(In reply to David Walser from comment #0)
> Fedora has issued an advisory today (July 23):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
> 
> Mageia 8 is also affected.
> 
> The following other packages may also be affected:
> ceph
> cockpit
> couchdb
> ipyparallel
> workrave
> cldr-emoji-annotation
> pgadmin4

Assigning to the registered maintainer of jupyter-notebook, who also maintains ipyparallel

CC'ing:
eatdirt for ceph,
colin for cockpit, in case his loved ones want him to spend some time on Mageia :-)
yochenhsieh (haven't seen you for a long time, either, hope you and Colin are fine!) for cldr-emoji-annotation
joequant for pgadmin4
and all packagers collectively for the rest.

Please clone this report for each package (apart from jupyter-notebook) that is affected and assign it to yourself.

Assignee: bugsquad => makowski.mageia
CC: (none) => eatdirt, joequant, mageia, marja11, pkg-bugs, yochenhsieh

Sorry, could you help explain why cldr-emoji-annotation is affected. Fedora didn't rebuild or patch it after python-notebook is fixed.

Fedora patched python-notebook because it included moment, but cldr-emoji-annotation does not use moment.

(In reply to You-Cheng Hsieh from comment #2)
> Sorry, could you help explain why cldr-emoji-annotation is affected. Fedora
> didn't rebuild or patch it after python-notebook is fixed.
> 
> Fedora patched python-notebook because it included moment, but
> cldr-emoji-annotation does not use moment.

Only python-notebook has been addressed, they haven't gotten to the other ones yet.  Apparently they ran some sort of scanner and found moment bundled in other packages:
https://bugzilla.redhat.com/show_bug.cgi?id=2105075#c17

Thanks David!
This comment confirmed it's a false positive:
https://bugzilla.redhat.com/show_bug.cgi?id=2105075#c8
"The package is considered to include moment because of moment being listed in tools/cldr-apps/js/package-lock.json (in sources).  However, moment does not seem to be included in the srpm and also in any binary rpm, hence this looks like false positive."

And I checked cldr-emoji-annotation of MGA8 does have that json.

Sorry for correction:
cldr-emoji-annotation of MGA8 does not have that json. This package is not affected.

Ubuntu has issued an advisory for moment on August 10:
https://ubuntu.com/security/notices/USN-5559-1

Nevermind. Read the above more carefully.

Patches related to bugs:
CVE-2022-24785: https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
CVE-2022-31129: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3

Status: NEW => ASSIGNED
CC: (none) => bruno

Papoteur made an update since tht BR in august to 6.4.12. I'm not finding any reference to the code impatce in these patches into the code, so I assume it has been fixed.

Could someone else confirm ?

CC: (none) => yves.brungard_mageia

Debian-LTS has issued an advisory for nodejs-moment on January 31:
https://www.debian.org/lts/security/2023/dla-3295

Jupyter-notebook is already updated. See https://bugs.mageia.org/show_bug.cgi?id=30789

Source RPM: jupyter-notebook-6.3.0-3.mga9.src.rpm => (none)

Hi, I don't think ceph is affected, we don't build high level tools, java is explicitly disabled and I don't find any reference, or bundle moment.js, file in our package.
The only occurrence could be in the mgr dashboard python module, that we also explicitly disabled, on purpose.


Cheers,
Chris.