Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic

Bug #1982670 reported by Luís Infante da Câmara
Affects                    | Status       | Importance | Assigned to
Jupyter Notebook           | Unknown      | Critical   |
jupyter-notebook (Debian)  | Fix Released | Unknown    |
jupyter-notebook (Ubuntu)  | Fix Released | Undecided  | Nishit Majithia

Bug Description

The versions in Bionic, Focal, Jammy and Kinetic may be vulnerable to CVE-2018-19351, CVE-2019-9644, CVE-2019-10255, CVE-2019-10856, CVE-2018-21030, CVE-2020-26215, CVE-2021-32798, CVE-2022-24758 and CVE-2022-29238.

Please release patched packages.

Tags: patch
information type: Public → Public Security
Changed in jupyter-notebook (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

In Ubuntu 18.04 (bionic), jupyter-notebook has a large test suite (with 252 tests that run on both Python 2 and Python 3) that runs at build time and fails the build if it fails.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

This patch does not fix CVE-2021-32798.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "jupyter-notebook_bionic.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

A patched package for Focal is in my PPA, but the tests interrupt very quickly, causing the build to fail: https://launchpad.net/~luis220413/+archive/ubuntu/security-updates/+packages

Is an upgrade to 6.4.12 acceptable for a security update for Jammy, given that the package has an extensive testsuite?

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Today I reported to the upstream project that CVE-2019-10856 is unfixed in the 6.x series.

Changed in jupyter-notebook:
importance: Unknown → Critical
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

I will file a Debian bug tomorrow.

summary: - Multiple vulnerabilities in Bionic, Focal and Jammy
+ Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

The package builds successfully with this patch.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

The Debian bug was filed by another person on July 21.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

In response to comment #4, no, bumping the version isn't acceptable as a security update. Please backport the minimum fixes required to solve the security issues. Thanks!

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

CVE-2019-10856 is unfixed in Kinetic and is pending on a new upstream release including the fix or a security fix by the Debian maintainer. I have filed a bug in the upstream project for this CVE, linked in this bug.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Patched source and binary packages are available in my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates).

Changed in jupyter-notebook (Ubuntu):
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Changed in jupyter-notebook (Ubuntu):
status: In Progress → Fix Committed
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Luis,

could you please provide test results, test plan and instructions?

Changed in jupyter-notebook (Ubuntu):
status: Fix Committed → Incomplete
Changed in jupyter-notebook (Debian):
status: Unknown → Confirmed
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

An extensive test suite is run during the build on Ubuntu 18.04, 20.04 and 22.04, and fails the build if it fails. All tests pass or are skipped in these Ubuntu versions.

Changed in jupyter-notebook (Ubuntu):
status: Incomplete → Fix Committed
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

If anyone wants to test this package, please use a version of libjs-moment patched for CVE-2022-24785, which can be obtained from my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates) and which I expect to be uploaded to the Ubuntu archive soon.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

Please release the package for Jammy after releasing those in bug #1982617.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

Note that CVE-2021-32798 is still unpatched in Bionic and Focal. Can we discuss it in the #ubuntu-motu channel in Libera.Chat?

Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

Please release the packages for Ubuntu Bionic and Focal, even though CVE-2021-32798 is unfixed for those releases.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

This is a partial log, but one that contains full test results, of running autopkgtest locally with an Ubuntu 22.04 amd64 schroot for the sagemath source package with updated packages from my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates).

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

The same run for the metakernel source package fails. It is possible that this is not a regression. I am attaching all result files from this run.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

I have rerun the autopkgtest for the sagemath source package in Ubuntu 22.04. I will attach its logs now.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Nishit Majithia (0xnishit) wrote :

Hi Luis, I will be checking the debdiffs and will start working on sponsoring this.
Thanks

Changed in jupyter-notebook (Ubuntu):
assignee: nobody → Nishit Majithia (0xnishit)
Revision history for this message
Nishit Majithia (0xnishit) wrote :

> Please release the packages for Ubuntu Bionic and Focal, even though CVE-2021-32798 is unfixed
> for those releases.

Hi Luis,

Since CVE-2021-32798 is unfixed in focal and bionic, can you please upload new debdiffs for these two releases without mentioning this CVE in the changelog, since we don't usually mention anything in the changelog which is **not fixed**.

Thanks

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Could the USN for this update mention that CVE-2021-32798 is unfixed, given its severity?

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

USNs only mention fixed CVEs; if CVE-2021-32798 is not mentioned there, consider it unfixed.
Mentioning it would be more confusing than helpful.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jupyter-notebook - 6.4.8-1ubuntu0.1

---------------
jupyter-notebook (6.4.8-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Crafted link to login page redirects to malicious site
    (LP: #1982670)
    - debian/patches/CVE-2019-10856.patch: Handle empty netloc being
      interpreted as first path part being the netloc by buggy browsers.
    - CVE-2019-10856
  * SECURITY UPDATE: Sensitive information disclosure leading to unauthorized
    access (LP: #1982670)
    - debian/patches/CVE-2022-24758.patch: Log only a non-sensitive subset of
      the headers when a HTTP 5xx error other than HTTP 502 is triggered.
    - CVE-2022-24758
  * SECURITY UPDATE: Access to hidden files or to files in hidden directories
    (LP: #1982670)
    - debian/patches/CVE-2022-29238-1.patch: Add checks for hidden file or path on
      file get.
    - debian/patches/CVE-2022-29238-2.patch: added hidden checks on
      FileContentsManager and accompanying tests.
    - debian/patches/CVE-2022-29238-3.patch: Added hidden checks on
      notebook/services/contents/handlers.py and accompanying tests.
    - debian/patches/CVE-2022-29238-4.patch: Update log message to mention
      hidden directories.
    - debian/patches/CVE-2022-29238-5.patch: Update error messages to not
      mention hidden files.
    - CVE-2022-29238
  * debian/source/lintian-overrides: Update to fix Lintian warnings.

 -- Luís Infante da Câmara <email address hidden> Fri, 29 Jul 2022 21:35:10 +0100

Changed in jupyter-notebook (Ubuntu):
status: Fix Committed → Fix Released
Changed in jupyter-notebook (Debian):
status: Confirmed → Fix Released