Details on a CVE issued for IPython in May were announced today (July 15):
http://openwall.com/lists/oss-security/2014/07/15/2

Cauldron is not affected as the issue was fixed in 1.2.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated ipython package fixes security vulnerability:

In IPython before 1.2, the origin of websocket requests was not verified within the IPython notebook server. If an attacker has knowledge of an IPython kernel id they can run arbitrary code on a user's machine when the client visits a crafted malicious page (CVE-2014-3429).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429
http://openwall.com/lists/oss-security/2014/07/15/2
========================

Updated packages in core/updates_testing:
========================
ipython-0.13.2-1.1.mga3
ipython-1.1.0-3.1.mga4

from SRPMS:
ipython-0.13.2-1.1.mga3.src.rpm
ipython-1.1.0-3.1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Testing MGA4 64-bit real hardware.

Installed ipython-1.1.0-3.mga4, which pulled in about 50 other things. To play with it, in a terminal
    $ ipython
then copy/paste lines from:
http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Cell%20Magics.ipynb
http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Script%20Magics.ipynb
These all worked as described except re matplotlib, not found.

Updated to ipython-1.1.0-3.1.mga4 and re-ran the same tests, same results therefore deemed OK. Despite the fact that these tests have nothing to do with the fault described.

The ipython site:
http://nbviewer.ipython.org/github/ipython/ipython/tree/master/IPython/
has many Python test scripts, under:
- core
- kernel
- qt
- testing
I could not find how to launch iPython Qt. I think there is a way of directly running these Python scripts from ipython citing the URL (rather than downloading & saving them). That would be excellent for Python update testing.
CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
python-matplotlib and python-qt4 are only suggests, so you certainly need to install them (or python3-matplotlib and python3-qt4 if you test python3-ipython in mga5).
CC: (none) => makowski.mageia
Testing mga4-32 and ran same tests as Lewis had in #1 on ipython-1.1.0-3.mga4. Same issue with matplotlib being not found but other tests worked.

Installed python-matplotlib-1.3.0-7.mga4 and testing it then worked too.

Upgraded to ipython-1.1.0-3.1.mga4 and test cases worked with same output as ipython-1.1.0-3.mga4.
CC: (none) => dpremy
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK
Fedora has issued an advisory for this on July 17:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135763.html

Adding that to the advisory.

Advisory:
========================

Updated ipython package fixes security vulnerability:

In IPython before 1.2, the origin of websocket requests was not verified within the IPython notebook server. If an attacker has knowledge of an IPython kernel id they can run arbitrary code on a user's machine when the client visits a crafted malicious page (CVE-2014-3429).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135763.html
========================

Updated packages in core/updates_testing:
========================
ipython-0.13.2-1.1.mga3
ipython-1.1.0-3.1.mga4

from SRPMS:
ipython-0.13.2-1.1.mga3.src.rpm
ipython-1.1.0-3.1.mga4.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/606691/
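The kind of check the advisory text says was missing, as an added example that is not part of this bug thread and is not IPython's own code: a same-origin test on the WebSocket handshake headers. The function name, the header dict shape, the strict handling of a missing Origin, and the sample handshakes (a notebook server assumed on localhost:8888) are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_allowed(headers, scheme="http", allow_origins=()):
    """Return True only if the handshake's Origin matches the server's Host.

    headers: dict of handshake headers with canonical names (assumption).
    scheme: scheme the server is reached on; allow_origins: extra exact origins.
    """
    origin, host = headers.get("Origin"), headers.get("Host")
    if origin is None or host is None:
        # Browsers always send Origin on a WebSocket handshake; refusing
        # requests without one is a policy choice made in this sketch.
        return False
    if origin in allow_origins:
        return True
    try:
        o = urlsplit(origin)
        h = urlsplit("//" + host)
        if o.scheme != scheme or o.hostname is None or h.hostname is None:
            return False  # also rejects the literal "null" origin
        # Compare (host, port) pairs, never string prefixes.
        origin_hp = (o.hostname, o.port or DEFAULT_PORTS[scheme])
        host_hp = (h.hostname, h.port or DEFAULT_PORTS[scheme])
    except (ValueError, KeyError):
        return False  # malformed port or unsupported scheme
    return origin_hp == host_hp


# Constructed handshakes, each paired with the expected decision.
HOST = "localhost:8888"
SAMPLES = [
    ({"Host": HOST, "Origin": "http://localhost:8888"}, True),
    ({"Host": HOST, "Origin": "http://LOCALHOST:8888"}, True),
    ({"Host": HOST, "Origin": "http://other-site.example"}, False),
    ({"Host": HOST, "Origin": "http://localhost:8888.other-site.example"}, False),
    ({"Host": HOST, "Origin": "null"}, False),
    ({"Host": HOST}, False),
]


def run_samples():
    """Evaluate every constructed handshake and return the decisions."""
    return [origin_allowed(hdrs) for hdrs, _ in SAMPLES]


if __name__ == "__main__":
    for (hdrs, expected), got in zip(SAMPLES, run_samples()):
        print(hdrs.get("Origin"), "->", got, "(expected %s)" % expected)
```

A test of the updated package that targets the fault itself would exercise this decision at the notebook server's websocket endpoint rather than the terminal magics.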
Advisory uploaded. This still needs to be tested on mga3 before it can be uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK advisory
s/uploaded/validated/
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK advisory
Testing complete mga3 32 using procedure in comment 1

$ ipython
Python 2.7.6 (default, Jun 28 2014, 19:32:35)
Type "copyright", "credits" or "license" for more information.

IPython 0.13.2 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: %lsmagic
Available line magics:
%alias %alias_magic %autocall %autoindent %automagic %bookmark %cd %colors %config %cpaste %debug %dhist %dirs %doctest_mode %ed %edit %env %gui %hist %history %install_default_config %install_ext %install_profiles %killbgscripts %load %load_ext %loadpy %logoff %logon %logstart %logstate %logstop %lsmagic %macro %magic %notebook %page %paste %pastebin %pdb %pdef %pdoc %pfile %pinfo %pinfo2 %popd %pprint %precision %profile %prun %psearch %psource %pushd %pwd %pycat %pylab %quickref %recall %rehashx %reload_ext %rep %rerun %reset %reset_selective %run %save %sc %store %sx %system %tb %time %timeit %unalias %unload_ext %who %who_ls %whos %xdel %xmode

Available cell magics:
%%! %%bash %%capture %%file %%perl %%prun %%python3 %%ruby %%script %%sh %%sx %%system %%timeit

Automagic is ON, % prefix IS NOT needed for line magics.

In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!

In [3]: exit
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK advisory => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK advisory
Testing complete mga3 64.

Validating. Advisory already uploaded.

Could sysadmin please push to 3 & 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK MGA4-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0320.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED