Date: Sun, 18 Mar 2018 07:59:06 +0000
From: Thomas Kluyver <takowl@...il.com>
To: Salvatore Bonaccorso <carnil@...ian.org>
Cc: oss-security@...ts.openwall.com, security <security@...thon.org>, 
	MinRK <benjaminrk@...il.com>, jkamens@...ntopian.com, ssanderson@...ntopian.com
Subject: Re: CVE request: maliciously crafted notebook files in Jupyter

Thanks Salvatore. Devdatta Akhawe filled in the form on my behalf, and
we've now been assigned CVE-2018-8768.

I'm going to merge the fix now and start the release process for 5.4.1.

Thomas

On 17 March 2018 at 14:05, Salvatore Bonaccorso <carnil@...ian.org> wrote:

> Hi,
>
> On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
> > Email address of requester: security@...thon.org, thomas@...yver.me.uk,
> > benjaminrk@...il.com, jkamens@...ntopian.com, ssanderson@...ntopian.com
> >
> > Software name: Jupyter Notebook (formerly IPython Notebook)
> > Type of vulnerability: Maliciously forged file
> > Attack outcome: Possible remote execution
> >
> > Vulnerability: A maliciously forged notebook file can bypass
> > sanitization to execute Javascript in the notebook context. Specifically,
> > invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
> >
> > Affected versions:
> >
> > - notebook ≤ 5.4.0
> >
> > URI with issues:
> >
> > - GET /notebook/**
> >
> > Patches:  not yet finalised
> >
> > Mitigations:
> >
> > Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> > If using pip,
> >
> >     pip install --upgrade notebook
> >
> > For conda:
> >
> >     conda update conda
> >     conda update notebook
> >
> > Vulnerability reported by vkgonka@...l.ru, via Jonathan Kamens at
> > Quantopian
>
> Thanks for the heads-up.
>
> This reply is mainly for this other purpose: It looks like you wanted to
> have a CVE assigned through this reply to the list. CVEs can no longer
> be requested via the oss-security list. If you want to request
> one please have a look at https://cveform.mitre.org/
>
> Once you have the CVE assigned, can you please loop back the
> assignment in this thread?
>
> Regards,
> Salvatore
>
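
The report quoted above concerns notebook content that the browser renders as HTML (Markdown cells and `text/html` outputs). As an added example that is not part of this thread or of the Jupyter project's code, the following Python script walks an `.ipynb` file using the standard nbformat layout (`cells`, `cell_type`, `source`, `outputs[].data["text/html"]`) and lists the elements and attributes a reviewer would want to see before opening an untrusted notebook in a trusted session. The sample notebook embedded at the bottom is constructed for the demonstration; the function and class names are my own.

```python
"""Triage helper for untrusted .ipynb files.

Added example, not Jupyter project code. A notebook stores content that the
front end turns into live HTML in two places: Markdown cells (`source`) and
code-cell outputs whose `data` dict carries a `text/html` entry. This walker
lists those locations and flags script-like elements, inline event-handler
attributes and javascript: URLs so a reviewer can decide what to do with the
file before it is opened.
"""
import json
import sys
from html.parser import HTMLParser


class RiskyMarkupFinder(HTMLParser):
    """Collect script-capable elements, on* attributes and javascript: URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # HTMLParser lowercases attribute names; value is None when absent
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name} handler")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name} javascript: URL")


def scan_html(html):
    """Return the list of findings for one HTML blob."""
    parser = RiskyMarkupFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def _as_text(value):
    # nbformat allows a string or a list of line fragments
    return "".join(value) if isinstance(value, list) else value


def scan_notebook(nb):
    """Return (location, finding) pairs for every HTML-bearing spot in the notebook."""
    report = []
    for idx, cell in enumerate(nb.get("cells", [])):
        ctype = cell.get("cell_type")
        if ctype == "markdown":
            for finding in scan_html(_as_text(cell.get("source", ""))):
                report.append((f"cell {idx} (markdown)", finding))
        elif ctype == "code":
            for oidx, out in enumerate(cell.get("outputs", [])):
                data = out.get("data", {})
                if "text/html" in data:
                    for finding in scan_html(_as_text(data["text/html"])):
                        report.append((f"cell {idx} output {oidx} (text/html)", finding))
    return report


# Constructed sample notebook (hypothetical content, not a real file).
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 2, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Title\n", "<b>plain formatting</b>"]},
        {"cell_type": "code", "metadata": {}, "execution_count": 1,
         "source": ["display(HTML(...))"],
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/html": ["<div onmouseover=\"track()\">hover</div>"],
                               "text/plain": ["<IPython.core.display.HTML object>"]}}]},
        {"cell_type": "code", "metadata": {}, "execution_count": 2,
         "source": ["obj"],
         "outputs": [{"output_type": "execute_result", "metadata": {},
                      "execution_count": 2,
                      "data": {"text/html": "<script>console.log(1)</script>"}}]},
    ],
})


if __name__ == "__main__":
    paths = sys.argv[1:]
    notebooks = [(p, json.load(open(p))) for p in paths] or [("sample", json.loads(SAMPLE_NOTEBOOK))]
    for name, nb in notebooks:
        for location, finding in scan_notebook(nb):
            print(f"{name}: {location}: {finding}")
```

Run it with one or more notebook paths, or with no arguments to scan the embedded sample. The check is a triage aid only: it parses with Python's `html.parser`, and the report above is exactly about a scanner and a browser-side library disagreeing on how broken markup should be repaired, so a clean result here does not replace upgrading to a fixed notebook release.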
