[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-8768, Ipython: Mark as no-dsa for Wheezy.

Markus Koschany apo at debian.org
Wed Mar 21 23:10:29 UTC 2018


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
df5770da by Markus Koschany at 2018-03-22T00:09:12+01:00
CVE-2018-8768, Ipython: Mark as no-dsa for Wheezy.

Ipython in Wheezy lacks sanitization of untrusted HTML completely, which means
in theory this CVE does not apply. However, due to the absence of sanitization,
it is recommended not to use Ipython's notebook with untrusted content. This
issue is no-dsa because it cannot be determined if Wheezy is still affected; a
fix appears to be too intrusive, though. We recommend upgrading to a newer
version instead.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -339,10 +339,17 @@ CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the ...)
 CVE-2018-8768 (In Jupyter Notebook before 5.4.1, a maliciously forged notebook file ...)
 	- jupyter-notebook <unfixed> (bug #893436)
 	- ipython 5.1.0-2
+	[wheezy] - Ipython <no-dsa> (requires implementation of sanitization first, see NOTES)
 	NOTE: After the reupload of ipython to Debian as 4.1.2-1 via experimental
 	NOTE: src:ipython does not provide anymore the Notebook
 	NOTE: http://www.openwall.com/lists/oss-security/2018/03/15/2
 	NOTE: Fixed by: https://github.com/jupyter/notebook/commit/4e79ebb49acac722b37b03f1fe811e67590d3831
+	NOTE: Ipython in Wheezy lacks sanitization of untrusted HTML completely
+	NOTE: which means in theory this CVE does not apply. However due to the absence of
+	NOTE: sanitization it is recommended not to use Ipython's notebook with untrusted
+	NOTE: content. This issue is no-dsa because it cannot be determined if Ipython
+	NOTE: in Wheezy is still affected, a fix appears to be to intrusive though. We recommend to
+	NOTE: upgrade to a newer version instead.
 CVE-2018-8741 (A directory traversal flaw in SquirrelMail 1.4.22 allows an ...)
 	- squirrelmail <removed> (bug #893202)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/03/17/2
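Review bot: the added release line `[wheezy] - Ipython <no-dsa> (requires implementation of sanitization first, see NOTES)` capitalises the package name, while the entry it sits under and every other entry in this hunk use the lowercase Debian source package name (`- ipython 5.1.0-2`, `- jupyter-notebook <unfixed>`, `- squirrelmail <removed>`); the tracker keys release annotations by source package, so this should read `[wheezy] - ipython <no-dsa> (...)` or the wheezy status will not attach to the ipython entry. Separately, the added NOTE lines should say "a fix appears to be too intrusive" rather than "to intrusive", and since the same NOTE states the CVE does not apply in theory, it would help future triage to state explicitly that no-dsa (rather than not-affected) was chosen because the absence of any sanitization leaves the notebook equally exposed to forged files.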



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df5770da68ddd2066ac3eedf7e41cfc71caf618f
