Debian-LTS has issued an advisory today (December 2):
https://www.debian.org/lts/security/2020/dla-2477

The issue is fixed upstream in 6.1.5.
CC: (none) => geiger.david68210, guillomovitch, smelror
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Jupyter Notebook before version 6.1.5 has an open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected; however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. (CVE-2020-26215)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26215
https://www.debian.org/lts/security/2020/dla-2477
========================

Updated packages in core/updates_testing:
========================
jupyter-notebook-5.7.8-1.1.mga7
python-jupyter-notebook-5.7.8-1.1.mga7

from SRPM:
jupyter-notebook-5.7.8-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-26215
Assignee: pkg-bugs => qa-bugs
mga7, x64

Installed the 53 release and update packages.

$ jupyter-notebook --generate-config
Overwrite /home/lcl/.jupyter/jupyter_notebook_config.py with default config? [y/N] n
$
$ jupyter-notebook
[I 15:18:21.818 NotebookApp] Writing notebook server cookie secret to /run/user/1000/jupyter/notebook_cookie_secret
[I 15:18:21.977 NotebookApp] Serving notebooks from local directory: /home/lcl/qa/jupyter-notebook
[I 15:18:21.977 NotebookApp] The Jupyter Notebook is running at:
[I 15:18:21.977 NotebookApp] http://localhost:8888/?token=fdc416a5a53a8debba44f535e8bba6bb999b5faa886c110a
[I 15:18:21.977 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 15:18:22.001 NotebookApp]
    To access the notebook, open this file in a browser:
        file:///run/user/1000/jupyter/nbserver-1762-open.html
    Or copy and paste one of these URLs:
        http://localhost:8888/?token=fdc416a5a53a8debba44f535e8bba6bb999b5faa886c110a

This displays jupyter at http://localhost:8888/tree and the contents of the launch directory.

Tried inputting this, as tried on bug #22780:

var cell = Jupyter.notebook.get_selected_cell();
var config = cell.config;
var patch = {
  CodeCell:{
    cm_config:{indentUnit:2}
  }
}
config.update(patch)

Then tried running it and hit a syntax error right away, as before.
It is pointless trying to figure out how to run this without a two-week induction course, so this is as far as it goes for testing.
Giving this a tentative OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Validating. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0457.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED