Debian Bug report logs - #789824
ipython: CVE-2015-4707: XSS in JSON error responses
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 24 Jun 2015 20:33:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version ipython/2.1.0-1
Fixed in version ipython/2.4.1-1
Done: Julian Taylor <jtaylor.debian@googlemail.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#789824; Package src:ipython. (Wed, 24 Jun 2015 20:33:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 24 Jun 2015 20:33:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: ipython
Version: 2.1.0-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for ipython.
CVE-2015-4707[0]:
IPython XSS in JSON error responses -- /api/notebooks path
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-4707
[1] http://www.openwall.com/lists/oss-security/2015/06/22/4
[2] http://www.openwall.com/lists/oss-security/2015/06/22/7
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#789824; Package src:ipython. (Tue, 14 Jul 2015 22:12:10 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 14 Jul 2015 22:12:10 GMT)
Message #10 received at 789824@bugs.debian.org:
On Wed, Jun 24, 2015 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: ipython
> Version: 2.1.0-1
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for ipython.
>
> CVE-2015-4707[0]:
> IPython XSS in JSON error responses -- /api/notebooks path
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-4707
> [1] http://www.openwall.com/lists/oss-security/2015/06/22/4
> [2] http://www.openwall.com/lists/oss-security/2015/06/22/7
There's an additional vulnerability (currently without a CVE ID):
http://www.openwall.com/lists/oss-security/2015/07/12/4
Patches:
https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 (2.x)
https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 (3.x)
Both of these vulnerabilities don't warrant a DSA, but it would still
be good if you would fix them through a point update:
https://www.debian.org/doc/manuals/developers-reference/ch05.de.html#upload-stable
Cheers,
Moritz
Reply sent to Julian Taylor <jtaylor.debian@googlemail.com>: You have taken responsibility. (Thu, 07 Jan 2016 22:21:24 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 07 Jan 2016 22:21:25 GMT)
Message #15 received at 789824-close@bugs.debian.org:
Source: ipython
Source-Version: 2.4.1-1
We believe that the bug you reported is fixed in the latest version of
ipython, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 789824@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julian Taylor <jtaylor.debian@googlemail.com> (supplier of updated ipython package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 06 Jan 2016 15:47:58 +0100
Source: ipython
Binary: ipython ipython3 ipython-qtconsole ipython3-qtconsole ipython-notebook-common ipython-notebook ipython3-notebook ipython-doc
Architecture: source all
Version: 2.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Julian Taylor <jtaylor.debian@googlemail.com>
Description:
ipython - enhanced interactive Python shell
ipython-doc - enhanced interactive Python shell - Documentation
ipython-notebook - interactive Python html notebook
ipython-notebook-common - interactive Python html notebook data package
ipython-qtconsole - enhanced interactive Python shell - Qt console
ipython3 - enhanced interactive Python 3 shell
ipython3-notebook - interactive Python 3 html notebook
ipython3-qtconsole - enhanced interactive Python 3 shell - Qt console
Closes: 789824 798886 803082
Changes:
ipython (2.4.1-1) unstable; urgency=medium
.
* New upstream release (Closes: #803082)
* add backported patches to support python3.5
* fix CVE-2015-6938: XSS vulnerability (Closes: #798886)
* fix CVE-2015-4707: XSS in JSON error responses (Closes: #789824)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 Feb 2016 07:27:13 GMT)
Last modified: Wed Jun 19 15:09:33 2019; Machine Name: buxtehude