Fedora has issued an advisory today (July 23):
Mageia 8 is also affected.
The following other packages may also be affected:
Patches available from Fedora
(In reply to David Walser from comment #0)
> Fedora has issued an advisory today (July 23):
> Mageia 8 is also affected.
> The following other packages may also be affected:
Assigning to the registered maintainer of jupyter-notebook, who also maintains ipyparallel
eatdirt for ceph,
colin for cockpit, in case his loved ones want him to spend some time on Mageia :-)
yochenhsieh (haven't seen you for a long time, either, hope you and Colin are fine!) for cldr-emoji-annotation
joequant for pgadmin4
and all packagers collectively for the rest.
Please clone this report for each package (apart from jupyter-notebook) that is affected and assign it to yourself.
eatdirt, joequant, mageia, marja11, pkg-bugs, yochenhsieh
Sorry, could you help explain why cldr-emoji-annotation is affected? Fedora didn't rebuild or patch it after python-notebook was fixed.
Fedora patched python-notebook because it included moment, but cldr-emoji-annotation does not use moment.
(In reply to You-Cheng Hsieh from comment #2)
> Sorry, could you help explain why cldr-emoji-annotation is affected. Fedora
> didn't rebuild or patch it after python-notebook is fixed.
> Fedora patched python-notebook because it included moment, but
> cldr-emoji-annotation does not use moment.
Only python-notebook has been addressed, they haven't gotten to the other ones yet. Apparently they ran some sort of scanner and found moment bundled in other packages:
This comment confirmed it's a false positive:
"The package is considered to include moment because of moment being listed in tools/cldr-apps/js/package-lock.json (in sources). However, moment does not seem to be included in the srpm and also in any binary rpm, hence this looks like false positive."
And I checked cldr-emoji-annotation of MGA8 does have that json.
Sorry for correction:
cldr-emoji-annotation of MGA8 does not have that json. This package is not affected.
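The reasoning in the comments above (a package-lock.json that merely lists moment versus a copy of moment actually present in the srpm or binary rpm) written out as a POSIX shell check. This is an added example, not code from the bug report, from Fedora's scanner, or from any Mageia package. It assumes an already unpacked source or binary tree on disk, that `find` and `grep` are available, and that vendored copies of moment keep upstream's `//! moment.js` file banner (an assumption about upstream's release files); the three sample trees are constructed in the script itself.

```sh
#!/bin/sh
# Added example (not from the bug report): tell a lockfile mention of moment
# apart from a copy of moment that is actually shipped in an unpacked tree.
# Assumes POSIX find/grep; the banner check assumes upstream's "//! moment.js"
# header survives in vendored copies (assumption, not verified here).

# Does any package-lock.json or package.json under $1 list moment?
lockfile_mentions_moment() {
    find "$1" -type f \( -name package-lock.json -o -name package.json \) \
        -exec grep -l '"moment"' {} + 2>/dev/null | grep -q .
}

# Files that really are moment: either named like upstream's build artefacts
# or any .js file carrying moment's release banner (renamed vendored copies).
shipped_moment_files() {
    {
        find "$1" -type f \( -name 'moment.js' -o -name 'moment.min.js' \
            -o -name 'moment-with-locales*.js' \) 2>/dev/null || :
        find "$1" -type f -name '*.js' \
            -exec grep -l '^//! moment\.js' {} + 2>/dev/null || :
    } | sort -u
}

bundles_moment() {
    shipped_moment_files "$1" | grep -q .
}

# Verdict for one tree: a lockfile hit with no shipped file is exactly the
# scanner false positive discussed for cldr-emoji-annotation.
classify_tree() {
    if bundles_moment "$1"; then
        echo "bundled"
    elif lockfile_mentions_moment "$1"; then
        echo "lockfile-only"
    else
        echo "clean"
    fi
}

# Constructed sample trees (not real package contents) so the script runs
# stand-alone; prints the temporary root directory.
make_sample_trees() {
    root=$(mktemp -d)
    # Tree a: lockfile entry only, like the cldr-emoji-annotation case.
    mkdir -p "$root/a/tools/cldr-apps/js"
    printf '{ "dependencies": { "moment": { "version": "2.29.1" } } }\n' \
        > "$root/a/tools/cldr-apps/js/package-lock.json"
    # Tree b: a renamed vendored copy, only recognisable by its banner.
    mkdir -p "$root/b/static/vendor"
    printf '//! moment.js\n//! version : 2.29.1\n;(function(){})();\n' \
        > "$root/b/static/vendor/datelib.min.js"
    # Tree c: nothing related to moment at all.
    mkdir -p "$root/c/src"
    printf 'console.log("hello");\n' > "$root/c/src/app.js"
    echo "$root"
}

# Demo run over the constructed trees.
SAMPLES=$(make_sample_trees)
for t in a b c; do
    printf '%s: %s\n' "$t" "$(classify_tree "$SAMPLES/$t")"
done
rm -rf "$SAMPLES"
```

Run it against the directory produced by `rpm2cpio x.rpm | cpio -id` (or an unpacked source tarball) instead of the constructed trees: only a "bundled" verdict means the package really ships the vulnerable library and needs a rebuild against a fixed moment; "lockfile-only" is the case where the build tooling referenced moment but nothing moment-related reaches the rpm.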
Ubuntu has issued an advisory for moment on August 10:
If mga8 is not affected, how can this bug depend on bug 30789?
Nevermind. Read the above more carefully.
Patches related to bugs:
Papoteur made an update since that BR in August to 6.4.12. I'm not finding any reference to the code impact in these patches into the code, so I assume it has been fixed.
Could someone else confirm?
Debian-LTS has issued an advisory for nodejs-moment on January 31:
Jupyter-notebook is already updated. See https://bugs.mageia.org/show_bug.cgi?id=30789
jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129 =>
moment new security issues CVE-2022-24785 and CVE-2022-31129
Hi, I don't think ceph is affected: we don't build high-level tools, Java is explicitly disabled, and I don't find any reference to moment.js, or a bundled moment.js file, in our package.
The only occurrence could be in the mgr dashboard python module, that we also explicitly disabled, on purpose.
moment new security issues CVE-2022-24785 and CVE-2022-31129 =>
jupyter-notebook new security issues CVE-2022-24785 and CVE-2022-31129