ipython: CVE-2015-4707: XSS in JSON error responses

Related Vulnerabilities: CVE-2015-4707   CVE-2015-6938  

Debian Bug report logs - #789824


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 24 Jun 2015 20:33:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version ipython/2.1.0-1

Fixed in version ipython/2.4.1-1

Done: Julian Taylor <jtaylor.debian@googlemail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#789824; Package src:ipython. (Wed, 24 Jun 2015 20:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 24 Jun 2015 20:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ipython: CVE-2015-4707: XSS in JSON error responses
Date: Wed, 24 Jun 2015 22:29:20 +0200
Source: ipython
Version: 2.1.0-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for ipython.

CVE-2015-4707[0]:
IPython XSS in JSON error responses -- /api/notebooks path

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-4707
[1] http://www.openwall.com/lists/oss-security/2015/06/22/4
[2] http://www.openwall.com/lists/oss-security/2015/06/22/7

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#789824; Package src:ipython. (Tue, 14 Jul 2015 22:12:10 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 14 Jul 2015 22:12:10 GMT)


Message #10 received at 789824@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 789824@bugs.debian.org, piotr@debian.org, jtaylor.debian@googlemail.com
Cc: team@security.debian.org
Subject: Re: ipython: CVE-2015-4707: XSS in JSON error responses
Date: Wed, 15 Jul 2015 00:08:36 +0200
On Wed, Jun 24, 2015 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: ipython
> Version: 2.1.0-1
> Severity: important
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for ipython.
> 
> CVE-2015-4707[0]:
> IPython XSS in JSON error responses -- /api/notebooks path
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-4707
> [1] http://www.openwall.com/lists/oss-security/2015/06/22/4
> [2] http://www.openwall.com/lists/oss-security/2015/06/22/7

There's an additional vulnerability (currently without a CVE ID):
http://www.openwall.com/lists/oss-security/2015/07/12/4

Patches:
https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 (2.x)
https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 (3.x)

Both of these vulnerabilities don't warrant a DSA, but it would still
be good if you would fix them through a point update:
https://www.debian.org/doc/manuals/developers-reference/ch05.de.html#upload-stable

Cheers,
        Moritz



Reply sent to Julian Taylor <jtaylor.debian@googlemail.com>:
You have taken responsibility. (Thu, 07 Jan 2016 22:21:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 07 Jan 2016 22:21:25 GMT)


Message #15 received at 789824-close@bugs.debian.org:

From: Julian Taylor <jtaylor.debian@googlemail.com>
To: 789824-close@bugs.debian.org
Subject: Bug#789824: fixed in ipython 2.4.1-1
Date: Thu, 07 Jan 2016 22:19:32 +0000
Source: ipython
Source-Version: 2.4.1-1

We believe that the bug you reported is fixed in the latest version of
ipython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 789824@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Taylor <jtaylor.debian@googlemail.com> (supplier of updated ipython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 06 Jan 2016 15:47:58 +0100
Source: ipython
Binary: ipython ipython3 ipython-qtconsole ipython3-qtconsole ipython-notebook-common ipython-notebook ipython3-notebook ipython-doc
Architecture: source all
Version: 2.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Julian Taylor <jtaylor.debian@googlemail.com>
Description:
 ipython    - enhanced interactive Python shell
 ipython-doc - enhanced interactive Python shell - Documentation
 ipython-notebook - interactive Python html notebook
 ipython-notebook-common - interactive Python html notebook data package
 ipython-qtconsole - enhanced interactive Python shell - Qt console
 ipython3   - enhanced interactive Python 3 shell
 ipython3-notebook - interactive Python 3 html notebook
 ipython3-qtconsole - enhanced interactive Python 3 shell - Qt console
Closes: 789824 798886 803082
Changes:
 ipython (2.4.1-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #803082)
   * add backported patches to support python3.5
   * fix CVE-2015-6938: XSS vulnerability (Closes: #798886)
   * fix CVE-2015-4707: XSS in JSON error responses (Closes: #789824)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 Feb 2016 07:27:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:09:33 2019; Machine Name: buxtehude
