A CVE has been assigned for a security issue fixed upstream in ipython:
http://openwall.com/lists/oss-security/2015/06/22/7

More details are in the CVE request:
http://openwall.com/lists/oss-security/2015/06/22/4

It's not 100% clear to me if all that's needed is applying the patch that was backported to ipython 2.x.

Mageia 4 and Mageia 5 are also affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
The backported patch for 2.x should be enough; the other changes in the 3.x patch are for some new features of the 3.x release. I will apply the patch and also will follow what Debian is doing, since they also have a 2.x version.
https://security-tracker.debian.org/tracker/CVE-2015-4707
CC: (none) => joequant
(In reply to David Walser from comment #0)
> Mageia 4 and Mageia 5 are also affected.

Mageia 4, I don't think so: it seems that the problematic code was introduced in rel-2.0.0 and Mageia 4 has 1.1.0, so we are like Debian squeeze for Mageia 4.
https://security-tracker.debian.org/tracker/CVE-2015-4707
Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO
ipython-doc-2.3.0-2.1.mga5.noarch.rpm
ipython-2.3.0-2.1.mga5.noarch.rpm
python3-ipython-2.3.0-2.1.mga5.noarch.rpm

are in 5/core/testing
Assignee: makowski.mageia => security
CC: (none) => makowski.mageia
Thanks Philippe!

Advisory:
========================

Updated ipython packages fix security vulnerability:

JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack (CVE-2015-4707).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4707
http://openwall.com/lists/oss-security/2015/06/22/7
========================

Updated packages in core/updates_testing:
========================
ipython-doc-2.3.0-2.1.mga5
ipython-2.3.0-2.1.mga5
python3-ipython-2.3.0-2.1.mga5

from ipython-2.3.0-2.1.mga5.src.rpm
Assignee: security => qa-bugs
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
procedure : https://bugs.mageia.org/show_bug.cgi?id=13744#c1
Whiteboard: (none) => has_procedure
Advisory committed to svn.
Whiteboard: has_procedure => has_procedure advisory
CC: (none) => davidwhodgins
Philippe has patched another security issue, from Mageia Bug 16373. The Mageia 4 package had to be updated to the Mageia 5 version to be patched.

Please update the advisory in SVN.

Advisory:
========================

Updated ipython packages fix security vulnerability:

JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack (CVE-2015-4707).

POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn't.

The Mageia 5 package has been patched to fix these issues. The Mageia 4 package wasn't vulnerable to CVE-2015-4707, but it has been updated and patched to fix the second issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4707
http://openwall.com/lists/oss-security/2015/06/22/7
http://openwall.com/lists/oss-security/2015/07/12/4
========================

Updated packages in core/updates_testing:
========================
ipython-2.3.0-1.mga4
ipython-doc-2.3.0-2.2.mga5
ipython-2.3.0-2.2.mga5
python3-ipython-2.3.0-2.2.mga5

from SRPMS:
ipython-2.3.0-1.mga4.src.rpm
ipython-2.3.0-2.2.mga5.src.rpm
Blocks: (none) => 16373
Whiteboard: has_procedure advisory => has_procedure
CVE-2015-5607 assigned for the second issue:
http://openwall.com/lists/oss-security/2015/07/21/3

Advisory:
========================

Updated ipython packages fix security vulnerability:

JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack (CVE-2015-4707).

POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn't (CVE-2015-5607).

The Mageia 5 package has been patched to fix these issues. The Mageia 4 package wasn't vulnerable to CVE-2015-4707, but it has been updated and patched to fix CVE-2015-5607.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5607
http://openwall.com/lists/oss-security/2015/06/22/7
http://openwall.com/lists/oss-security/2015/07/12/4
http://openwall.com/lists/oss-security/2015/07/21/3
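Added illustration of the two issue classes the advisory above describes, as a pair of minimal "before" and "after" handlers. This is example code written for this page, not IPython's code or the upstream patches: the session value, the XSRF token, the server origin and the two request dicts are constructed, and the hardened checks (JSON-only content type, double-submit token header, Origin comparison) are generic CSRF and content-type defenses rather than a description of what the IPython fix does.

```python
"""Constructed mini-handlers showing (1) an error body that reflects URL
parameters and is served as text/html, and (2) a POST check that trusts the
browser-attached session cookie alone. None of this is IPython's code."""
import hmac
import json
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "s3ss10n"             # constructed session value
XSRF_TOKEN = "t0k3n"                   # constructed double-submit token
SERVER_ORIGIN = "http://localhost:8888"  # assumed notebook origin


# --- Issue 1 (reflected params in a mislabelled JSON error) ---

def _name_param(url):
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def error_response_vulnerable(url):
    """'Before' shape: body built by string interpolation and labelled
    text/html, so the browser renders whatever was in the query string."""
    body = '{"error": "No such notebook: %s"}' % _name_param(url)
    return 404, {"Content-Type": "text/html"}, body


def error_response_hardened(url):
    """Serialize with json.dumps, label the body application/json, forbid
    MIME sniffing, and escape angle brackets so the body stays inert even
    if a proxy or client mislabels it (the escape keeps the JSON valid)."""
    body = json.dumps({"error": "No such notebook", "name": _name_param(url)})
    body = body.replace("<", "\\u003c").replace(">", "\\u003e")
    headers = {"Content-Type": "application/json",
               "X-Content-Type-Options": "nosniff"}
    return 404, headers, body


def parse_body(body):
    """Helper for callers (and the test) to read the hardened body back."""
    return json.loads(body)


# --- Issue 2 (cookie-only authorization of POST requests) ---

# The only content types an HTML <form> can submit without script access.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data",
              "text/plain"}


def post_allowed_vulnerable(req):
    """Only the session cookie is checked; browsers attach it to a
    cross-site form POST automatically, so a third-party page passes."""
    return req["cookies"].get("session") == SESSION_COOKIE


def post_allowed_hardened(req):
    """Three independent checks, any one of which stops a plain form POST:
    a non-form content type, a token header matching the _xsrf cookie
    (a cross-site page cannot read that cookie), and an Origin match."""
    if req["cookies"].get("session") != SESSION_COOKIE:
        return False
    ctype = req["headers"].get("Content-Type", "").split(";")[0].strip().lower()
    if not ctype or ctype in FORM_TYPES:
        return False
    token = req["headers"].get("X-XSRFToken", "")
    cookie = req["cookies"].get("_xsrf", "")
    if not token or not hmac.compare_digest(token, cookie):
        return False
    origin = req["headers"].get("Origin")
    if origin is not None and origin != SERVER_ORIGIN:
        return False
    return True


# Constructed requests: what a cross-site <form> and a real API client send.
CROSS_SITE_FORM_POST = {
    "headers": {"Content-Type": "application/x-www-form-urlencoded",
                "Origin": "http://evil.example"},
    "cookies": {"session": SESSION_COOKIE, "_xsrf": XSRF_TOKEN},  # auto-sent
}
LEGIT_API_POST = {
    "headers": {"Content-Type": "application/json",
                "X-XSRFToken": XSRF_TOKEN, "Origin": SERVER_ORIGIN},
    "cookies": {"session": SESSION_COOKIE, "_xsrf": XSRF_TOKEN},
}

if __name__ == "__main__":
    url = "/api/contents?name=<script>alert(1)</script>"
    print(error_response_vulnerable(url))
    print(error_response_hardened(url))
    print(post_allowed_vulnerable(CROSS_SITE_FORM_POST),
          post_allowed_hardened(CROSS_SITE_FORM_POST),
          post_allowed_hardened(LEGIT_API_POST))
```

The content-type check alone is what makes a non-AJAX form POST fail, since a form cannot set application/json; the token and Origin checks are there so that the endpoint does not rely on that one property of browsers.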
Updated advisory committed to svn.
Whiteboard: has_procedure => has_procedure advisory
Testing MGA5 x64

Installed ipython-2.3.0-2.mga5 (65 pkgs), python3-ipython-2.3.0-2.mga5 (35 pkgs).

Using the following examples after:
$ ipython
$ ipython3

[1] http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Cell%20Magics.ipynb
[2] http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Script%20Magics.ipynb

It seems that you have to follow these in order - some at least. You can copy/paste each input 'block' after the ipython prompt. There is some slight displacement of line numbers between the terminal and the example pages where one 'block' yields >1 input line.

1.2 %matplotlib inline yields an error "UsageError: Invalid GUI request u'inline', valid ones are:['osx', 'qt4', 'glut', None, 'gtk3', 'pyglet', 'wx', 'none', 'qt', 'gtk', 'tk']". Guess the example is wrong. The two following 'import' lines come out individually, adding 2 to the console line number re the example.

The output of 'ruby_lines' 1.18, 2.10 varied between the two example formats. Not important.

2.14 splits into 4 input lines.

2.13/14 is delicate, but even when it works the result is *wrong* in showing a constant time for each line, whereas there should be a 1s increment from 0. Also, this test for *ipython3* outputs a badly formatted line:
3.2s: b'line 1\n'3.2s: b'line 2\n'3.2s: b'line 3\n'3.2s: b'line 4\n'3.2s: b'line 5\n'
rather than from ipython:
15.9s: line 1
15.9s: line 2
15.9s: line 3
15.9s: line 4
15.9s: line 5

Otherwise all the tests on both pages worked as prescribed.

-----------------------------------------------------------
Updated to: ipython-2.3.0-2.2.mga5, python3-ipython-2.3.0-2.2.mga5

All the test results were the same - right or wrong.
I prefer Philippe's opinion before MGA5-64-OK'ing this.
CC: (none) => lewyssmith
(In reply to Lewis Smith from comment #10)
> All the test results were the same - right or wrong.
> I prefer Philippe's opinion before MGA5-64-OK'ing this.

For me nothing really hurts. I'm not an IPython user myself, but I don't think that what you're reporting is really a problem.
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: ipython ipython-doc python3-ipython

default install of ipython ipython-doc python3-ipython

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:10:27)
Type "copyright", "credits" or "license" for more information......
In [1]: %lsmagic
Out[1]:
Available line magics:
%alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$

install ipython ipython-doc python3-ipython from updates_testing

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:10:27)
Type "copyright", "credits" or "license" for more information......
In [1]: %lsmagic
Out[1]:
Available line magics:
%alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: ipython ipython-doc python3-ipython

default install of ipython ipython-doc python3-ipython

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:12:16)
Type "copyright", "credits" or "license" for more information.......
In [1]: %lsmagic
Out[1]:
Available line magics:
%alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$

install ipython ipython-doc python3-ipython from updates_testing

[root@localhost wilcal]# urpmi ipython
Package ipython-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi ipython-doc
Package ipython-doc-2.3.0-2.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi python3-ipython
Package python3-ipython-2.3.0-2.2.mga5.noarch is already installed

[wilcal@localhost ~]$ ipython
Python 2.7.9 (default, Dec 14 2014, 10:10:27)
Type "copyright", "credits" or "license" for more information......
In [1]: %lsmagic
Out[1]:
Available line magics:
%alias %alias_magic %autocall %autoindent %automagic...........
In [2]: %%bash
   ...: echo "Hello world!"
   ...:
Hello world!
In [3]: exit
[wilcal@localhost ~]$
This looks good to go David. What you say yee?
(In reply to William Kenney from comment #14)
> This looks good to go David. What you say yee?

Yes, let's ship it.
This update works fine.

Testing complete for MGA5, 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push to updates. Thanks
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0300.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/653502/