| Summary: | ipython new security issue CVE-2015-4707 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, joequant, lewyssmith, makowski.mageia, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/653502/ | | |
| Whiteboard: | has_procedure advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | ipython-2.3.0-2.mga5.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 16373 | | |

Description

David Walser
2015-06-23 00:23:01 CEST

David Walser
2015-06-23 00:23:07 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

The backported patch for 2.x should be enough, the other changes in the 3.x patch are for some new features of the 3.x release. I will apply the patch and also will follow what Debian is doing since they have also a 2.x version.
https://security-tracker.debian.org/tracker/CVE-2015-4707

David Walser
2015-06-26 16:42:42 CEST
CC: (none) => joequant

(In reply to David Walser from comment #0)
> Mageia 4 and Mageia 5 are also affected.

Mageia 4, I don't think so. It seems that the problematic code was introduced in rel-2.0.0 and Mageia 4 has 1.1.0, so we are like Debian squeeze for Mageia 4.
https://security-tracker.debian.org/tracker/CVE-2015-4707

Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO

ipython-doc-2.3.0-2.1.mga5.noarch.rpm
ipython-2.3.0-2.1.mga5.noarch.rpm
python3-ipython-2.3.0-2.1.mga5.noarch.rpm

are in 5/core/testing

Assignee: makowski.mageia => security

Philippe Makowski
2015-06-28 16:22:03 CEST
CC: (none) => makowski.mageia

Thanks Philippe!

Advisory:
========================

Updated ipython packages fix security vulnerability:

JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack (CVE-2015-4707).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4707
http://openwall.com/lists/oss-security/2015/06/22/7
========================

Updated packages in core/updates_testing:
========================
ipython-doc-2.3.0-2.1.mga5
ipython-2.3.0-2.1.mga5
python3-ipython-2.3.0-2.1.mga5

from ipython-2.3.0-2.1.mga5.src.rpm

Assignee: security => qa-bugs

Advisory committed to svn.

Whiteboard: has_procedure => has_procedure advisory

Philippe has patched another security issue, from Mageia Bug 16373. The Mageia 4 package had to be updated to the Mageia 5 version to be patched. Please update the advisory in SVN.

Advisory:
========================

Updated ipython packages fix security vulnerability:

JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack (CVE-2015-4707).

POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn't.

The Mageia 5 package has been patched to fix these issues. The Mageia 4 package wasn't vulnerable to CVE-2015-4707, but it has been updated and patched to fix the second issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4707
http://openwall.com/lists/oss-security/2015/06/22/7
http://openwall.com/lists/oss-security/2015/07/12/4
========================

Updated packages in core/updates_testing:
========================
ipython-2.3.0-1.mga4
ipython-doc-2.3.0-2.2.mga5
ipython-2.3.0-2.2.mga5
python3-ipython-2.3.0-2.2.mga5

from SRPMS:
ipython-2.3.0-1.mga4.src.rpm
ipython-2.3.0-2.2.mga5.src.rpm

Blocks: (none) => 16373

CVE-2015-5607 assigned for the second issue:
http://openwall.com/lists/oss-security/2015/07/21/3

Advisory:
========================

Updated ipython packages fix security vulnerability:

JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack (CVE-2015-4707).

POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn't (CVE-2015-5607).

The Mageia 5 package has been patched to fix these issues. The Mageia 4 package wasn't vulnerable to CVE-2015-4707, but it has been updated and patched to fix CVE-2015-5607.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5607
http://openwall.com/lists/oss-security/2015/06/22/7
http://openwall.com/lists/oss-security/2015/07/12/4
http://openwall.com/lists/oss-security/2015/07/21/3

Updated advisory committed to svn.

Whiteboard: has_procedure => has_procedure advisory

Testing MGA5 x64

Installed ipython-2.3.0-2.mga5 (65 pkgs), python3-ipython-2.3.0-2.mga5 (35 pkgs).
Using the following examples after:
$ ipython
$ ipython3
[1] http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Cell%20Magics.ipynb
[2] http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Script%20Magics.ipynb

It seems that you have to follow these in order - some at least. You can copy/paste each input 'block' after the ipython prompt. There is some slight displacement of line numbers between the terminal and the example pages where one 'block' yields >1 input line.

1.2 %matplotlib inline yields an error
"UsageError: Invalid GUI request u'inline', valid ones are:['osx', 'qt4', 'glut', None, 'gtk3', 'pyglet', 'wx', 'none', 'qt', 'gtk', 'tk']"
Guess the example is wrong. The two following 'import' lines come out individually, adding 2 to the console line number re the example.

The output of 'ruby_lines' 1.18, 2.10 varied between the two example formats. Not important.

2.14 splits into 4 input lines. 2.13/14 is delicate, but even when it works the result is *wrong* in showing a constant time for each line, whereas there should be a 1s increment from 0. Also, this test for *ipython3* outputs a badly formatted line:
3.2s: b'line 1\n'3.2s: b'line 2\n'3.2s: b'line 3\n'3.2s: b'line 4\n'3.2s: b'line 5\n'
rather than from ipython:
15.9s: line 1
15.9s: line 2
15.9s: line 3
15.9s: line 4
15.9s: line 5

Otherwise all the tests on both pages worked as prescribed.
-----------------------------------------------------------
Updated to: ipython-2.3.0-2.2.mga5, python3-ipython-2.3.0-2.2.mga5
All the test results were the same - right or wrong.
I prefer Philippe's opinion before MGA5-64-OK'ing this.

CC: (none) => lewyssmith

(In reply to Lewis Smith from comment #10)
> All the test results were the same - right or wrong.
> I prefer Philippe's opinion before MGA5-64-OK'ing this.

For me nothing really hurt. I'm not an IPython user myself but I don't think that what you're reporting are really a problem.

In VirtualBox, M5, KDE, 32-bit

Package(s) under test: ipython ipython-doc python3-ipython

default install of ipython ipython-doc python3-ipython

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:10:27)
Type "copyright", "credits" or "license" for more information......
In [1]: %lsmagic
Out[1]: Available line magics: %alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$

install ipython ipython-doc python3-ipython from updates_testing

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:10:27)
Type "copyright", "credits" or "license" for more information......
In [1]: %lsmagic
Out[1]: Available line magics: %alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$

CC: (none) => wilcal.int

In VirtualBox, M5, KDE, 64-bit

Package(s) under test: ipython ipython-doc python3-ipython

default install of ipython ipython-doc python3-ipython

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:12:16)
Type "copyright", "credits" or "license" for more information.......
In [1]: %lsmagic
Out[1]: Available line magics: %alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$

install ipython ipython-doc python3-ipython from updates_testing

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:10:27)
Type "copyright", "credits" or "license" for more information......
In [1]: %lsmagic
Out[1]: Available line magics: %alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$

This looks good to go David. What you say yee?

(In reply to William Kenney from comment #14)
> This looks good to go David. What you say yee?

Yes, let's ship it.

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0300.html

Status: NEW => RESOLVED

David Walser
2015-08-04 22:32:37 CEST
URL: (none) => http://lwn.net/Vulnerabilities/653502/
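The advisory in this bug describes two server-side defects: JSON API error bodies that reflected URL parameters but were served as text/html (CVE-2015-4707), and state-changing POST endpoints that accepted cross-site form submissions carrying the user's cookies (CVE-2015-5607). The following Python is an added example, not code from this bug report, from Mageia's packages, or from the IPython project; it models the two fixes in a small, self-contained request handler. Its assumptions are not stated on the page: requests and responses are plain dicts, the CSRF defence is a double-submit token in which an `_xsrf` cookie must equal an `X-XSRFToken` request header, and the sample requests are constructed for illustration.

```python
"""Added example (not IPython's code): a minimal model of the two server-side
fixes the advisory describes, for a notebook-style REST API.

Assumptions (not from the bug report): requests/responses are plain dicts;
the CSRF defence is a double-submit token (the `_xsrf` cookie must equal the
`X-XSRFToken` header); JSON error bodies carry only the fields shown.
"""
import hmac
import json
import secrets


def json_error(status, message, path):
    """Build an API error response declared as application/json.

    The request path is reflected only inside a JSON document, so a browser
    never parses it as HTML. The CVE-2015-4707 defect was exactly such bodies
    being labelled text/html.
    """
    body = json.dumps({"status": status, "message": message, "path": path})
    return {"status": status,
            "headers": {"Content-Type": "application/json"},
            "body": body}


def response_is_safe(resp):
    """Defender-side check: a JSON body must be declared application/json.

    Returns False for the vulnerable pattern (a JSON or reflected-text body
    served as text/html) and for bodies that are not valid JSON at all.
    """
    try:
        json.loads(resp["body"])
    except ValueError:
        return False
    ctype = resp["headers"].get("Content-Type", "")
    return ctype.split(";")[0].strip().lower() == "application/json"


def new_xsrf_token():
    """Token the server would set as the `_xsrf` cookie on first visit."""
    return secrets.token_hex(16)


def csrf_check(request):
    """Accept a state-changing request only with a matching XSRF token.

    A cross-site HTML form can trigger a POST that carries the victim's
    cookies, but it cannot add a custom header, so requiring header == cookie
    blocks the CVE-2015-5607 case while the notebook's own AJAX calls (which
    can read the cookie and set the header) keep working.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True
    cookie = request.get("cookies", {}).get("_xsrf", "")
    header = request.get("headers", {}).get("X-XSRFToken", "")
    if not cookie or not header:
        return False
    # Constant-time comparison so the check does not leak the token.
    return hmac.compare_digest(cookie, header)


def handle(request):
    """Dispatch one request; only the error paths are modelled here."""
    if not csrf_check(request):
        return json_error(403, "'_xsrf' argument missing or incorrect",
                          request["path"])
    # Real routing would go here; anything unknown gets a JSON 404 so the
    # reflected path is never served as markup.
    return json_error(404, "Not Found", request["path"])


if __name__ == "__main__":
    token = new_xsrf_token()
    # Constructed sample: a cross-site form POST carries the cookie, no header.
    forged = {"method": "POST", "path": "/api/sessions",
              "cookies": {"_xsrf": token}, "headers": {}}
    # Constructed sample: the notebook's own AJAX call carries both.
    legit = dict(forged, headers={"X-XSRFToken": token})
    for name, req in (("forged", forged), ("legit", legit)):
        resp = handle(req)
        print(name, resp["status"], resp["headers"]["Content-Type"], resp["body"])
```

The point of `response_is_safe` is that it can be run over captured responses from any JSON API as a regression check for the content-type half of the advisory; `csrf_check` encodes the cookie-plus-header rule that a cross-origin form submission cannot satisfy.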