- Package:
- src:jupyter-server
- Source:
- src:jupyter-server
- Submitter:
- Date:
- 2026-06-28 23:49:08 UTC
- Severity:
- normal
- Tags:
Dear maintainer, According to https://ci.debian.net data, your package jupyter-server has an autopkgtest regression with pytest. The following architectures failed: amd64, arm64, i386, loong64, ppc64el, riscv64, s390x. Hopefully relevant excerpt from https://ci.debian.net/packages/j/jupyter-server/testing/amd64/72542051/ follows: 105s ==================================== ERRORS ==================================== 105s ________________ ERROR collecting tests/auth/test_authorizer.py ________________ 105s ERROR tests/auth/test_authorizer.py - Failed: tests/auth/test_authorizer.py::... 106s pytest FAIL non-zero exit status 2 106s pytest FAIL non-zero exit status 2
Source: jupyter-server
Source-Version: 2.20.0-1
This already seems to be fixed in the version in unstable. (Some tests
might still be flaky, but this particular pytest incompatibility has
been fixed as far as I can tell.)
jupyter-server (2.20.0-1) unstable; urgency=medium
* Team upload.
* New upstream release (closes: #1136022):
- CVE-2025-61669: Open redirection vulnerability in `next` query
parameter.
- CVE-2026-35397: Path traversal via jupyter-server REST API allows
access to a subset of directories sibling to the `root_dir`.
- CVE-2026-40110: CORS Origin validation bypass via `re.match()` in
`allow_origin_pat`.
- CVE-2026-40934: Authentication cookies remain valid after password
reset and server restart.
* Skip failing restart_kernel test on all architectures.
* Standards-Version: 4.7.4.