Debian Package Tracker - jupyter-notebook

general

source: jupyter-notebook (main)
version: 5.7.8-1
maintainer: Debian Python Modules Team (archive) (DMD)
uploaders: Gordon Ball [DMD] [DM] – Jerome Benoit [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 4.2.3-4
stable: 5.7.8-1
testing: 5.7.8-1
unstable: 5.7.8-1

versioned links

4.2.3-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jupyter-notebook (3 bugs: 0, 3, 0, 0)
python-notebook
python-notebook-doc
python3-notebook (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 6.0.1 high

A new upstream version 6.0.1 is available, you should consider packaging it.

Created: 2019-07-19 Last update: 2019-09-18 14:41

5 security issues in stretch high

There are 5 open security issues in stretch.

4 important issues:

CVE-2018-19352: Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.
CVE-2019-10255: An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.
CVE-2019-9644: An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered.
CVE-2018-19351: Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.

1 issue skipped by the security teams:

CVE-2018-8768: In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

Please fix them.

Created: 2018-03-18 Last update: 2019-07-07 09:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2019-08-28 Last update: 2019-09-18 17:02

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 6.0.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit caf3d4204789f3ce3bcf837905a1a11bc1ad12b5
Author: Gordon Ball <gordon@chronitis.net>
Date:   Wed Aug 21 14:29:35 2019 +0000

    Patch create-react-class bundle for webpack4
    
    The bundled copy of create-react-class was designed for webpack 3,
    whereas debian now has webpack 4. The documentation for version 4
    indicates that the Uglify and Define plugins as used here have been
    deprecated (and are now built-in defaults), so they need to be removed
    from the configuration.

commit d5cbc7ca436ba9443a85dfba76cabf6d267cdc7c
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 14:16:16 2019 +0000

    Debhelper compat 12

commit 91f2708ed604792e32306b08231be62b000ff3e6
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 14:14:32 2019 +0000

    Remove redundant lintian override

commit ca2489846c85ad0f8d1ccaa74726dd4be5cecdc1
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 14:13:44 2019 +0000

    Remove redundant d/copyright section

commit 09894b873982d9042049d226460feadcb0b5e6f8
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 13:49:34 2019 +0000

    Add https_proxy to sphinx invocation

commit 07d717651ed2e78386e0709fc21efe4e827e9ca0
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 12:10:17 2019 +0000

    Version dependency on jupyter-client

commit 5cf8c01482d036c152b8768f9236e73b8b75982f
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 11:50:55 2019 +0000

    Patch out sphinxcontrib_github_alt from sphinx config

commit 7e41cf263568229330aae09a8676d980c031d8aa
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 10:56:22 2019 +0000

    Add react to dependencies, copy of create-react-class

commit c08bf6565c746f00bd6c737738d8a3d0c01d482b
Author: Gordon Ball <gordon@chronitis.net>
Date:   Tue Jul 23 08:57:44 2019 +0000

    Drop maintscripts to use section.d directories instead

commit 87521d5370e753d1fedb24ece5c6606cc490c8f9
Author: Gordon Ball <gordon@chronitis.net>
Date:   Mon Jul 22 14:54:14 2019 +0000

    Drop python 2.7 support

commit 338c1ba592ec4434fac9dab49096f2962c275664
Author: Gordon Ball <gordon@chronitis.net>
Date:   Mon Jul 22 14:40:52 2019 +0000

    New upstream: 6.0.0

commit bb399422e57aafa14f1d1060871497b166ad2da8
Merge: 8a17b98 999e960
Author: Gordon Ball <gordon@chronitis.net>
Date:   Mon Jul 22 14:39:10 2019 +0000

    Update upstream source from tag 'upstream/6.0.0'
    
    Update to upstream version '6.0.0'
    with Debian dir 01fbbc2ba496aab5c9b3d38ef66c2c8b23307887

commit 999e96091512a11fbeb240949357aa17594d4de2
Author: Gordon Ball <gordon@chronitis.net>
Date:   Mon Jul 22 14:38:43 2019 +0000

    New upstream version 6.0.0

commit 8a17b9849f0326add14527a0388ed740b75a9cb6
Author: Ondřej Nový <onovy@debian.org>
Date:   Sat Jul 20 00:26:23 2019 +0200

    Bump Standards-Version to 4.4.0

commit 4712b00e50a873097f61188e9c01c395d7ee102b
Author: Ondřej Nový <onovy@debian.org>
Date:   Sat Jul 20 00:26:22 2019 +0200

    Use debhelper-compat instead of debian/compat

Created: 2019-07-20 Last update: 2019-09-12 15:03

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2019-07-08 20:07

news

[rss feed]

[2019-05-12] jupyter-notebook 5.7.8-1 MIGRATED to testing (Debian testing watch)
[2019-05-06] Accepted jupyter-notebook 5.7.8-1 (source all) into unstable (Gordon Ball)
[2019-04-05] jupyter-notebook 5.7.4-2.1 MIGRATED to testing (Debian testing watch)
[2019-03-30] Accepted jupyter-notebook 5.7.4-2.1 (source) into unstable (Sébastien Villemot)
[2019-03-20] jupyter-notebook 5.7.4-2 MIGRATED to testing (Debian testing watch)
[2019-03-09] Accepted jupyter-notebook 5.7.4-2 (source) into unstable (Andrej Shadura)
[2019-02-24] jupyter-notebook 5.7.4-1 MIGRATED to testing (Debian testing watch)
[2019-02-14] Accepted jupyter-notebook 5.7.4-1 (source all) into unstable (Gordon Ball)
[2018-04-09] jupyter-notebook 5.4.1-1 MIGRATED to testing (Debian testing watch)
[2018-04-03] Accepted jupyter-notebook 5.4.1-1 (source all) into unstable (Gordon Ball)
[2018-03-11] jupyter-notebook 5.4.0-1 MIGRATED to testing (Debian testing watch)
[2018-03-11] jupyter-notebook 5.4.0-1 MIGRATED to testing (Debian testing watch)
[2018-03-05] Accepted jupyter-notebook 5.4.0-1 (source all) into unstable (Gordon Ball)
[2017-12-12] jupyter-notebook 5.2.2-1 MIGRATED to testing (Debian testing watch)
[2017-12-06] Accepted jupyter-notebook 5.2.2-1 (source all) into unstable (Gordon Ball)
[2017-11-29] jupyter-notebook 5.2.1-2 MIGRATED to testing (Debian testing watch)
[2017-11-23] Accepted jupyter-notebook 5.2.1-2 (source all) into unstable (Gordon Ball)
[2017-11-22] jupyter-notebook 5.2.1-1 MIGRATED to testing (Debian testing watch)
[2017-11-16] Accepted jupyter-notebook 5.2.1-1 (source all) into unstable (Gordon Ball)
[2017-11-14] jupyter-notebook 5.1.0-2 MIGRATED to testing (Debian testing watch)
[2017-11-08] Accepted jupyter-notebook 5.1.0-2 (all source) into unstable, unstable (Gordon Ball) (signed by: Ximin Luo)
[2017-11-05] Accepted jupyter-notebook 5.1.0-1 (source) into unstable (Gordon Ball)
[2017-03-31] Accepted jupyter-notebook 4.2.3-4~bpo8+1 (source all) into jessie-backports->backports-policy, jessie-backports (Andreas Tille)
[2017-01-18] jupyter-notebook 4.2.3-4 MIGRATED to testing (Debian testing watch)
[2017-01-07] Accepted jupyter-notebook 4.2.3-4 (source) into unstable (Gordon Ball)
[2016-12-23] jupyter-notebook 4.2.3-3 MIGRATED to testing (Debian testing watch)
[2016-12-12] Accepted jupyter-notebook 4.2.3-3 (source) into unstable (Ximin Luo)
[2016-12-07] Accepted jupyter-notebook 4.2.3-2 (source all) into unstable (Ximin Luo)
[2016-12-05] Accepted jupyter-notebook 4.2.3-1 (source all) into unstable (Gordon Ball) (signed by: "Tobias Hansen")

bugs [bug history graph]

all: 6
RC: 0
I&N: 6
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.7.8-1
2 bugs