<html>

    <head>

      <base href="https://bugzilla.rosalinux.ru/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Platform</th>

          <td>2021.1

          </td>

        </tr>

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_CONFIRMED "

   title="CONFIRMED - [CVE 21] ipython 7.34.0 CVEs found"

   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13543">13543</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>[CVE 21] ipython 7.34.0  CVEs found

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>ROSA-based products

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>ROSA Fresh

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>URL</th>

          <td>CVE-2023-24816,

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>CONFIRMED

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>System (kernel, glibc, systemd, bash, PAM...)

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>QA Contact</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>e.kosachev&#64;rosalinux.ru, s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Target Milestone</th>

          <td>---

          </td>

        </tr>

        <tr>

          <th>Flags</th>

          <td>secteam_verified?

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Please patch CVEs for package ipython version 7.34.0

INFO (CVEs are): ipython 7.34.0

 cves found

CVE-2023-24816

Desc: IPython (Interactive Python) is a command shell for interactive computing

in multiple programming languages, originally developed for the Python

programming language. Versions prior to 8.1.0 are subject to a command

injection vulnerability with very specific prerequisites. This vulnerability

requires that the function `IPython.utils.terminal.set_term_title` be called on

Windows in a Python environment where ctypes is not available. The dependency

on `ctypes` in `IPython.utils._process_win32` prevents the vulnerable code from

ever being reached in the ipython binary. However, as a library that could be

used by another tool `set_term_title` could be called and hence introduce a

vulnerability. Should an attacker get untrusted input to an instance of this

function they would be able to inject shell commands as current process and

limited to the scope of the current process. Users of ipython as a library are

advised to upgrade. Users unable to upgrade should ensure that any calls to the

`IPython.utils.terminal.set_term_title` function are done with trusted or

filtered input.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-24816">https://nvd.nist.gov/vuln/detail/CVE-2023-24816</a>

Severity: HIGH</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the QA Contact for the bug.</li>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>