were indexed and accessible through the index.

So, at the simple level the notebook works fine.

Shut down the server.

```
$ curl -O https://raw.githubusercontent.com/jupyter/notebook/master/docs/source/examples/Notebook/Running%20Code.ipynb
$ jupyter-notebook Running%20Code.ipynb
```

This showed a page with snippets of python code and an additional Run button. Highlighted code snippets and pressed run. Seemed to work.

Collapsed long lists with a click of the mouse.

Giving this the go-ahead for 644-bits.

Whiteboard: (none) => MGA9-64-OK

s/644/64.

!! 644-bits, eh? Wow. I'll have to look for one of those on eBay...

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

Or maybe in AI labs?
katnatek
2024-03-16 02:02:26 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0067.html

Status: ASSIGNED => RESOLVED