| Summary: | ipython new XSS security issue fixed upstream (CVE-2015-6938) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, makowski.mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/657409/ | | |
| Whiteboard: | MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK | | |
| Source RPM: | ipython-2.3.0-2.2.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser
2015-09-02 15:22:31 CEST

David Walser
2015-09-02 15:22:40 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

packages in 5/core/updates_testing:
python3-ipython-2.3.0-2.3.mga5.noarch
ipython-2.3.0-2.3.mga5.src
ipython-2.3.0-2.3.mga5.noarch
ipython-doc-2.3.0-2.3.mga5.noarch

packages in 4/core/updates_testing:
ipython-2.3.0-1.2.mga4.noarch
ipython-2.3.0-1.2.mga4.src

Cauldron patched with upstream patch

Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO, MGA4TOO has_procedure

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13744#c1

Advisory pending CVE request.

Advisory:
========================

Updated ipython packages fix security vulnerability:

In IPython, local folder name was used in HTML templates without escaping, allowing XSS in said pages by carefully crafting folder name and URL to access it.

References:
http://openwall.com/lists/oss-security/2015/09/02/3

CC: (none) => makowski.mageia

Testing Mageia4 x64

Using existing: ipython-2.3.0-1.1.mga4 + python-matplotlib-1.3.0-7.mga4

From $ ipython I ran the tests in:
http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Cell%20Magics.ipynb
In [2]: %matplotlib inline
UsageError: Invalid GUI request u'inline', valid ones are:['osx', 'qt4', 'glut', 'gtk3', 'pyglet', 'wx', 'none', 'qt', 'gtk', None, 'tk']
and adds 2 to the line count.
In [16]: adds another 1 to the line count.
Otherwise the results were as shown.

From $ ipython I ran the tests in:
http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Script%20Magics.ipynb
In [8]: adds 1 to the line count.
In [14]: adds another 3 to the line count, and gives what looks like an invalid result (every line has the same time); but I have seen this before.
Otherwise the results were as shown.

Updated to: ipython-2.3.0-1.2.mga4 (same matplotlib) and re-ran all the tests cited above. Results were the same, with the same provisos.

So this update shows no regression or evident new errors; OK.

CC: (none) => lewyssmith

Tested Mageia 4 i586 and Mageia 5 i586. Didn't run every single test case, but more than enough to show that the package is still functional.

Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK

This finally has CVE-2015-6938:
http://openwall.com/lists/oss-security/2015/09/14/2

Advisory:
========================

Updated ipython packages fix security vulnerability:

In IPython, local folder name was used in HTML templates without escaping, allowing XSS in said pages by carefully crafting folder name and URL to access it (CVE-2015-6938).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6938
http://openwall.com/lists/oss-security/2015/09/14/2

Summary: ipython new XSS security issue fixed upstream => ipython new XSS security issue fixed upstream (CVE-2015-6938)

Validating. Advisory uploaded combining comment 1 & comment 5. Please push to 4 & 5 updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0372.html

Status: NEW => RESOLVED

David Walser
2015-09-15 19:46:00 CEST

URL: (none) => http://lwn.net/Vulnerabilities/657409/
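The defect class the advisory describes (an on-disk folder name interpolated into an HTML template without escaping), shown as an added example that is not IPython's own template code or the upstream patch: the template, function names and the sample folder name are all constructed for illustration. It contrasts the unescaped rendering with the escaped form and includes the check a reviewer or test suite can run against either.

```python
import html

# Constructed directory-listing template, not IPython's real template:
# the notebook folder's name and path are shown in the rendered page.
LISTING_TEMPLATE = "<title>{name}</title>\n<h1>Notebooks in {path}</h1>"


def folder_name(folder_path: str) -> str:
    """Last path component, e.g. 'work/notes' -> 'notes'."""
    return folder_path.rstrip("/").rsplit("/", 1)[-1]


def render_unescaped(folder_path: str) -> str:
    """The defect class behind CVE-2015-6938: the folder name is
    interpolated into HTML verbatim, so markup characters in the name
    are emitted as markup and the browser acts on them."""
    return LISTING_TEMPLATE.format(name=folder_name(folder_path),
                                   path=folder_path)


def render_escaped(folder_path: str) -> str:
    """Hardened form: every untrusted value is HTML-escaped where it
    enters the template (what an autoescaping template engine does).
    quote=True also neutralises ' and ", so the value is safe inside
    attribute values, not only in element text."""
    return LISTING_TEMPLATE.format(
        name=html.escape(folder_name(folder_path), quote=True),
        path=html.escape(folder_path, quote=True),
    )


def leaks_markup(rendered: str, untrusted: str) -> bool:
    """Review/test check: does an untrusted value containing markup
    characters appear in the output unchanged? True means the template
    is injectable for that value."""
    return any(c in untrusted for c in "<>\"'") and untrusted in rendered


# Constructed folder name such as a local user could create on disk.
SAMPLE_FOLDER = 'work/notes <b title="x">'

if __name__ == "__main__":
    print(render_unescaped(SAMPLE_FOLDER))   # markup survives
    print(render_escaped(SAMPLE_FOLDER))     # markup neutralised
```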