[Python-modules-team] Bug#789824: ipython: CVE-2015-4707: XSS in JSON error responses
Moritz Mühlenhoff
jmm at inutil.org
Tue Jul 14 22:08:36 UTC 2015
On Wed, Jun 24, 2015 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: ipython
> Version: 2.1.0-1
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for ipython.
>
> CVE-2015-4707[0]:
> IPython XSS in JSON error responses -- /api/notebooks path
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-4707
> [1] http://www.openwall.com/lists/oss-security/2015/06/22/4
> [2] http://www.openwall.com/lists/oss-security/2015/06/22/7
There's an additional vulnerability (currently without a CVE ID):
http://www.openwall.com/lists/oss-security/2015/07/12/4
Patches:
https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 (2.x)
https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 (3.x)
Both of these vulnerabilities don't warrant a DSA, but it would still
be good if you would fix them through a point update:
https://www.debian.org/doc/manuals/developers-reference/ch05.de.html#upload-stable
Cheers,
Moritz
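As an added illustration of the bug class named in the report (reflected XSS through an error response), here is a generic pair of error handlers in plain Python. This is example code written for this page, not IPython's handler and not the content of the linked commits; the sample path and the function names are constructed for the demonstration.

```python
import json

# Constructed sample request path: a user-controlled value that an error
# handler would echo back (for instance "notebook not found: <path>").
SAMPLE_PATH = '/api/notebooks/<script>alert(1)</script>.ipynb'


def build_error_response_unsafe(status, reason, path):
    """Vulnerable pattern: the requested path is interpolated, unescaped,
    into a body served as text/html, so a browser renders the path as markup.
    Returns (status, headers, body)."""
    body = "<html><body><h1>%d %s</h1><p>Not found: %s</p></body></html>" % (
        status, reason, path)
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    return status, headers, body


def build_error_response_json(status, reason, path):
    """Hardened pattern for an API endpoint: the error is serialised as JSON,
    served with an application/json Content-Type and nosniff so the browser
    never treats the body as a document. '<' and '>' are additionally written
    as \\u003c / \\u003e, which JSON decodes transparently but which keeps the
    body free of raw tag characters even if a client later pastes it into HTML."""
    payload = {"status": status, "reason": reason, "path": path}
    body = json.dumps(payload).replace("<", "\\u003c").replace(">", "\\u003e")
    headers = {
        "Content-Type": "application/json; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    }
    return status, headers, body


def decode_error_body(body):
    """Client side of the hardened form: the escaped body decodes back to the
    original path without any loss."""
    return json.loads(body)


def reflects_raw_input(headers, body, user_input):
    """Simple response check usable in a test suite or a proxy rule: flags a
    response that is served as HTML and contains the user-supplied value
    verbatim, which is the precondition for the reflected XSS above."""
    ctype = headers.get("Content-Type", "")
    return ctype.startswith("text/html") and user_input in body


if __name__ == "__main__":
    for builder in (build_error_response_unsafe, build_error_response_json):
        status, headers, body = builder(404, "Not Found", SAMPLE_PATH)
        print(builder.__name__, headers["Content-Type"],
              "reflects raw input:", reflects_raw_input(headers, body, SAMPLE_PATH))
```

The check in `reflects_raw_input` is deliberately narrow: it only looks for the verbatim echo of the input in an HTML-typed body, which is the condition both the JSON content type and the escaping of the hardened variant remove.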