A security issue fixed upstream in jupyter-notebook has been announced today (March 15): http://openwall.com/lists/oss-security/2018/03/15/2 The issue will be fixed upstream in 5.4.1 and 5.5. Mageia 5 and Mageia 6 may also be affected.
Assigning to the Python stack maintainers, CC'ing the registered maintainer.
Assignee: bugsquad => python
CC: (none) => makowski.mageia, marja11
Cauldron has been updated to version 5.4.1.
CC: (none) => smelror
Version: Cauldron => 6
CVE assignment: http://openwall.com/lists/oss-security/2018/03/18/1
Summary: jupyter-notebook new security issue fixed upstream in 5.4.1 => jupyter-notebook new security issue fixed upstream in 5.4.1 (CVE-2018-8768)
Advisory
========

jupyter-notebook has been updated to fix a security issue.

CVE-2018-8768: In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2018-8768
http://openwall.com/lists/oss-security/2018/03/15/2

Files
=====

Uploaded to core/updates_testing:

python3-jupyter-notebook-4.2.0-1.1.mga6
python2-jupyter-notebook-4.2.0-1.1.mga6
jupyter-notebook-4.2.0-1.1.mga6

from jupyter-notebook-4.2.0-1.1.mga6.src.rpm
CVE: (none) => CVE-2018-8768
Assignee: python => qa-bugs
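The advisory above describes a bug class rather than a single bad tag: the notebook sanitized a string, and jQuery then re-parsed that string and repaired the invalid markup it contained, so the browser ended up building elements the sanitizer never saw. The following is an added illustration of that class and of two defensive patterns, written for this page; it is not Jupyter's code, not the upstream 5.4.1 fix, and not the CVE-2018-8768 payload. The "sanitizer" is a deliberately naive regex, and the constructed input is chosen so that the sanitizer's own removal step plays the role jQuery's repair played in the CVE: a transformation applied after sanitization that splices a new <script> element together. The two mitigations shown are (a) re-run the sanitizer on the transformed output until it stops changing, and (b) parse first and rebuild the document from an allowlist of tokens, so the string is never re-interpreted after it has been checked. All names and the sample input are assumptions made for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample input (not the CVE-2018-8768 payload): the inner
# <script></script> pair is what a single pass of the toy sanitizer removes,
# and removing it splices the outer fragments into a new <script> element.
CONSTRUCTED_INPUT = '<p>hi</p><scr<script></script>ipt>alert(1)</script>'

# Toy string-level sanitizer (hypothetical): delete every <script>...</script>
# block it can see in the raw string.
SCRIPT_RE = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.IGNORECASE | re.DOTALL)


def strip_scripts_once(html: str) -> str:
    """One pass of the toy sanitizer. Its own output is never re-checked,
    which is the same shape of mistake as sanitizing a string and then
    letting jQuery re-parse and 'fix' it before it reaches the DOM."""
    return SCRIPT_RE.sub('', html)


def strip_scripts_fixpoint(html: str, max_rounds: int = 10) -> str:
    """Mitigation (a): re-apply the sanitizer until the output stops changing,
    so whatever happens after a pass (here the removal itself, in the CVE the
    jQuery repair) is fed back through the sanitizer. Refuse non-converging input."""
    for _ in range(max_rounds):
        out = strip_scripts_once(html)
        if out == html:
            return out
        html = out
    raise ValueError('sanitizer did not converge; treat input as hostile')


class AllowlistSerializer(HTMLParser):
    """Mitigation (b): parse first, then rebuild the document from tokens,
    keeping only an allowlist of attribute-less tags and escaping all text.
    Whatever the tokenizer made of the malformed input, a disallowed tag can
    only come out as escaped text, never as markup."""
    ALLOWED = {'p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'br'}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:          # attributes are dropped on purpose
            self.out.append(f'<{tag}>')

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag != 'br':
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_by_parsing(html: str) -> str:
    p = AllowlistSerializer()
    p.feed(html)
    p.close()
    return ''.join(p.out)


class TagCollector(HTMLParser):
    """Stand-in for 'which elements would the browser build from this string'."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag.lower())


def tags_seen(html: str) -> list:
    c = TagCollector()
    c.feed(html)
    c.close()
    return c.tags


if __name__ == '__main__':
    once = strip_scripts_once(CONSTRUCTED_INPUT)
    print('one pass   :', once, tags_seen(once))          # a <script> survives
    print('fixpoint   :', strip_scripts_fixpoint(CONSTRUCTED_INPUT))
    print('parse-first:', sanitize_by_parsing(CONSTRUCTED_INPUT))
```

The single-pass output still contains a script element once it is parsed, which is the property the CVE exploited; the fixpoint variant and the parse-first variant both leave only the paragraph. Of the two, parse-first is the stronger design because it never hands a string back to a second parser at all; the fixpoint check is the cheaper retrofit for an existing string-based sanitizer.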
Mageia 6 :: x86_64

Documentation at:
http://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html
or
https://media.readthedocs.org/pdf/jupyter-notebook/stable/jupyter-notebook.pdf

It is not easy to follow. Installed the Core Release packages first and tinkered with the system for a couple of hours but made very little progress.

What it is is an interactive code environment which makes use of "kernels" to run code stored in 'cells'. Cells can also contain Markup text, images and videos but it is not clear how data can be imported from elsewhere. Cells can be cut and pasted but native cut and paste does not seem to be supported. There is some discussion of this on the web. I got as far as typing random text into a cell and tried to save it but could not find any corresponding file in the user directory tree.

The first step is to create a jupyter_notebook_config.py file in the .jupyter directory, with all the default settings commented out, using the following command:

$ jupyter-notebook --generate-config
Writing default config to: /home/lcl/.jupyter/jupyter_notebook_config.py

[lcl@vega ~]$ jupyter-notebook
[I 16:40:52.658 NotebookApp] Writing notebook server cookie secret to /run/user/1000/jupyter/notebook_cookie_secret
[W 16:40:52.679 NotebookApp] Widgets are unavailable. Please install widgetsnbextension or ipywidgets 4.0
[I 16:40:52.687 NotebookApp] Serving notebooks from local directory: /home/lcl
[I 16:40:52.687 NotebookApp] 0 active kernels
[I 16:40:52.687 NotebookApp] The Jupyter Notebook is running at: http://localhost:8888/
[I 16:40:52.687 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).

Note that the command is 'jupyter-notebook', not 'jupyter notebook' as given in the documentation. There does not seem to be a way to run it other than using the command line.

By default, a notebook server runs locally at 127.0.0.1:8888 and is accessible only from localhost.
Running jupyter-notebook without any changes to the default configuration displays the user's home directory in a browser at localhost:8888/tree

Installed the updates. By default, installing jupyter-notebook pulls in the python3 dependencies.

Since understanding how to use this is a life's work, just confirming that the server runs is about all we can do. I ran the jupyter-notebook command in a terminal and the home page came up in Firefox. Used the New button at the right hand side to select 'create a new python3 notebook'. The view switched to a new tab with a notebook page named 'Untitled2' and a blank cell waiting for input. I typed in a snippet of code from the documentation:

var cell = Jupyter.notebook.get_selected_cell();
var config = cell.config;
var patch = {
      CodeCell:{
        cm_config:{indentUnit:2}
      }
    }
config.update(patch)

Running this generated a syntax error message:

  File "<ipython-input-1-bb0c3215449e>", line 1
    var cell = Jupyter.notebook.get_selected_cell();
             ^
SyntaxError: invalid syntax

This means little to me but it looks like ipython is involved. It seems surprising that the code would not be interpreted as python3. There might be a configuration setting covering that. Just checked - nothing relevant. Maybe it is not good python. However, this does demonstrate that a kernel is running.

Closed down the notebook server and restarted it. In Firefox, navigated to the directory where the notebook was saved and selected Untitled2.ipynb, which is an ASCII file containing metadata for the notebook and the edited cell. That brought up the cell with the error message.

This is about as far as I can take this. On the face of it the application is working normally. Leaving the OK for a while in case there is anybody with experience of this system who would care to comment.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
(In reply to Len Lawrence from comment #5)
> This is about as far as I can take this. On the face of it the application
> is working normally. Leaving the OK for a while in case there is anybody
> with experience of this system who would care to comment.

Thanks for your efforts.
To do some tests, you can for example download a notebook:

curl -O https://raw.githubusercontent.com/jupyter/notebook/master/docs/source/examples/Notebook/Running%20Code.ipynb

and then do:

jupyter-notebook Running%20Code.ipynb

and play with the notebook.
Thanks for the link Philippe. Shall have a look at that later.
Just to confirm the OK: downloaded the notebook suggested in comment 6, placed it in ~/.jupyter and ran jupyter-notebook from there. Tried replicating cells and moving cells about. Ran code using the Ctrl and Alt shortcuts. Inserted new code in a blank cell, 'print(a+a)', and ran it; the result 20 appeared below the cell. Interrupted the kernel and also crashed the kernel and responded to the automatic restart message. Typed Ctrl-C twice to close down. 64-bit OK.
Oops; looks like this is not finished yet. Forgot about python2. The packages had been installed but there seems to be only one notebook script in /bin and that runs under python3:

#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'notebook==4.2.0','console_scripts','jupyter-notebook'

No pointers from 'jupyter-notebook --help-all' but googling indicates that a new kernel may need to be generated. Looking into that just now.
Whiteboard: MGA6-64-OK => (none)
The kernel can be changed on the fly from the running notebook menu but it needs to be generated first.
$ sudo urpmi python-pip
$ sudo python2 -m pip install --upgrade ipykernel

That seemed to run smoothly enough but cannot be sure of the end result:

.........................
Python sys.version_info(major=2, minor=7, micro=13, releaselevel='final', serial=0) detected.
Your pip version is out of date, please install pip >= 9.0.1. pip 8.0.2 detected.
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-I9Wrwu/ipython
You are using pip version 8.0.2, however version 9.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

$ sudo python2 -m ipykernel install
Installed kernelspec python2 in /usr/local/share/jupyter/kernels/python2

However, restarting the notebook showed python2 available so I switched. Worked through similar tests on the demonstration notebook. All is well.
Thanks Len for the test. Advisoried & validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0182.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED