Debian Bug report logs -
#917409
jupyter-notebook: CVE-2018-19351
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 27 Dec 2018 13:33:04 UTC
Severity: important
Tags: patch, security, upstream
Found in version jupyter-notebook/5.4.1-1
Fixed in version jupyter-notebook/5.7.4-1
Done: Tobias Hansen <thansen@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
:
Bug#917409
; Package src:jupyter-notebook
.
(Thu, 27 Dec 2018 13:33:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
.
(Thu, 27 Dec 2018 13:33:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: jupyter-notebook
Version: 5.4.1-1
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for jupyter-notebook.
CVE-2018-193521[0]:
No description was found (try on a search engine)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-193521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-193521
[1] https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
:
Bug#917409
; Package src:jupyter-notebook
.
(Thu, 27 Dec 2018 13:39:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
.
(Thu, 27 Dec 2018 13:39:02 GMT) (full text, mbox, link).
Message #10 received at 917409@bugs.debian.org (full text, mbox, reply):
Hi,
Sorry I misstyped the CVE for the report:
Here the correct information:
CVE-2018-19351[0]:
| Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook
| because nbconvert responses are considered to have the same origin as
| the notebook server. In other words, nbconvert endpoints can execute
| JavaScript with access to the server API. In
| notebook/nbconvert/handlers.py, NbconvertFileHandler and
| NbconvertPostHandler do not set a Content Security Policy to prevent
| this.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-19351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19351
[1] https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
Regards,
Salvatore
Marked as fixed in versions jupyter-notebook/5.7.4-1.
Request was from Gordon Ball <gordon@chronitis.net>
to control@bugs.debian.org
.
(Mon, 18 Feb 2019 15:54:04 GMT) (full text, mbox, link).
Reply sent
to Tobias Hansen <thansen@debian.org>
:
You have taken responsibility.
(Fri, 08 Mar 2019 15:12:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Fri, 08 Mar 2019 15:12:06 GMT) (full text, mbox, link).
Message #17 received at 917409-done@bugs.debian.org (full text, mbox, reply):
This was fixed by updating to jupyter-notebook 5.7.4.
Best,
Tobias
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Fri, 03 May 2019 07:25:24 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:07:29 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.