[07:44] The upstream package statuses do not seem to meet the format (`_: ()`), what should these statuses be set to?
[07:44] https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-33503
[07:44] https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-0085
[07:44] https://git.launchpad.net/ubuntu-cve-tracker/tree/retired/CVE-2021-28363
[07:44] An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
[07:44] Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.
[07:44] The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContex...
[19:49] Please release the fix for jupyter-notebook in bug 1982670, even though CVE-2021-32798 is unfixed (it requires at least 5 new packages in Bionic and 3 in Focal, and one of the packages has no tests and I had to lower the versions of 4 dependencies in Bionic).
[19:49] Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670
[19:49] The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t...
[19:50] However, the fix for bug 1982617 should be released first.
[19:50] Bug 1982617 in node-moment (Ubuntu Jammy) "Versions in Bionic, Focal and Jammy are vulnerable to CVE-2022-24785 and CVE-2022-31129" [Undecided, Confirmed] https://launchpad.net/bugs/1982617