Bug 31156 - jupyter-core new security issue CVE-2022-39286
Summary: jupyter-core new security issue CVE-2022-39286
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-20 17:54 CET by David Walser
Modified: 2023-02-27 21:28 CET

See Also:
Source RPM: jupyter-core-4.9.2-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-11-20 17:54:50 CET
Debian-LTS has issued an advisory on November 17:
https://www.debian.org/lts/security/2022/dla-3195

The issue is fixed upstream in 4.11.2:
https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp

Mageia 8 is also affected.
David Walser 2022-11-20 17:55:08 CET

Status comment: (none) => Fixed upstream in 4.11.2
Whiteboard: (none) => MGA8TOO

Comment 1 papoteur 2023-02-01 13:04:18 CET
Cauldron updated to 5.2.0
Import of 4.11.2 in Mageia 8 is not easy, because some modules need to be imported (hatchling) or upgraded.

CC: (none) => yves.brungard_mageia

papoteur 2023-02-01 13:15:29 CET

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 David Walser 2023-02-01 18:33:08 CET
Fedora has issued an advisory for this on January 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN/
Comment 3 papoteur 2023-02-06 23:11:22 CET
Update submitted
jupyter-core-4.7.0-1.1.mga8.noarch
python3-jupyter-core-4.7.0-1.1.mga8

Source:
jupyter-core-4.7.0-1.1.mga8.src.rpm

I just applied a part of the patch referenced here:
https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283
The part applied is only the one for jupyter_core/application.py. The other part of the patch is for test purposes, but we don't run the tests, so it is not needed.

Assignee: python => qa-bugs
Status comment: Fixed upstream in 4.11.2 => (none)

Comment 4 Herman Viaene 2023-02-09 16:33:59 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
As far as I understand this, one would need the server to do something useful, but bug 30699 is hanging on an issue with that.
So IMHO even passing this on as a clean install is a futile exercise.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2023-02-22 15:06:14 CET
MGA8-64 MATE on Acer Aspire 5253
Installed the rpms from bug 30699 plus these here and the dependencies.
Started from CLI as in bug 30699
$ jupyter-lab
[I 14:49:50.395 LabApp] Writing notebook server cookie secret to /home/tester8/.local/share/jupyter/runtime/notebook_cookie_secret
[I 14:49:59.624 LabApp] JupyterLab extension loaded from /usr/lib/python3.8/site-packages/jupyterlab
[I 14:49:59.625 LabApp] JupyterLab application directory is /usr/share/jupyter/lab
[I 14:49:59.646 LabApp] Serving notebooks from local directory: /home/tester8/Documents
[I 14:49:59.646 LabApp] Jupyter Notebook 6.4.12 is running at:
[I 14:49:59.646 LabApp] http://localhost:8888/?token=f2f29f11db21bd75be2e8760d9344b85fd4685b08c427018
[I 14:49:59.647 LabApp]  or http://127.0.0.1:8888/?token=f2f29f11db21bd75be2e8760d9344b85fd4685b08c427018
[I 14:49:59.647 LabApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 14:49:59.917 LabApp] 
    
    To access the notebook, open this file in a browser:
        file:///home/tester8/.local/share/jupyter/runtime/nbserver-5156-open.html
    Or copy and paste one of these URLs:
        http://localhost:8888/?token=f2f29f11db21bd75be2e8760d9344b85fd4685b08c427018
     or http://127.0.0.1:8888/?token=f2f29f11db21bd75be2e8760d9344b85fd4685b08c427018

(firefox:5242): Gtk-WARNING **: 14:50:00.249: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory

Jupyterlab opened in Firefox. I created a new text file with some rubbish and saved it in the lab. Checked the existence of the file in the pwd, opened it with pluma, contents are OK. Back in the Jupyterlab site, downloaded the file, checked its existence in ~/Downloads, and the contents are correct.
So, as far as this test goes, it works.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-02-23 23:51:45 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-25 19:49:46 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-02-27 21:28:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0062.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
