jupyter-notebook - Debian Package Tracker

general

source: jupyter-notebook (main)
version: 6.4.8-2
maintainer: Debian Python Team (DMD)
uploaders: Jerome Benoit [DMD] – Gordon Ball [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.2.3-4
o-o-sec: 4.2.3-4+deb9u2
oldstable: 5.7.8-1
stable: 6.2.0-1
testing: 6.4.8-2
unstable: 6.4.8-2

versioned links

4.2.3-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.2.3-4+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.4.8-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jupyter-notebook (9 bugs: 2, 6, 1, 0)
python-notebook-doc
python3-notebook

action needed

A new upstream version is available: 7.0.0~a5 high

A new upstream version 7.0.0~a5 is available, you should consider packaging it.

Created: 2022-03-13 Last update: 2022-08-19 00:04

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2022-24758: The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
CVE-2022-29238: Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.

Created: 2022-07-04 Last update: 2022-08-01 13:40

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2022-24758: The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
CVE-2022-29238: Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.

Created: 2022-07-04 Last update: 2022-08-01 13:40

lintian reports 2 errors and 8 warnings high

Lintian reports 2 errors and 8 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-01-01 Last update: 2022-07-30 12:14

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2020-09-27 Last update: 2022-08-19 00:10

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 6.4.12-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 375f8998246b79d1ebe75979423e5f6ed1f81f75
Author: Julien Puydt <jpuydt@debian.org>
Date:   Thu Aug 11 11:48:37 2022 +0200

    Add missing build depends

commit da1852f821a10888193b94e3c936f29b41f4003d
Author: Julien Puydt <jpuydt@debian.org>
Date:   Thu Aug 11 11:43:24 2022 +0200

    Add patch to drop dep on google caja

commit 28cf9eea241d82f7ff66afa169fee764e05bae1d
Author: Julien Puydt <jpuydt@debian.org>
Date:   Thu Aug 11 11:37:32 2022 +0200

    Refresh patches

commit 24472d4e52cb879050461a8eb0b3bf9d9a0087f7
Author: Julien Puydt <jpuydt@debian.org>
Date:   Thu Aug 11 11:33:45 2022 +0200

    Package upstream 6.4.12

commit 5c58fa7d603c0d16559ba810e637adf97ec83075
Merge: c7c8c2a 8bf79cd
Author: Julien Puydt <jpuydt@debian.org>
Date:   Thu Aug 11 11:33:03 2022 +0200

    Update upstream source from tag 'upstream/6.4.12'
    
    Update to upstream version '6.4.12'
    with Debian dir 0503dcd3dc31f41f7f185c16b19a305dd3f0147f

commit 8bf79cdb5ef1bc3f29f004b2700f0f79bea3dde9
Author: Julien Puydt <jpuydt@debian.org>
Date:   Thu Aug 11 11:32:47 2022 +0200

    New upstream version 6.4.12

commit c7c8c2a2d54dfe9a7ef69989a1b74bba33af8cf7
Author: Jerome Benoit <calculus@rezozer.net>
Date:   Sun May 8 16:41:11 2022 +0200

    Remove myself from Uploaders

Created: 2022-05-08 Last update: 2022-08-11 12:12

AppStream hints: 1 warning normal

AppStream found metadata issues for packages:

jupyter-notebook: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2021-09-16 Last update: 2021-09-16 14:34

3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:

CVE-2021-32798: (needs triaging) The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.
CVE-2022-24758: (needs triaging) The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
CVE-2022-29238: (needs triaging) Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2022-08-01 13:40

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2022-01-30 06:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).

Created: 2022-05-11 Last update: 2022-05-11 23:25

news

[rss feed]

[2022-05-09] jupyter-notebook 6.4.8-2 MIGRATED to testing (Debian testing watch)
[2022-05-03] Accepted jupyter-notebook 6.4.8-2 (source) into unstable (Julien Puydt)
[2022-01-31] jupyter-notebook 6.4.8-1 MIGRATED to testing (Debian testing watch)
[2022-01-28] Accepted jupyter-notebook 6.4.8-1 (source) into unstable (Gordon Ball)
[2022-01-20] jupyter-notebook 6.4.5-4 MIGRATED to testing (Debian testing watch)
[2022-01-17] Accepted jupyter-notebook 6.4.5-4 (source) into unstable (Gordon Ball)
[2022-01-13] jupyter-notebook 6.4.5-3 MIGRATED to testing (Debian testing watch)
[2022-01-13] jupyter-notebook 6.4.5-3 MIGRATED to testing (Debian testing watch)
[2022-01-10] Accepted jupyter-notebook 6.4.5-3 (source) into unstable (Gordon Ball)
[2021-11-09] jupyter-notebook 6.4.5-2 MIGRATED to testing (Debian testing watch)
[2021-11-06] Accepted jupyter-notebook 6.4.5-2 (source) into unstable (Gordon Ball)
[2021-10-26] jupyter-notebook 6.4.5-1 MIGRATED to testing (Debian testing watch)
[2021-10-22] Accepted jupyter-notebook 6.4.5-1 (source) into unstable (Gordon Ball)
[2021-10-08] Accepted jupyter-notebook 6.4.4-1 (source) into unstable (Gordon Ball)
[2021-09-15] Accepted jupyter-notebook 6.4.3-1 (source) into unstable (Gordon Ball)
[2021-01-20] jupyter-notebook 6.2.0-1 MIGRATED to testing (Debian testing watch)
[2021-01-17] Accepted jupyter-notebook 6.2.0-1 (source) into unstable (Gordon Ball)
[2021-01-16] jupyter-notebook 6.1.6-2 MIGRATED to testing (Debian testing watch)
[2021-01-16] jupyter-notebook 6.1.6-2 MIGRATED to testing (Debian testing watch)
[2021-01-12] Accepted jupyter-notebook 6.1.6-2 (source) into unstable (Gordon Ball)
[2021-01-12] jupyter-notebook 6.1.6-1 MIGRATED to testing (Debian testing watch)
[2020-12-26] Accepted jupyter-notebook 6.1.6-1 (source) into unstable (Gordon Ball)
[2020-12-02] Accepted jupyter-notebook 4.2.3-4+deb9u2 (source all) into oldstable (Chris Lamb)
[2020-11-18] Accepted jupyter-notebook 4.2.3-4+deb9u1 (source all) into oldstable (Abhijith PA)
[2020-11-13] jupyter-notebook 6.1.5-1 MIGRATED to testing (Debian testing watch)
[2020-11-13] jupyter-notebook 6.1.5-1 MIGRATED to testing (Debian testing watch)
[2020-11-07] Accepted jupyter-notebook 6.1.5-1 (source) into unstable (Gordon Ball)
[2020-09-27] jupyter-notebook 6.1.4-1 MIGRATED to testing (Debian testing watch)
[2020-09-24] Accepted jupyter-notebook 6.1.4-1 (source) into unstable (Gordon Ball)
[2020-09-03] jupyter-notebook 6.1.3-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 13
RC: 3
I&N: 9
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (2, 8)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 94)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.4.8-2
2 bugs (1 patch)