| Summary: | jupyter-notebook new security issue CVE-2020-26215 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, guillomovitch, nicolas.salguero, ouaurelien, smelror, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | jupyter-notebook-5.7.8-1.mga7.src.rpm | CVE: | CVE-2020-26215 |
| Status comment: | |||
|
Description
David Walser
2020-12-02 15:56:13 CET
David Walser
2020-12-02 15:56:28 CET
CC:
(none) =>
geiger.david68210, guillomovitch, smelror

Suggested advisory:

========================

The updated packages fix a security vulnerability:

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. (CVE-2020-26215)

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26215

https://www.debian.org/lts/security/2020/dla-2477

========================

Updated packages in core/updates_testing:

========================

jupyter-notebook-5.7.8-1.1.mga7

python-jupyter-notebook-5.7.8-1.1.mga7

from SRPM:

jupyter-notebook-5.7.8-1.1.mga7.src.rpm

CC:
(none) =>
nicolas.salguero

mga7, x64

Installed the 53 release and update packages.

```
$ jupyter-notebook --generate-config
Overwrite /home/lcl/.jupyter/jupyter_notebook_config.py with default config? [y/N] n
$
$ jupyter-notebook
[I 15:18:21.818 NotebookApp] Writing notebook server cookie secret to /run/user/1000/jupyter/notebook_cookie_secret
[I 15:18:21.977 NotebookApp] Serving notebooks from local directory: /home/lcl/qa/jupyter-notebook
[I 15:18:21.977 NotebookApp] The Jupyter Notebook is running at:
[I 15:18:21.977 NotebookApp] http://localhost:8888/?token=fdc416a5a53a8debba44f535e8bba6bb999b5faa886c110a
[I 15:18:21.977 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 15:18:22.001 NotebookApp]

    To access the notebook, open this file in a browser:
        file:///run/user/1000/jupyter/nbserver-1762-open.html
    Or copy and paste one of these URLs:
        http://localhost:8888/?token=fdc416a5a53a8debba44f535e8bba6bb999b5faa886c110a
```

This displays jupyter at http://localhost:8888/tree and the contents of the launch directory.

Tried inputting this - as tried on bug #22780:

```
var cell = Jupyter.notebook.get_selected_cell();
var config = cell.config;
var patch = {
    CodeCell:{
        cm_config:{indentUnit:2}
    }
}
config.update(patch)
```

Then tried running it and hit a syntax error right away, as before. It is pointless trying to figure out how to run this without a two week induction course so this is as far as it goes for testing.

Giving this a tentative OK.

Whiteboard:
(none) =>
MGA7-64-OK

Validating. Advisory pushed to SVN.

Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0457.html

Status:
ASSIGNED =>
RESOLVED |