luis220413 | Is anyone here? | 13:10 |
---|---|---|
luis220413 | Can a member of the Ubuntu Security Team sponsor some of my updates? | 13:14 |
amurray | hey luis220413 - I was just about to go eod when I saw this - so I haven't looked in detail but my last recollection is that we are still waiting on test results from you for a bunch of your updates | 13:15 |
amurray | they fail for us so we are not happy to release them in that state - so without further info I don't think we can proceed at this time - for the others, I think folks are looking at those but you would have to ping those who have already responded on LP for more info | 13:15 |
amurray | anyway, it's 10:46pm for me on friday night so I'm heading out but will take a look at scrollback on Monday morning if you are able to provide more details in the meantime - have a great friday/weekend :) | 13:17 |
luis220413 | amurray: The update in bug 1982670 is ready, even though a difficult-to-fix CVE is unfixed. https://bugs.launchpad.net/ubuntu/+source/jupyter-notebook/+bug/1982670/comments/16 | 13:17 |
ubottu | Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670 | 13:17 |
luis220413 | The link is to a comment explaining my testing. | 13:17 |
luis220413 | For bug 1986627 I will perform testing now. | 13:18 |
ubottu | Bug 1986627 in varnish (Ubuntu) "Incomplete fix for CVE-2020-11653" [Undecided, New] https://launchpad.net/bugs/1986627 | 13:18 |
amurray | ok - thanks - build tests are good but better would be some integration level tests - we have had cases in the past where a package builds fine and its unit tests all pass but then it breaks some other package which depends on it | 13:19 |
amurray | so any chance you could test some of the reverse-depends for jupyter-notebook to give some more confidence that this won't cause a regression for some package that depends on it? thanks | 13:20 |
* amurray zzzz... | 13:20 |
luis220413 | The reverse dependencies in Ubuntu 18.04 are built from 3 source packages: jupyter-notebook itself, ipywidgets and sagemath. I am running autopkgtest locally with a schroot for Ubuntu 18.04 amd64 on these source packages. | 13:54 |
luis220413 | The runs for ipywidgets and sagemath result in PASS and SKIP (package does not have tests), respectively. | 13:55 |
luis220413 | I will return in 45 minutes but remain online. | 13:57 |
luis220413 | List of my security bugs with patches: https://bugs.launchpad.net/%7Eluis220413/+bugs?field.searchtext=&orderby=-importance&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.information_type%3Alist=PUBLICSECURITY&assignee_option=any&field.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=&field.tags_combinator=ANY&field.status_upstream-empty-marker=1&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_patch=on&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on&search=Search | 14:04 |
luis220413 | I will return in 45 minutes but remain online. | 14:08 |
luis220413 | I am back. | 15:24 |
luis220413_ | Please set the status of CVE-2022-38150 for bionic, focal, jammy and trusty as not vulnerable, because only versions >= 7.0.0 are affected, according to the upstream advisory: https://varnish-cache.org/security/VSV00009.html#vsv00009 | 15:59 |
ubottu | In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38150> | 15:59 |
luis220413_ | And set the status for devel to "pending (7.1.1-1)". There is a build failure on ppc64el due to a new warning that is turned into an error, discussed in bug 1971504. My solution is to disable -Werror. | 16:00 |
ubottu | Bug 1971504 in varnish (Ubuntu Focal) "Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic" [Medium, In Progress] https://launchpad.net/bugs/1971504 | 16:00 |
luis220413_ | The build does not fail on Debian: https://buildd.debian.org/status/package.php?p=varnish | 16:03 |
=== luis220413_ is now known as luis220413 | |
luis220413 | Is anyone from the Ubuntu Security Team here? | 16:04 |
ebarretto | we don't usually use pending status for non-kernel packages | 16:16 |
mdeslaur | ebarretto: we do for the dev release | 16:18 |
mdeslaur | luis220413: ok, CVE-2022-38150 updated, thanks | 16:20 |
ubottu | In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38150> | 16:20 |
luis220413 | The local autopkgtest run on Ubuntu 18.04 for jupyter-notebook succeeded. (bug 1982670) | 18:04 |
ubottu | Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670 | 18:05 |
luis220413 | Please mark CVE-2022-38150 as not affecting trusty/esm and CVE-2021-32798 as not affecting jammy. | 18:05 |
ubottu | In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38150> | 18:05 |
ubottu | The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798> | 18:05 |
luis220413 | I mean: Please set the status of CVE-2022-38150 for trusty/esm and CVE-2021-32798 for jammy as "not affected (6.4.8-2)". | 18:07 |
ubottu | In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38150> | 18:07 |
ubottu | The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798> | 18:07 |
luis220413 | *not-affected | 18:07 |
luis220413 | I mean: Please set the status of CVE-2022-38150 for trusty/esm to not-affected (code not present) and of CVE-2021-32798 for jammy to not-affected (6.4.8-2). | 18:07 |
luis220413 | I will leave now. I would like you to sponsor my update in bug 1982670 after I perform integration testing for Ubuntu 20.04 and 22.04. | 18:11 |
ubottu | Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670 | 18:11 |