Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Mar 2018 21:36:45 -0700
From: Fernando Perez <Fernando.Perez@...keley.edu>
To: Thomas Kluyver <takowl@...il.com>
Cc: Salvatore Bonaccorso <carnil@...ian.org>, oss-security@...ts.openwall.com, 
	security <security@...thon.org>, MinRK <benjaminrk@...il.com>, jkamens@...ntopian.com, 
	Scott Sanderson <ssanderson@...ntopian.com>
Subject: Re: CVE request: maliciously crafted notebook files in Jupyter

A huge thanks to the Quantopian team, Thomas and everyone else who worked
to bring this to a quick resolution.

I was really impressed by the response and quick collaboration from all
parties.

Best,

f

On Sun, Mar 18, 2018 at 12:59 AM, Thomas Kluyver <takowl@...il.com> wrote:

> Thanks Salvatore. Devdatta Akhawe filled in the form on my behalf, and
> we've now been assigned CVE-2018-8768.
>
> I'm going to merge the fix now and start the release process for 5.4.1.
>
> Thomas
>
>
> On 17 March 2018 at 14:05, Salvatore Bonaccorso <carnil@...ian.org> wrote:
>
>> Hi,
>>
>> On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
>> > Email address of requester: security@...thon.org, thomas@...yver.me.uk,
>> benjaminrk@...il.com, jkamens@...ntopian.com, ssanderson@...ntopian.com
>> >
>> > Software name: Jupyter Notebook (formerly IPython Notebook)
>> > Type of vulnerability: Maliciously forged file
>> > Attack outcome: Possible remote execution
>> >
>> > Vulnerability: A maliciously forged notebook file can bypass
>> sanitization to execute Javascript in the notebook context. Specifically,
>> invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
>> >
>> > Affected versions:
>> >
>> > - notebook ≤ 5.4.0
>> >
>> > URI with issues:
>> >
>> > - GET /notebook/**
>> >
>> > Patches:  not yet finalised
>> >
>> > Mitigations:
>> >
>> > Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
>> > If using pip,
>> >
>> >     pip install --upgrade notebook
>> >
>> > For conda:
>> >
>> >     conda update conda
>> >     conda update notebook
>> >
>> > Vulnerability reported by vkgonka@...l.ru , via Jonathan Kamens at
>> Quantopian
>>
>> Thanks for the headsup.
>>
>> This reply is mainly for this other purpose: It looks you wanted to
>> have a CVE assigned trough this reply to the list. CVE's cannot
>> anymore be requested via the oss-security list. If you want to request
>> one please have a look at https://cveform.mitre.org/
>>
>> Once you have the CVE assigned, can you please loop back the
>> assignement in this thread?
>>
>> Regards,
>> Salvatore
>>
>
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ