Related vulnerabilities: CVE-2019-9644, CVE-2019-10255

Debian Bug report logs - #924515
jupyter-notebook: CVE-2019-9644


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 13 Mar 2019 20:45:01 UTC

Severity: important

Tags: security, upstream

Found in version jupyter-notebook/5.7.4-2

Fixed in version jupyter-notebook/5.7.8-1

Done: Gordon Ball <gordon@chronitis.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#924515; Package src:jupyter-notebook. (Wed, 13 Mar 2019 20:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 13 Mar 2019 20:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jupyter-notebook: CVE-2019-9644
Date: Wed, 13 Mar 2019 21:42:08 +0100
Source: jupyter-notebook
Version: 5.7.4-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for jupyter-notebook.

CVE-2019-9644[0]:
| An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before
| 5.7.6 allows inclusion of resources on malicious pages when visited by
| users who are authenticated with a Jupyter server. Access to the
| content of resources has been demonstrated with Internet Explorer
| through capturing of error messages, though not reproduced with other
| browsers. This occurs because Internet Explorer's error messages can
| include the content of any invalid JavaScript that was encountered.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9644
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9644
[1] https://github.com/jupyter/notebook/compare/f3f00df...05aa4b2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

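The mechanism in the CVE text above is a classic cross-site inclusion: a page on an attacker's origin embeds an authenticated Jupyter API URL with `<script src=...>`, the victim's browser attaches the Jupyter session cookie, and (in Internet Explorer) the parse error raised by the non-JavaScript response leaks the response body. The block below is an added example, not Jupyter Notebook's own handler code and not a transcription of the upstream change linked at [1]; it models two generic server-side defences against this class of bug in plain Python: sending `X-Content-Type-Options: nosniff` with a non-script `Content-Type`, and refusing cookie-authenticated API GETs that carry neither a matching XSRF token header nor a same-host Referer. The `Request` class, `xssi_gate`, the `session`/`_xsrf` cookie names, the host `localhost:8888` and the sample requests are all this example's assumptions; the requests are constructed to resemble what a browser would send, not captured traffic.

```python
"""
Added example (not the notebook project's code): a model of server-side
checks that stop cross-site inclusion of an authenticated API response.
All names, cookie names and sample requests below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def same_host(url: str, host: str) -> bool:
    """True when the URL's authority (host[:port]) equals the server host."""
    if not url:
        return False
    return urlsplit(url).netloc.lower() == host.lower()


def xssi_gate(req: Request, server_host: str) -> Tuple[int, Dict[str, str]]:
    """Decide whether a GET to an API endpoint may be served.

    Returns (status, response_headers). Two independent defences:
      1. Every response carries X-Content-Type-Options: nosniff and a
         non-script Content-Type, so a browser honouring nosniff refuses
         to execute the body as a <script> before any parse error exists.
      2. A GET that arrives with a session cookie must prove it came from
         our own origin: either an X-XSRFToken header equal to the _xsrf
         cookie (what the front-end itself sends) or a same-host Referer.
         A <script src> include from another site carries the cookie but
         neither of those signals (scripts cannot forge Referer), so it
         is rejected with 403. No signal at all also fails closed.
    """
    response_headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/json",
    }
    if req.method.upper() != "GET":
        return 405, response_headers  # this model only covers GETs
    if "session" not in req.cookies:
        return 401, response_headers  # not authenticated: nothing to leak
    xsrf_cookie = req.cookies.get("_xsrf", "")
    if xsrf_cookie and req.header("X-XSRFToken") == xsrf_cookie:
        return 200, response_headers
    if same_host(req.header("Referer"), server_host):
        return 200, response_headers
    return 403, response_headers


SERVER = "localhost:8888"                     # assumed server host:port
API_PATH = "/api/contents/secrets.ipynb"      # assumed authenticated resource

# Constructed sample requests (not captured traffic).
BROWSER_FROM_NOTEBOOK_UI = Request(
    "GET", API_PATH,
    headers={"Referer": "http://localhost:8888/notebooks/secrets.ipynb",
             "X-XSRFToken": "tok123"},
    cookies={"session": "s1", "_xsrf": "tok123"},
)
SCRIPT_INCLUDE_FROM_ATTACKER = Request(
    "GET", API_PATH,
    headers={"Referer": "https://attacker.example/lure.html", "Accept": "*/*"},
    cookies={"session": "s1", "_xsrf": "tok123"},
)
SCRIPT_INCLUDE_NO_REFERER = Request(
    "GET", API_PATH,
    headers={"Accept": "*/*"},  # e.g. referrerpolicy="no-referrer" on the tag
    cookies={"session": "s1", "_xsrf": "tok123"},
)
UNAUTHENTICATED = Request("GET", API_PATH)


def run_demo() -> Dict[str, int]:
    """Run every sample request through the gate; returns name -> status."""
    cases = {
        "notebook_ui": BROWSER_FROM_NOTEBOOK_UI,
        "attacker_script_include": SCRIPT_INCLUDE_FROM_ATTACKER,
        "script_include_no_referer": SCRIPT_INCLUDE_NO_REFERER,
        "unauthenticated": UNAUTHENTICATED,
    }
    return {name: xssi_gate(req, SERVER)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

The two defences are deliberately independent: even if a browser ignored `nosniff`, the 403 path means the attacker's include never receives the notebook content, and even if the origin check were bypassed, the error message the CVE text describes would never be produced because the browser declines to execute a non-script MIME type. Whether the upstream 5.7.6 change takes exactly this shape is not something this page states; the example only shows the class of check.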


Reply sent to Gordon Ball <gordon@chronitis.net>:
You have taken responsibility. (Mon, 06 May 2019 18:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 06 May 2019 18:51:03 GMT)


Message #10 received at 924515-close@bugs.debian.org:

From: Gordon Ball <gordon@chronitis.net>
To: 924515-close@bugs.debian.org
Subject: Bug#924515: fixed in jupyter-notebook 5.7.8-1
Date: Mon, 06 May 2019 18:48:52 +0000
Source: jupyter-notebook
Source-Version: 5.7.8-1

We believe that the bug you reported is fixed in the latest version of
jupyter-notebook, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924515@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gordon Ball <gordon@chronitis.net> (supplier of updated jupyter-notebook package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 May 2019 18:12:38 +0000
Source: jupyter-notebook
Binary: jupyter-notebook python-notebook python-notebook-doc python3-notebook
Architecture: source all
Version: 5.7.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Gordon Ball <gordon@chronitis.net>
Description:
 jupyter-notebook - Jupyter interactive notebook
 python-notebook - Jupyter interactive notebook (Python 2)
 python-notebook-doc - Jupyter interactive notebook (documentation)
 python3-notebook - Jupyter interactive notebook (Python 3)
Closes: 924515 925939
Changes:
 jupyter-notebook (5.7.8-1) unstable; urgency=medium
 .
   * New upstream release 5.7.8
   * Fixes CVE-2019-9644 (Closes: #924515)
   * Fixes CVE-2019-10255 (Closes: #925939)
Checksums-Sha1:
 874eeaa19a2cec1b655351f8c1fdfc0d64656d84 4035 jupyter-notebook_5.7.8-1.dsc
 51f60db0708172fee8243270f5334e4d275d5ce4 6418926 jupyter-notebook_5.7.8.orig.tar.gz
 5bb0d335d06076dd88027d5085c9899869defc58 51292 jupyter-notebook_5.7.8-1.debian.tar.xz
 9a3e058b50d45d7783d539927aba603ffb17006f 21884 jupyter-notebook_5.7.8-1_all.deb
 fd48635d8446e4df70ea4b1c29ab4fdff83d2c32 14266 jupyter-notebook_5.7.8-1_amd64.buildinfo
 7669c86ad965d0a15b9f84165a788a629af0156c 2489572 python-notebook-doc_5.7.8-1_all.deb
 5e9f3385b204e07ac9b2a36e537941d00704991d 1009836 python-notebook_5.7.8-1_all.deb
 c50c6a71253e9826a63d28b0b4ef90b610e8199c 1009972 python3-notebook_5.7.8-1_all.deb
Checksums-Sha256:
 a8dc9de7576c394eb6bc2c5ac1831f9b7524e7dbf266c52c9d4aa4f220cafd9d 4035 jupyter-notebook_5.7.8-1.dsc
 b4691f40924eca3c9dabf0bf6b1884aef76aa7e380f4c37781cf18b3a2f72702 6418926 jupyter-notebook_5.7.8.orig.tar.gz
 7d7bb9f193f4e660ff2fdda3605501872760b83050b4ce4612535ba1d2250b2a 51292 jupyter-notebook_5.7.8-1.debian.tar.xz
 84792a652e46d8c9236c571eefbcfa9fd4b175a194ebfe7b5eef6dde4c5fa4b0 21884 jupyter-notebook_5.7.8-1_all.deb
 e71e7137b62049cc94a546714ec7152b10bf4bdb54218644486476184894d5bb 14266 jupyter-notebook_5.7.8-1_amd64.buildinfo
 5480cf934e1fdd1547b101f6add27b94f3644832f09936c8fec2e7455f3861b4 2489572 python-notebook-doc_5.7.8-1_all.deb
 320ee4fb8f117d0b4825cb08108f877a6825fdbb941acf5af81aabe435ebc1bd 1009836 python-notebook_5.7.8-1_all.deb
 a23aec95c264a2207b99a07da637f1a4199524bfbad81afbe956fe3b309cbc2d 1009972 python3-notebook_5.7.8-1_all.deb
Files:
 f2c9cdda74ca3f32cc9a94eccbb26bc1 4035 python optional jupyter-notebook_5.7.8-1.dsc
 07307d1b0ad171920c91f943732bb4db 6418926 python optional jupyter-notebook_5.7.8.orig.tar.gz
 8c55e2413b3ef9c3e7efafeb0b406159 51292 python optional jupyter-notebook_5.7.8-1.debian.tar.xz
 16422647575731006fd5dd7d04e92b37 21884 science optional jupyter-notebook_5.7.8-1_all.deb
 bf7d6887f0ef9c70bc1dfb29ffaa3c12 14266 python optional jupyter-notebook_5.7.8-1_amd64.buildinfo
 e4b1956647a9d9b868ddaa1b40d07ddf 2489572 doc optional python-notebook-doc_5.7.8-1_all.deb
 6b77e866c784bf3338ac4b8afc059f9d 1009836 python optional python-notebook_5.7.8-1_all.deb
 7822345283b53e89368cccaae3b78082 1009972 python optional python3-notebook_5.7.8-1_all.deb

-----BEGIN PGP SIGNATURE-----
[signature data not preserved in this copy]
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Jun 2019 07:26:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:52:31 2019; Machine Name: beach
