upgrade jupyterhub-server-proxy #12

Open
eeholmes opened this issue Apr 9, 2024 · 0 comments

eeholmes commented Apr 9, 2024

Dear Hub Champion,

If you are not using custom-built images for your JupyterHub, then 2i2c has already taken action to secure your hub. Please disregard the rest of this message.

We would like you to be aware of a potential vulnerability for JupyterHubs. If you are using a custom image with jupyter-server-proxy installed, then please take action to secure your hub. The affected versions are <=4.1.0 and <=3.2.2 and may be pulled in as a dependency of other packages.

Recommended actions

- If your custom image is based on an upstream community image, then update your base image to the latest version.
- If your custom image is using pip, conda or similar, then you may need to explicitly pin all of your packages to versions compatible with patched versions of jupyter-server-proxy.
- Once you have updated and re-built your image, test that it is indeed using a patched version (>=4.1.1 or >=3.2.3) of jupyter-server-proxy.

See the security advisory on GitHub for full details and instructions on how to check for this vulnerability, GHSA-w3vc-fx9p-wp4v.

Optional: A note on upgrading JupyterHub

You may also want to take this opportunity to upgrade your custom image to JupyterHub version >=4.1.0 to address a separate JupyterHub vulnerability, GHSA-7r3h-4ph8-w38g. You may experience XSRF and 403 bugs in JupyterHub versions 4.1.0 – 4.1.4, therefore we recommend:

- upgrading JupyterHub to >=4.1.5
- upgrading nbgitpuller to >=1.2.1 (if using)
- upgrading jupyterhub-singleuser to the latest version (if using conda/mamba)

You are receiving this email because you are noted as a 'technical contact' for your community. If you do not wish to receive such emails or there is someone else in your organization who should be receiving this kind of email, please let me know at jwong@2i2c.org. Thank you!

Best wishes,
Jenny Wong
2i2c
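The notice's last recommended action is to verify, after rebuilding, that the image really carries a patched jupyter-server-proxy. The script below is an added example for doing that check inside the rebuilt image; it is not code from the 2i2c message, from 2i2c, or from any Jupyter project. It encodes only the thresholds the message states (jupyter-server-proxy >=4.1.1 or >=3.2.3, JupyterHub >=4.1.5, nbgitpuller >=1.2.1), reads installed versions with `importlib.metadata`, and assumes that a pre-release tag on an otherwise fixed version (e.g. `4.1.1rc1`) may be ignored. The one point worth the extra code is that the two patched lines must be checked per major version: a naive "version >= 3.2.3" test would wave through 4.0.0, which is inside the affected `<=4.1.0` range.

```python
"""Version check for the packages named in the 2i2c notice above.

Added example, not code from the 2i2c message, from 2i2c or from any Jupyter
project. It encodes the thresholds the message gives (jupyter-server-proxy
>=4.1.1 / >=3.2.3, JupyterHub >=4.1.5, nbgitpuller >=1.2.1) and reads the
versions installed in the current environment via importlib.metadata.
"""
import re
from importlib import metadata

# Patched threshold per major line, taken from the message above. Keyed by
# major so that a 4.0.x build is not reported as safe merely because 4.0.0
# sorts above 3.2.3: the affected range is "<=4.1.0 and <=3.2.2".
PATCHED = {
    "jupyter-server-proxy": {3: (3, 2, 3), 4: (4, 1, 1)},
    "jupyterhub": {4: (4, 1, 5)},
    "nbgitpuller": {1: (1, 2, 1)},
}


def parse_version(text):
    """Return the numeric release part of a version string as a 3-tuple.

    Pre-release/local suffixes ("4.1.1rc1", "4.1.1+local") are ignored, so a
    release candidate of a fixed version counts as fixed. That is an
    assumption of this example, not something the notice states.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]  # "4.1" -> (4, 1, 0)


def is_patched(package, version):
    """True if `version` of `package` meets the notice's upgrade threshold.

    Rules: a major line with a named threshold must be at or above it; a
    major newer than every named line is treated as released after the fix;
    a major older than every named line is below all thresholds and fails.
    """
    lines = PATCHED[package]
    v = parse_version(version)
    major = v[0]
    if major in lines:
        return v >= lines[major]
    return major > max(lines)


def check_installed(packages=PATCHED):
    """Map each package to (installed_version, status) for this environment.

    status is "patched", "VULNERABLE" or "not installed"; an image that does
    not ship a package has nothing to fix for that entry.
    """
    report = {}
    for name in packages:
        try:
            installed = metadata.version(name)
        except metadata.PackageNotFoundError:
            report[name] = (None, "not installed")
            continue
        status = "patched" if is_patched(name, installed) else "VULNERABLE"
        report[name] = (installed, status)
    return report


if __name__ == "__main__":
    for name, (ver, status) in check_installed().items():
        print(f"{name:22s} {ver or '-':10s} {status}")
```

Run it with the image's own interpreter (for example `docker run --rm <image> python check.py`, where `check.py` is whatever name you give this file) rather than on the build host, since the point is what the rebuilt image ships, not what happens to be installed locally.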
