Bug 27705 - jupyter-notebook new security issue CVE-2020-26215
Summary: jupyter-notebook new security issue CVE-2020-26215
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All / OS: Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-02 15:56 CET by David Walser
Modified: 2020-12-17 14:12 CET (History)

See Also:
Source RPM: jupyter-notebook-5.7.8-1.mga7.src.rpm
CVE: CVE-2020-26215
Status comment:



Description David Walser 2020-12-02 15:56:13 CET
Debian-LTS has issued an advisory today (December 2):
https://www.debian.org/lts/security/2020/dla-2477

The issue is fixed upstream in 6.1.5.
David Walser 2020-12-02 15:56:28 CET

CC: (none) => geiger.david68210, guillomovitch, smelror

Comment 1 Nicolas Salguero 2020-12-08 09:25:29 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. (CVE-2020-26215)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26215
https://www.debian.org/lts/security/2020/dla-2477
========================

Updated packages in core/updates_testing:
========================
jupyter-notebook-5.7.8-1.1.mga7
python-jupyter-notebook-5.7.8-1.1.mga7

from SRPM:
jupyter-notebook-5.7.8-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-26215
Assignee: pkg-bugs => qa-bugs
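
Added illustration of the bug class named in the advisory (an open redirect on a login "next" target), not code from the Jupyter Notebook project or from the Mageia package. The page does not say which parameter was affected or how upstream 6.1.5 fixed it; the parameter name "next", the default landing page "/tree", the base_url argument and both function names are assumptions made here. The weak validator lets a protocol-relative target ("//evil.example/") through, which a browser resolves against the notebook server's scheme and follows off-site; the hardened one accepts only a same-origin path and rebuilds the result from the parsed components instead of echoing the raw string:

```python
"""Redirect-target validation of the kind an open-redirect fix needs.

Added illustration, not code from the Jupyter Notebook project or the
Mageia package. The query-parameter name ``next``, the ``/tree`` default,
``base_url`` and the function names are assumptions made here; the bug
page does not name them.
"""
from urllib.parse import urlsplit


def naive_next_url(next_url: str, default: str = "/tree") -> str:
    """Weak check: rejects only an explicit http(s) scheme.

    A protocol-relative target such as ``//evil.example/`` passes, and a
    browser resolves it against the current scheme, so the user lands on
    ``https://evil.example/``. This is the class of bug the advisory describes.
    """
    if not next_url:
        return default
    if next_url.startswith(("http://", "https://")):
        return default
    return next_url


def safe_next_url(next_url: str, base_url: str = "/", default: str = "/tree") -> str:
    """Hardened check: accept only a same-origin path below ``base_url``.

    The target is parsed, every component that could name another origin
    (scheme, netloc) is rejected, and the result is rebuilt from the parsed
    path/query/fragment instead of echoing the raw string. Rebuilding is what
    neutralises ``///evil.example``: urlsplit yields an empty netloc and the
    path ``/evil.example``, so the caller gets a harmless same-origin path,
    whereas a browser would have read the raw ``///evil.example`` as a host.
    """
    if not next_url:
        return default
    # Some browsers normalise '\' to '/', turning '/\evil.example' into
    # '//evil.example'; refuse backslashes instead of trying to be clever.
    if "\\" in next_url:
        return default
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return default          # absolute or protocol-relative URL
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return default          # relative-to-page, or still host-like ('////h')
    if not path.startswith(base_url):
        return default          # outside the server's own prefix
    rebuilt = path
    if parts.query:
        rebuilt += "?" + parts.query
    if parts.fragment:
        rebuilt += "#" + parts.fragment
    return rebuilt


if __name__ == "__main__":
    # Constructed sample targets, not captured from any real server.
    samples = [
        "/notebooks/Untitled.ipynb",
        "//evil.example/",
        "///evil.example",
        "////evil.example",
        "https://evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
    ]
    for target in samples:
        print(f"{target!r:28} naive={naive_next_url(target)!r:26} "
              f"safe={safe_next_url(target)!r}")
```

Running the file prints one line per constructed target with what each validator would send the browser to; the point to take away is that a scheme prefix check alone is not enough, and that the safe value has to be reassembled from parsed components rather than passed through.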

Comment 2 Len Lawrence 2020-12-14 17:02:18 CET
mga7, x64

Installed the 53 release and update packages.

$ jupyter-notebook --generate-config
Overwrite /home/lcl/.jupyter/jupyter_notebook_config.py with default config? [y/N] n
$
$ jupyter-notebook
[I 15:18:21.818 NotebookApp] Writing notebook server cookie secret to /run/user/1000/jupyter/notebook_cookie_secret
[I 15:18:21.977 NotebookApp] Serving notebooks from local directory: /home/lcl/qa/jupyter-notebook
[I 15:18:21.977 NotebookApp] The Jupyter Notebook is running at:
[I 15:18:21.977 NotebookApp] http://localhost:8888/?token=fdc416a5a53a8debba44f535e8bba6bb999b5faa886c110a
[I 15:18:21.977 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 15:18:22.001 NotebookApp] 
    
    To access the notebook, open this file in a browser:
        file:///run/user/1000/jupyter/nbserver-1762-open.html
    Or copy and paste one of these URLs:
        http://localhost:8888/?token=fdc416a5a53a8debba44f535e8bba6bb999b5faa886c110a

This displays jupyter at http://localhost:8888/tree
and the contents of the launch directory.

Tried inputting this - as tried on bug #22780:

// Browser JavaScript: run from the developer console of an open notebook page,
// where `Jupyter` is the classic front-end's global object (it is not Python).
var cell = Jupyter.notebook.get_selected_cell();
var config = cell.config;
// Patch the CodeMirror options used for code cells: two-space indentation.
var patch = {
    CodeCell: {
        cm_config: { indentUnit: 2 }
    }
};
config.update(patch);

Then tried running it and hit a syntax error right away, as before.
It is pointless trying to figure out how to run this without a two week induction course so this is as far as it goes for testing.

Giving this a tentative OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 3 Aurelien Oudelet 2020-12-14 18:37:36 CET
Validating.
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 4 Mageia Robot 2020-12-17 14:12:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0457.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
