[13:10] Is anyone here?
[13:14] Can a member of the Ubuntu Security Team sponsor some of my updates?
[13:15] hey luis220413 - I was just about to go eod when I saw this - so I haven't looked in detail but my last recollection is that we are still waiting on test results from you for a bunch of your updates
[13:15] they fail for us so we are not happy to release them in that state - so without further info I don't think we can proceed at this time - for the others, I think folks are looking at those but you would have to ping those who have already responded on LP for more info
[13:17] anyway, it's 10:46pm for me on friday night so I'm heading out but will take a look at scrollback on Monday morning if you are able to provide more details in the meantime - have a great friday/weekend :)
[13:17] amurray: The update in bug 1982670 is ready, even though a difficult-to-fix CVE is unfixed. https://bugs.launchpad.net/ubuntu/+source/jupyter-notebook/+bug/1982670/comments/16
[13:17] Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670
[13:17] The link is to a comment explaining my testing.
[13:18] For bug 1986627 I will perform testing now.
[13:18] Bug 1986627 in varnish (Ubuntu) "Incomplete fix for CVE-2020-11653" [Undecided, New] https://launchpad.net/bugs/1986627
[13:19] ok - thanks - build tests are good but better would be some integration level tests - we have had cases in the past where a package builds fine and its unit tests all pass but then it breaks some other package which depends on it
[13:20] so any chance you could test some of the reverse-depends for jupyter-notebook to give some more confidence that this won't cause a regression for some package that depends on it? thanks
[13:20] * amurray zzzz...
[13:54] The reverse dependencies in Ubuntu 18.04 are built from 3 source packages: jupyter-notebook itself, ipywidgets and sagemath. I am running autopkgtest locally with a schroot for Ubuntu 18.04 amd64 on these source packages.
[13:55] The runs for ipywidgets and sagemath result in PASS and SKIP (package does not have tests), respectively.
[13:57] I will return in 45 minutes but remain online.
[14:04] List of my security bugs with patches: https://bugs.launchpad.net/%7Eluis220413/+bugs?field.searchtext=&orderby=-importance&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.information_type%3Alist=PUBLICSECURITY&assignee_opti
[14:04] on=any&field.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=&field.tags_combinator=ANY&field.status_upstream-empty-marker=1&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_patch=on&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has
[14:04] _blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on&search=Search
[14:08] I will return in 45 minutes but remain online.
[15:24] I am back.
[15:59] Please set the status of CVE-2022-38150 for bionic, focal, jammy and trusty as not vulnerable, because only versions >= 7.0.0 are affected, according to the upstream advisory: https://varnish-cache.org/security/VSV00009.html#vsv00009
[15:59] In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
[16:00] And set the status for devel to "pending (7.1.1-1)". There is a build failure on ppc64el due to a new warning that is turned into an error, discussed in bug 1971504. My solution is to disable -Werror.
[16:00] Bug 1971504 in varnish (Ubuntu Focal) "Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic" [Medium, In Progress] https://launchpad.net/bugs/1971504
[16:03] The build does not fail on Debian: https://buildd.debian.org/status/package.php?p=varnish
=== luis220413_ is now known as luis220413
[16:04] Is anyone from the Ubuntu Security Team here?
[16:16] we don't usually use pending status for non-kernel packages
[16:18] ebarretto: we do for the dev release
[16:20] luis220413: ok, CVE-2022-38150 updated, thanks
[16:20] In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
[18:04] The local autopkgtest run on Ubuntu 18.04 for jupyter-notebook succeeded. (bug 1982670)
[18:05] Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670
[18:05] Please mark CVE-2022-38150 as not affecting trusty/esm and CVE-2021-32798 as not affecting jammy.
[18:05] In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
[18:05] The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t...
[18:07] I mean: Please set the status of CVE-2022-38150 for trusty/esm and CVE-2021-32798 for jammy as "not affected (6.4.8-2)".
[18:07] In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
[18:07] The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t...
[18:07] *not-affected
[18:07] I mean: Please set the status of CVE-2022-38150 for trusty/esm to not-affected (code not present) and of CVE-2021-32798 for jammy to not-affected (6.4.8-2).
[18:11] I will leave now. I would like you to sponsor my update in bug 1982670 after I perform integration testing for Ubuntu 20.04 and 22.04.
[18:11] Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670