Bug 30789 - jupyter-notebook new security issues CVE-2022-24758 and CVE-2022-29238
Summary: jupyter-notebook new security issues CVE-2022-24758 and CVE-2022-29238
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 30664
Reported: 2022-08-30 23:33 CEST by David Walser
Modified: 2022-09-10 22:28 CEST (History)

See Also:
Source RPM: jupyter-notebook-6.3.0-3.mga9.src.rpm
Status comment:


Description David Walser 2022-08-30 23:33:15 CEST
Ubuntu has issued an advisory today (August 30):

The issues are fixed upstream in 6.4.12.

Mageia 8 is also affected.
David Walser 2022-08-30 23:33:45 CEST

Blocks: (none) => 30664
Status comment: (none) => Fixed upstream in 6.4.12
Whiteboard: (none) => MGA8TOO

Comment 2 papoteur 2022-08-31 09:21:56 CEST
Updated in cauldron

Whiteboard: MGA8TOO => (none)
QA Contact: security => yves.brungard_mageia
Version: Cauldron => 8
CC: (none) => yves.brungard_mageia

Comment 3 papoteur 2022-08-31 13:05:44 CEST
I applied patches:
and https://github.com/jupyter/notebook/commit/a161ffac6bfff2491fe5c4e9f6111256b8b57f08


Comment 4 David Walser 2022-08-31 23:29:08 CEST
Thanks.  Bug 30664 still needs to be addressed (at least for this package).

Status comment: Fixed upstream in 6.4.12 => (none)

Comment 5 papoteur 2022-09-06 08:44:35 CEST
The release 6.4.12 needs to import 2 new python modules in Mageia 8. This is why I had a preference to just patch 6.1.6.
But now, Bug 30664 is not so easy to correct with patch.
Is the import of new modules a valid way?
Comment 6 David Walser 2022-09-06 13:18:56 CEST
As long as the update isn't too disruptive a change for users, yes, it can be.
Comment 7 papoteur 2022-09-07 08:38:33 CEST
Thus I updated to 6.4.12:

Assignee: python => qa-bugs

Comment 8 David Walser 2022-09-07 14:48:25 CEST
Comment 9 Len Lawrence 2022-09-07 20:01:52 CEST
mga8, x64
Checked report for bug 27705.
Installed the release packages and made sure that the notebook server started OK.  Running the command `jupyter-notebook` opened a page in the browser pointing at the user's start directory (under Files).  The Running tab said that no terminals were running and no notebooks.  The server was running in a terminal though.

Updated the four packages.
$ jupyter-notebook
[I 18:13:58.575 NotebookApp] Serving notebooks from local directory: /home/lcl/qa/jupyter-notebook
[I 18:13:58.575 NotebookApp] Jupyter Notebook 6.4.12 is running at:
[I 18:13:58.575 NotebookApp] http://localhost:8888/?token=3a455569767287e5a19731dde452dde89d0ccae45057e07c
[I 18:13:58.575 NotebookApp]  or
[I 18:13:58.575 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 18:13:58.595 NotebookApp] 
    To access the notebook, open this file in a browser:
    Or copy and paste one of these URLs:

This opens the user directory in a browser.
Using the suggested link from above opens the same directory under the Files tab and so does the token URL at localhost:8088.

It is all consistent.
The Youtube tutorial is unintelligible, running at breakneck speed without any subtitles (for the hard of hearing like me) so it is impossible to follow.  The text is illegible as well.

There is an untitled.txt file here with this content:

var cell = Jupyter.notebook.get_selected_cell();
var config = cell.config;
var patch = {

which looks like it is supposed to run within the notebook framework.  There is also Untitled.ipynb which seems to contain the same code with a notebook harness.  Clicking on it opens another browser page displaying the file with runtime diagnostics.  A menu bar appears with various symbols and the directive 'run' and 'code' offering some options.

It is all meaningless without a proper background but looks like it might be working so this can go out.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

David Walser 2022-09-07 20:08:19 CEST

QA Contact: yves.brungard_mageia => security

Comment 10 David Walser 2022-09-07 20:08:58 CEST
Advisory note: this update fixes this bug and Bug 30664 for this package.
Comment 11 Thomas Andrews 2022-09-08 02:34:23 CEST

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-09-08 18:36:53 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2022-09-10 22:28:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
