Bug 30664 - jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129
Summary: jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: Philippe Makowski
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on: 30789
Blocks:
Reported: 2022-07-23 17:40 CEST by David Walser
Modified: 2023-02-02 15:34 CET

See Also:
Source RPM: jupyter-notebook-6.4.12-1.mga8.src.rpm
CVE:
Status comment: Patches available from Fedora


Description David Walser 2022-07-23 17:40:17 CEST
Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/

Mageia 8 is also affected.

The following other packages may also be affected:
ceph
cockpit
couchdb
ipyparallel
workrave
cldr-emoji-annotation
pgadmin4
David Walser 2022-07-23 17:40:35 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora

Comment 1 Marja Van Waes 2022-07-24 22:42:22 CEST
(In reply to David Walser from comment #0)
> Fedora has issued an advisory today (July 23):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
> 
> Mageia 8 is also affected.
> 
> The following other packages may also be affected:
> ceph
> cockpit
> couchdb
> ipyparallel
> workrave
> cldr-emoji-annotation
> pgadmin4

Assigning to the registered maintainer of jupyter-notebook, who also maintains ipyparallel

CC'ing:
eatdirt for ceph,
colin for cockpit, in case his loved ones want him to spend some time on Mageia :-)
yochenhsieh (haven't seen you for a long time, either, hope you and Colin are fine!) for cldr-emoji-annotation
joequant for pgadmin4
and all packagers collectively for the rest.

Please clone this report for each package (apart from jupyter-notebook) that is affected and assign it to yourself.

Assignee: bugsquad => makowski.mageia
CC: (none) => eatdirt, joequant, mageia, marja11, pkg-bugs, yochenhsieh

Comment 2 You-Cheng Hsieh 2022-07-25 06:04:35 CEST
Sorry, could you help explain why cldr-emoji-annotation is affected? Fedora didn't rebuild or patch it after python-notebook is fixed.

Fedora patched python-notebook because it included moment, but cldr-emoji-annotation does not use moment.
Comment 3 David Walser 2022-07-25 16:49:55 CEST
(In reply to You-Cheng Hsieh from comment #2)
> Sorry, could you help explain why cldr-emoji-annotation is affected? Fedora
> didn't rebuild or patch it after python-notebook is fixed.
> 
> Fedora patched python-notebook because it included moment, but
> cldr-emoji-annotation does not use moment.

Only python-notebook has been addressed; they haven't gotten to the other ones yet. Apparently they ran some sort of scanner and found moment bundled in other packages:
https://bugzilla.redhat.com/show_bug.cgi?id=2105075#c17
Comment 4 You-Cheng Hsieh 2022-07-26 02:53:10 CEST
Thanks David!
This comment confirmed it's a false positive:
https://bugzilla.redhat.com/show_bug.cgi?id=2105075#c8
"The package is considered to include moment because of moment being listed in tools/cldr-apps/js/package-lock.json (in sources).  However, moment does not seem to be included in the srpm and also in any binary rpm, hence this looks like false positive."

And I checked cldr-emoji-annotation of MGA8 does have that json.
Comment 5 You-Cheng Hsieh 2022-07-26 02:55:13 CEST
Sorry for correction:
cldr-emoji-annotation of MGA8 does not have that json. This package is not affected.
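Comments 3 to 5 describe the two things a bundled-library scanner can confuse: moment named in a package-lock.json (which proves nothing about what is shipped) and an actual copy of moment.js in the tree. The check below is an added example written for this report; it is not code from Mageia, Fedora, Red Hat's scanner or the moment project. It reads a tree, reports lockfile mentions separately from bundled copies (recognised by the `//! version :` banner at the top of moment.js and moment.min.js), and flags bundled copies older than an assumed fixed release. FIXED_VERSION (2.29.4) is an assumption to be confirmed against the upstream commits and changelog; the sample trees and their paths are constructed for the demonstration.

```python
"""Distinguish a lockfile mention of moment from a bundled copy of moment.js,
and flag bundled copies that predate the fixed release.

Added example for this bug report; not code from Mageia, Fedora or the
moment project.  FIXED_VERSION is an assumption, see the comment on it.
"""
import json
import os
import re

# Assumption: moment 2.29.4 is taken here as the first release carrying both
# upstream fixes referenced in this report.  Check the upstream changelog
# before relying on this number.
FIXED_VERSION = (2, 29, 4)

# Lockfiles name moment as a dependency but do not by themselves mean the
# library ends up in any built package.
LOCKFILES = {"package-lock.json", "npm-shrinkwrap.json"}

# moment.js and moment.min.js both start with this banner.
BANNER_RE = re.compile(r"//!\s*moment\.js\s*//!\s*version\s*:\s*(\d+\.\d+\.\d+)")


def parse_version(text):
    """'2.29.1' -> (2, 29, 1), so tuples compare as versions."""
    return tuple(int(part) for part in text.split("."))


def lockfile_moment_versions(text):
    """Versions of moment declared anywhere in an npm lockfile.

    Handles lockfileVersion 1 ("dependencies": {"moment": {...}}) and
    2/3 ("packages": {"node_modules/moment": {...}}), including nested
    copies under another package's node_modules.
    """
    try:
        data = json.loads(text)
    except ValueError:
        return []
    found = []

    def walk(node, key):
        if not isinstance(node, dict):
            return
        if (key == "moment" or key.endswith("/moment")) and isinstance(node.get("version"), str):
            found.append(node["version"])
        for child_key, child in node.items():
            walk(child, child_key)

    walk(data, "")
    return found


def classify(files):
    """files maps relative path -> file text.

    Returns (path, kind, version, needs_update) tuples; kind is
    "lockfile-reference" (what a naive scanner matches on) or "bundled"
    (an actual copy of moment.js).  Only bundled copies can need an update.
    """
    findings = []
    for path in sorted(files):
        text = files[path]
        if os.path.basename(path) in LOCKFILES:
            for version in lockfile_moment_versions(text):
                findings.append((path, "lockfile-reference", version, False))
            continue
        match = BANNER_RE.search(text)
        if match:
            version = match.group(1)
            findings.append((path, "bundled", version, parse_version(version) < FIXED_VERSION))
    return findings


def verdict(findings):
    """Collapse findings into the answer a packager needs for the bug."""
    if any(needs_update for _, _, _, needs_update in findings):
        return "affected"
    if any(kind == "bundled" for _, kind, _, _ in findings):
        return "bundled-but-fixed"
    if findings:
        return "reference-only"  # lockfile mention only: a false positive
    return "not-affected"


def scan_dir(root):
    """Read an unpacked source or binary tree into the dict classify() expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name in LOCKFILES or name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


# Constructed sample trees; the paths are illustrative, not from any package.
LOCKFILE_ONLY_TREE = {
    "tools/cldr-apps/js/package-lock.json": json.dumps(
        {"lockfileVersion": 2, "packages": {"node_modules/moment": {"version": "2.29.1"}}}
    ),
}
BUNDLED_TREE = dict(LOCKFILE_ONLY_TREE)
BUNDLED_TREE["static/components/moment/moment.js"] = (
    "//! moment.js\n//! version : 2.29.1\n//! license : MIT\n;(function () {})();\n"
)
BUNDLED_TREE["vendor/moment.min.js"] = (
    "//! moment.js\n//! version : 2.29.4\n//! license : MIT\n!function(){}();\n"
)

if __name__ == "__main__":
    for name, tree in (("lockfile-only", LOCKFILE_ONLY_TREE), ("bundled", BUNDLED_TREE)):
        for finding in classify(tree):
            print(name, *finding)
        print(name, "->", verdict(classify(tree)))
```

Run it against an unpacked src.rpm with `verdict(classify(scan_dir("path/to/unpacked")))`; a tree whose only hit is a lockfile comes back "reference-only", which is exactly the cldr-emoji-annotation case above, while a shipped moment.js below the assumed fixed version comes back "affected". Built binary RPMs should be scanned too, since a copy can be generated or vendored at build time.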
David Walser 2022-07-27 18:42:49 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=30677

Comment 6 David Walser 2022-08-12 18:37:22 CEST
Ubuntu has issued an advisory for moment on August 10:
https://ubuntu.com/security/notices/USN-5559-1
David Walser 2022-08-30 23:33:45 CEST

Depends on: (none) => 30789

Comment 7 Dave Hodgins 2022-09-08 18:23:26 CEST Comment hidden (obsolete)

CC: (none) => davidwhodgins

Comment 8 Dave Hodgins 2022-09-08 18:31:06 CEST
Nevermind. Read the above more carefully.
Comment 9 Bruno Cornec 2022-11-21 22:44:01 CET
Patches related to bugs:
CVE-2022-24785: https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
CVE-2022-31129: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 10 Bruno Cornec 2022-11-21 22:51:48 CET
Papoteur made an update since that BR in August to 6.4.12. I'm not finding any reference to the code impacted by these patches in the code, so I assume it has been fixed.

Could someone else confirm?

CC: (none) => yves.brungard_mageia

Comment 11 David Walser 2023-02-01 17:43:53 CET
Debian-LTS has issued an advisory for nodejs-moment on January 31:
https://www.debian.org/lts/security/2023/dla-3295
Comment 12 papoteur 2023-02-02 13:12:55 CET
Jupyter-notebook is already updated. See https://bugs.mageia.org/show_bug.cgi?id=30789

Source RPM: jupyter-notebook-6.3.0-3.mga9.src.rpm => (none)

papoteur 2023-02-02 13:13:35 CET

Summary: jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129 => moment new security issues CVE-2022-24785 and CVE-2022-31129

Comment 13 Chris Denice 2023-02-02 13:26:15 CET
Hi, I don't think ceph is affected: we don't build high-level tools, Java is explicitly disabled, and I don't find any reference to, or bundled copy of, the moment.js file in our package.
The only occurrence could be in the mgr dashboard Python module, which we also explicitly disabled, on purpose.


Cheers,
Chris.
David Walser 2023-02-02 15:30:22 CET

Summary: moment new security issues CVE-2022-24785 and CVE-2022-31129 => jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129

David Walser 2023-02-02 15:34:45 CET

Source RPM: (none) => jupyter-notebook-6.4.12-1.mga8.src.rpm
