Skip to content
This repository has been archived by the owner on Jun 3, 2024. It is now read-only.

Update dependency notebook to v6.4.12 [SECURITY] #111

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency notebook to v6.4.12 [SECURITY] #111

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 16, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
notebook ==6.0.3 -> ==6.4.12 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-26215

localhost

Impact

What kind of vulnerability is it? Who is impacted?

Open redirect vulnerability - a maliciously crafted link to a notebook server could redirect the browser to a different website.

All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet.

Patches

Has the problem been patched? What versions should users upgrade to?

Patched in notebook 6.1.5

References

OWASP page on open redirects

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: zhuonan li of Alibaba Application Security Team

CVE-2021-32798

Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

Patches

5.7.11, 6.4.1

References

OWASP Page on Injection Prevention

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

Example:

A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):

{ "cell_type": "code", "execution_count": 0, "metadata": {}, "outputs": [ { "data": { "text/html": [ "<select><iframe></select><img src=x: onerror=alert('xss')>\n"], "text/plain": [] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "" ] }

CVE-2021-32797

Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

Patches

Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.

References

OWASP Page on Restricting Form Submissions

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

CVE-2022-24758

Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server.

Upgrade to notebook version 6.4.10

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: @​3coins for reporting. Thank you!

CVE-2022-29238

Impact

What kind of vulnerability is it? Who is impacted?

Authenticated requests to the notebook server with ContentsManager.allow_hidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.

Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. ~/.ssh while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed.

Patches

Has the problem been patched? What versions should users upgrade to?

notebook 6.4.12

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

  • Do not run the notebook server in a directory with hidden files, use subdirectories
  • Use a custom ContentsManager with additional checks for self.is_hidden(path) prior to completing actions

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Release Notes

jupyter/notebook (notebook)

v6.4.12

Compare Source

What's Changed

Full Changelog: jupyter/notebook@v6.4.11...6.4.12

v6.4.11

Compare Source

6.4.11

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​echarles | @​fcollonval | @​github-actions | @​jtpio | @​penguinolog

v6.4.10

Compare Source

v6.4.9

Compare Source

v6.4.8

Compare Source

(Full Changelog)

Bugs fixed
Contributors to this release

(GitHub contributors page for this release)

@​Vishwajeet0510

v6.4.7

Compare Source

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
Other merged PRs
Contributors to this release

(GitHub contributors page for this release)

@​antoinecarme | @​blink1073 | @​ccw630 | @​kevin-bates | @​LiHua-Official | @​penguinolog | @​tornaria

v6.4.6

Compare Source

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
  • TST: don't look in user site for serverextensions #​6233 (@​bnavigator)
  • Enable terminal tests as pywinpty is ported for python 3.9 #​6228 (@nsait-linaro)
Contributors to this release

(GitHub contributors page for this release)

@​bnavigator | @​dleen | @​dolfinus | @​jackexu | @​kevin-bates | @​maliubiao | @nsait-linaro | @​takluyver | @​Zsailer

v6.4.5

Compare Source

(Full Changelog)

Bug fixes
Maintenance and upkeep improvements
Documentation improvements
Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​jgarte | @​kevin-bates | @​martinRenou | @​mgeier

v6.4.4

Compare Source

(Full Changelog)

Documentation improvements
Other merged PRs
Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​kevin-bates | @​krassowski | @​massongit | @​minrk | @​Zsailer

v6.4.3

Compare Source

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​blink1073 | @​Zsailer

v6.4.2

Compare Source

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​Amr-Ibra | @​frenzymadness | @​ilayh123 | @​kevin-bates | @​Nazeeh21 | @​saiwing-yeung

v6.4.1

Compare Source

v6.4.0

Compare Source

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
Documentation improvements
Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​befeleme | @​blink1073 | @​faucct | @​frenzymadness | @​gamestrRUS | @​jtpio | @​kevin-bates | @​minrk | @​misterhay | @​stef4k | @​wggillen

v6.3.0

Compare Source

Merged PRs
Contributors to this release

(GitHub contributors page for this release)

@​abielhammonds | @​afshin | @​ajharry | @​Alokrar | @​befeleme | @​blairdrummond | @​blink1073 | @​bollwyvl | @​Carreau | @​ChenChenDS | @​cosmoscalibur | @​dlrice | @​dwanneruchi | @​ElisonSherton | @​FazeelUsmani | @​frenzymadness | @​goerz | @​insolor | @​jasongrout | @​JianghuiDu | @​JuzerShakir | @​kevin-bates | @​Khalilsqu | @​meeseeksdev | @​mgeier | @​michaelpedota | @​mjbright | @​MSeal | @​ncoughlin | @​NTimmons | @​ProsperousHeart | @​rjn01 | @​slw07g | @​stenivan | @​takluyver | @​thomasrockhu | @​wgilpin | @​wxtt522 | @​yuvipanda | @​Zsailer

v6.2.0

Compare Source

v6.1.6

Compare Source

v6.1.5

Compare Source

6.1.5 is a security release, fixing one vulnerability:

v6.1.4

Compare Source

  • Fix broken links to jupyter documentation (5686)
  • Add additional entries to troubleshooting section (5695)
  • Revert change in page alignment (5703)
  • Bug fix: remove double encoding in download files (5720)
  • Fix typo for Check in zh_CN (5730)
  • Require a file name in the "Save As" dialog (5733)

Thank you to all the contributors:

  • bdbai
  • Jaipreet Singh
  • Kevin Bates
  • Pavel Panchekha
  • Zach Sailer

v6.1.3

Compare Source

  • Title new buttons with label if action undefined (5676)

Thank you to all the contributors:

  • Kyle Kelley

v6.1.2

Compare Source

  • Fix russian message format for delete/duplicate actions (5662)
  • Remove unnecessary import of bind_unix_socket (5666)
  • Tooltip style scope fix (5672)

Thank you to all the contributors:

  • Dmitry Akatov
  • Kevin Bates
  • Magda Stenius

v6.1.1

Compare Source

  • Prevent inclusion of requests_unixsocket on Windows (5650)

Thank you to all the contributors:

  • Kevin Bates

v6.1.0

Compare Source

Please note that this repository is currently maintained by a skeleton
crew of maintainers from the Jupyter community. For our approach moving
forward, please see this
notice from the README.
Thank you.

Here is an enumeration of changes made since the last release and
included in 6.1.0.

  • Remove deprecated encoding parameter for Python 3.9 compatibility. (5174)
  • Add support for async kernel management (4479)
  • Fix typo in password_required help message (5320)
  • Gateway only: Ensure launch and request timeouts are in sync (5317)
  • Update Markdown Cells example to HTML5 video tag (5411)
  • Integrated LoginWidget into edit to enable users to logout from the t... (5406)
  • Update message about minimum Tornado version (5222)
  • Logged notebook type (5425)
  • Added nl language (5354)
  • Add UNIX socket support to notebook server. (4835)
  • Update CodeMirror dependency (5198)
  • Tree added download multiple files (5351)
  • Toolbar buttons tooltip: show help instead of label (5107)
  • Remove unnecessary import of requests_unixsocket (5451)
  • Add ability to cull terminals and track last activity (5372)
  • Code refactoring notebook.js (5352)
  • Install terminado for docs build (5462)
  • Convert notifications JS test to selenium (5455)
  • Add cell attachments to markdown example (5412)
  • Add Japanese document (5231)
  • Migrate Move multiselection test to selenium (5158)
  • Use cmdtrl-enter to run a cell (5120)
  • Fix broken "Raw cell MIME type" dialog (5385)
  • Make a notebook writable after successful save-as (5296)
  • Add actual watch script (4738)
  • Added --autoreload flag to NotebookApp (4795)
  • Enable check_origin on gateway websocket communication (5471)
  • Restore detection of missing terminado package (5465)
  • Culling: ensure last_activity attr exists before use (5355)
  • Added functionality to allow filter kernels by Jupyter Enterprise Gat... (5484)
  • 'Play' icon for run-cell toolbar button (2922)
  • Bump minimum version of jQuery to 3.5.0 (5491)
  • Remove old JS markdown tests, add a new one in selenium (5497)
  • Add support for more RTL languages (5036)
  • Make markdown cells stay RTL in edit mode (5037)
  • Unforce RTL output display (5039)
  • Fixed multicursor backspacing (4880)
  • Implemented Split Cell for multicursor (4824)
  • Alignment issue [FIXED] (3173)
  • MathJax: Support for \gdef (4407)
  • Another (Minor) Duplicate Code Reduction (5316)
  • Update readme regarding maintenance (5500)
  • Document contents chunks (5508)
  • Backspace deletes empty line (5516)
  • The dropdown submenu at notebook page is not keyboard accessible (4732)
  • Tooltips visible through keyboard navigation for specified buttons (4729)
  • Fix for recursive symlink (4670)
  • Fix for the terminal shutdown issue (4180)
  • Add japanese translation files (4490)
  • Workaround for socket permission errors on Cygwin (4584)
  • Implement optional markdown header and footer files (4043)
  • Remove double link when using custom_display_url (5544)
  • Respect cell.is_editable during find-and-replace (5545)
  • Fix exception causes all over the codebase (5556
  • Improve login shell heuristics (5588)
  • Added support for JUPYTER_TOKEN_FILE (5587)
  • Kill notebook itself when server cull idle kernel (5593)
  • Implement password hashing with bcrypt (3793)
  • Fix broken links (5600)
  • Russian internationalization support (5571)
  • Add a metadata tag to override notebook direction (ltr/rtl) (5052)
  • Paste two images from clipboard in markdown cell (5598)
  • Add keyboard shortcuts to menu dropdowns (5525)
  • Update codemirror to 5.56.0+components1 (5637)

Thank you to all the contributors:

  • Aaron Myatt
  • Adam Blake
  • Afshin Taylor Darian
  • Aman Bansal
  • Ben Thayer
  • berendjan
  • Bruno P. Kinoshita
  • bzinberg
  • Christophe Cadilhac
  • Daiki Katsuragawa
  • David Lukes
  • Dmitriy Q
  • dmpe
  • dylanzjy
  • dSchurch
  • E. M. Bray
  • ErwinRussel
  • Felix Mönckemeyer
  • Grant Nestor
  • Jarrad Whitaker
  • Jesus Panales Castillo
  • Joshua Zeltser
  • Karthikeyan Singaravelan
  • Kenichi Ito
  • Kevin Bates
  • Koki Nishihara
  • Kris Wilson
  • Kyle Kelley
  • Laura Merlo
  • levinxo
  • Luciano Resende
  • Luis Cabezon Manchado
  • Madhusudhan Srinivasa
  • Matthias Geier
  • mattn
  • Max Klein
  • Min RK
  • Mingxuan Lin
  • Mohammad Mostafa Farzan
  • Niko Felger
  • Norah Abanumay
  • Onno Broekmans
  • PierreMB
  • pinarkavak
  • Ram Rachum
  • Reece Hart
  • Remi Rampin
  • Rohit Sanjay
  • Shane Canon
  • Simon Li
  • Steinar Sturlaugsson
  • Steven Silvester
  • taohan16
  • Thew Dhanat
  • Thomas Kluyver
  • Toon Baeyens
  • Vidar Tonaas Fauske
  • Zachary Sailer

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title Update dependency notebook to v6.4.12 [SECURITY] Update dependency notebook to v6.4.12 [SECURITY] - autoclosed Jul 21, 2023
@renovate renovate bot closed this Jul 21, 2023
@renovate renovate bot deleted the renovate/pypi-notebook-vulnerability branch July 21, 2023 13:25
@renovate renovate bot changed the title Update dependency notebook to v6.4.12 [SECURITY] - autoclosed Update dependency notebook to v6.4.12 [SECURITY] Jul 21, 2023
@renovate renovate bot reopened this Jul 21, 2023
@renovate renovate bot restored the renovate/pypi-notebook-vulnerability branch July 21, 2023 16:03
@renovate renovate bot force-pushed the renovate/pypi-notebook-vulnerability branch from b59fd1d to a2fd3e6 Compare July 21, 2023 16:04
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants