Bug 32021 - jupyter-nbconvert new security issue CVE-2021-32862
Summary: jupyter-nbconvert new security issue CVE-2021-32862
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-16 00:13 CEST by David Walser
Modified: 2024-01-12 10:54 CET

See Also:
Source RPM: jupyter-nbconvert-5.6.1-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 6.5.1


Description David Walser 2023-06-16 00:13:35 CEST
Debian-LTS has issued an advisory on June 3:
https://www.debian.org/lts/security/2023/dla-3442

The issue is fixed upstream in 5.6.1 (with regression fixes in 5.6.2 and 5.6.3):
https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq
Comment 1 David Walser 2023-06-16 00:14:33 CEST
Oops, we already have 5.6.1, but are probably missing the regression fixes.

Severity: critical => normal
QA Contact: security => (none)
Component: Security => RPM Packages
Summary: jupyter-nbconvert new security issue CVE-2021-32862 => jupyter-nbconvert regressions fixed upstream in 5.6.3

Comment 2 David GEIGER 2023-06-16 06:28:46 CEST
I didn't find any 5.6.2 or 5.6.3 release!

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-06-16 15:58:11 CEST
That's odd.  From Debian, it looks like it just needs these two commits:
https://github.com/jupyter/nbconvert/commit/c289e0a61660e612920397799169ed2c5ed35516
https://github.com/jupyter/nbconvert/commit/1652aa73b0f4900af97c0f1ac08e9573e00155bd

The releases are here:
https://github.com/jupyter/nbconvert/releases/tag/6.5.2
https://github.com/jupyter/nbconvert/releases/tag/6.5.3

And now I just noticed I went a bit dyslexic here.  We do have a security bug.

Which is fixed upstream in 6.5.1:
https://github.com/jupyter/nbconvert/releases/tag/6.5.1

Summary: jupyter-nbconvert regressions fixed upstream in 5.6.3 => jupyter-nbconvert new security issue CVE-2021-32862
Component: RPM Packages => Security
QA Contact: (none) => security
Status comment: (none) => Fixed upstream in 6.5.1

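The thread above turns on a version check that is easy to get wrong by eye: the shipped SRPM is jupyter-nbconvert-5.6.1-2.mga8, the fix landed in 6.5.1, and the two version strings are digit-transpositions of each other. The following is an added triage helper, not code from the bug report or from the nbconvert project: it splits an RPM source filename into name, version and release, compares the upstream version numerically against the fix version taken from the status comment, and reports whether the package is older than the fix. The 6.5.x "mga9" filenames in the sample input are constructed for illustration, not real Mageia packages.

```python
import re

# Version that upstream says fixes CVE-2021-32862 (from the bug's status comment).
FIXED_VERSION = "6.5.1"

# RPM filenames are NAME-VERSION-RELEASE.src.rpm.  NAME may itself contain
# dashes, but VERSION and RELEASE may not, so split on the last two dashes.
_SRPM_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.src\.rpm$")


def parse_srpm(filename):
    """Split an SRPM filename into (name, version, release)."""
    m = _SRPM_RE.match(filename)
    if not m:
        raise ValueError(f"not an SRPM filename: {filename!r}")
    return m.group("name"), m.group("version"), m.group("release")


def version_key(version):
    """Turn a dotted version into a tuple of ints so it compares numerically.

    String comparison is not enough: "10.0" < "6.5.1" is True as strings,
    which is the wrong answer.  Epochs and tilde pre-release markers are not
    handled here (assumption: plain dotted upstream versions).
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(srpm_filename, fixed=FIXED_VERSION):
    """True if the packaged upstream version is older than the fixed version."""
    _, version, _ = parse_srpm(srpm_filename)
    return version_key(version) < version_key(fixed)


if __name__ == "__main__":
    # Constructed sample input: the SRPM named in the bug header plus two
    # hypothetical 6.5.x packages.
    for srpm in [
        "jupyter-nbconvert-5.6.1-2.mga8.src.rpm",
        "jupyter-nbconvert-6.5.1-1.mga9.src.rpm",
        "jupyter-nbconvert-6.5.3-1.mga9.src.rpm",
    ]:
        print(srpm, "affected" if is_affected(srpm) else "not older than fix")
```

A version-only comparison is a triage hint, not proof: distributions backport security patches without bumping the upstream version, so a package reported as "affected" here still needs its changelog or applied patches checked before filing or closing a bug.
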
Comment 4 Lewis Smith 2023-06-16 20:51:55 CEST
(In reply to David Walser from comment #3)
> And now I just noticed I went a bit dyslexic here
I imagine in saying "5.6.x" in lieu of "6.5.x". Explains comment 2.

(In reply to David Walser from comment #1)
> Oops, we already have 5.6.1, but are probably missing the regression fixes.
Over 3 years old...

David, this is yet another fix you have taken on board. Given that various packagers have done the most recent commits, I would otherwise have assigned this to pkg-bugs. Do that if you feel (justifiably) that you have too much on your plate.

Assignee: bugsquad => geiger.david68210
CC: geiger.david68210 => (none)

Comment 5 Nicolas Salguero 2024-01-12 10:54:45 CET
Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED
