jupyter-notebook - Debian Package Tracker

general

source: jupyter-notebook (main)
version: 7.0.0-2
maintainer: Debian Python Team (DMD)
uploaders: Gordon Ball [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 6.2.0-1
oldstable: 6.4.12-2.2
stable: 6.4.13-5
testing: 6.4.13-5
unstable: 7.0.0-2

versioned links

6.2.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.4.12-2.2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.4.13-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.0.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jupyter-notebook (8 bugs: 0, 6, 2, 0)
python-notebook-doc
python3-notebook (1 bugs: 0, 1, 0, 0)

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:01:45
Last run: 2026-04-28T21:10:41.000Z
Previous status: unknown

testing: fail (log)
The tests ran in 0:01:42
Last run: 2026-05-19T23:01:37.000Z
Previous status: unknown

stable: pass (log)
The tests ran in 0:01:19
Last run: 2025-11-09T10:11:57.000Z
Previous status: unknown

Created: 2025-12-10 Last update: 2026-05-21 02:01

A new upstream version is available: 7.6.0a5 high

A new upstream version 7.6.0a5 is available, you should consider packaging it.

Created: 2026-03-26 Last update: 2026-05-20 22:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

Created: 2026-05-17 Last update: 2026-05-17 15:03

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

Created: 2026-05-17 Last update: 2026-05-17 15:03

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

Created: 2026-05-17 Last update: 2026-05-17 15:03

4 security issues in bullseye high

There are 4 open security issues in bullseye.

1 important issue:

CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

3 issues postponed or untriaged:

CVE-2021-32798: (needs triaging) The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.
CVE-2022-24758: (needs triaging) The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
CVE-2022-29238: (needs triaging) Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.

Created: 2026-05-17 Last update: 2026-05-17 15:03

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

Created: 2026-05-17 Last update: 2026-05-17 15:03

lintian reports 1 error and 56 warnings high

Lintian reports 1 error and 56 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-26 Last update: 2026-03-26 11:01

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2020-09-27 Last update: 2026-05-21 02:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2026-04-13 Last update: 2026-05-21 01:18

AppStream hints: 1 warning normal

AppStream found metadata issues for packages:

jupyter-notebook: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2021-09-16 Last update: 2021-09-16 14:34

debian/patches: 6 patches to forward upstream low

Among the 6 debian patches available in version 7.0.0-2 of the package, we noticed the following issues:

6 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-03-26 08:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

testing migrations

excuses:
- Migration status for jupyter-notebook (6.4.13-5 to 7.0.0-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating jupyter-notebook would introduce bugs in testing: #1134290
- Additional info (not blocking):
- ∙ ∙ Updating jupyter-notebook will fix bugs in testing: #1114158, #1134932
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/j/jupyter-notebook.html
- ∙ ∙ Autopkgtest for jupyter-notebook/7.0.0-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Not reproduced on amd64 (not a regression): python-notebook-doc
- ∙ ∙ Not reproduced on arm64 (not a regression): python-notebook-doc
- ∙ ∙ Not reproduced on armhf (not a regression): python-notebook-doc
- ∙ ∙ Not reproduced on i386 (not a regression): python-notebook-doc
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- ∙ ∙ 56 days old (needed 2 days)
- Not considered

news

[rss feed]

[2026-03-25] Accepted jupyter-notebook 7.0.0-2 (source) into unstable (Gordon Ball)
[2026-01-08] Accepted jupyter-notebook 7.0.0-1 (source) into experimental (Gordon Ball)
[2024-11-30] jupyter-notebook 6.4.13-5 MIGRATED to testing (Debian testing watch)
[2024-11-28] Accepted jupyter-notebook 6.4.13-5 (source) into unstable (Julian Gilbey)
[2024-11-22] Accepted jupyter-notebook 6.4.13-4 (source) into unstable (Julian Gilbey)
[2024-11-21] jupyter-notebook 6.4.13-3 MIGRATED to testing (Debian testing watch)
[2024-11-18] Accepted jupyter-notebook 6.4.13-3 (source) into unstable (Michael R. Crusoe)
[2024-09-05] jupyter-notebook 6.4.13-2 MIGRATED to testing (Debian testing watch)
[2024-08-30] Accepted jupyter-notebook 6.4.13-2 (source) into unstable (Diane Trout)
[2024-08-30] Accepted jupyter-notebook 6.4.13-1 (source) into unstable (Diane Trout)
[2023-05-30] jupyter-notebook 6.4.12-2.2 MIGRATED to testing (Debian testing watch)
[2023-05-27] Accepted jupyter-notebook 6.4.12-2.2 (source) into unstable (Andreas Beckmann)
[2022-10-17] jupyter-notebook 6.4.12-2.1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted jupyter-notebook 6.4.12-2.1 (source) into unstable (Michael Biebl)
[2022-10-03] jupyter-notebook 6.4.12-2 MIGRATED to testing (Debian testing watch)
[2022-09-30] Accepted jupyter-notebook 6.4.12-2 (source) into unstable (Gordon Ball)
[2022-09-30] Accepted jupyter-notebook 6.4.12-1 (source) into unstable (Gordon Ball)
[2022-05-09] jupyter-notebook 6.4.8-2 MIGRATED to testing (Debian testing watch)
[2022-05-03] Accepted jupyter-notebook 6.4.8-2 (source) into unstable (Julien Puydt)
[2022-01-31] jupyter-notebook 6.4.8-1 MIGRATED to testing (Debian testing watch)
[2022-01-28] Accepted jupyter-notebook 6.4.8-1 (source) into unstable (Gordon Ball)
[2022-01-20] jupyter-notebook 6.4.5-4 MIGRATED to testing (Debian testing watch)
[2022-01-17] Accepted jupyter-notebook 6.4.5-4 (source) into unstable (Gordon Ball)
[2022-01-13] jupyter-notebook 6.4.5-3 MIGRATED to testing (Debian testing watch)
[2022-01-13] jupyter-notebook 6.4.5-3 MIGRATED to testing (Debian testing watch)
[2022-01-10] Accepted jupyter-notebook 6.4.5-3 (source) into unstable (Gordon Ball)
[2021-11-09] jupyter-notebook 6.4.5-2 MIGRATED to testing (Debian testing watch)
[2021-11-06] Accepted jupyter-notebook 6.4.5-2 (source) into unstable (Gordon Ball)
[2021-10-26] jupyter-notebook 6.4.5-1 MIGRATED to testing (Debian testing watch)
[2021-10-22] Accepted jupyter-notebook 6.4.5-1 (source) into unstable (Gordon Ball)

bugs [bug history graph]

all: 13
RC: 1
I&N: 8
M&W: 4
F&P: 0
patch: 0

links

homepage
lintian (1, 56)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.4.13-5ubuntu0.1
1 bug
patches for 6.4.13-5ubuntu0.1