Date: Sat, 17 Mar 2018 15:05:46 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: security <security@...thon.org>, MinRK <benjaminrk@...il.com>,
	jkamens@...ntopian.com, ssanderson@...ntopian.com
Subject: Re: CVE request: maliciously crafted notebook files in Jupyter

Hi,

On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
> Email address of requester: security@...thon.org, thomas@...yver.me.uk, benjaminrk@...il.com, jkamens@...ntopian.com, ssanderson@...ntopian.com
> 
> Software name: Jupyter Notebook (formerly IPython Notebook)
> Type of vulnerability: Maliciously forged file
> Attack outcome: Possible remote execution
> 
> Vulnerability: A maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
> 
> Affected versions:
> 
> - notebook ≤ 5.4.0
> 
> URI with issues:
> 
> - GET /notebook/**
> 
> Patches: not yet finalised
> 
> Mitigations:
> 
> Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> If using pip,
> 
>     pip install --upgrade notebook
> 
> For conda:
> 
>     conda update conda
>     conda update notebook
> 
> Vulnerability reported by vkgonka@...l.ru, via Jonathan Kamens at Quantopian

Thanks for the heads-up.

This reply is mainly for this other purpose: it looks like you wanted to
have a CVE assigned through this reply to the list. CVEs can no
longer be requested via the oss-security list. If you want to request
one, please have a look at https://cveform.mitre.org/

Once you have the CVE assigned, can you please loop back the
assignment in this thread?

Regards,
Salvatore
