[Python-modules-team] Bug#925939: jupyter-notebook: CVE-2019-10255: open redirect vulnerability
Salvatore Bonaccorso
carnil at debian.org
Thu Apr 4 21:58:56 BST 2019
On Thu, Mar 28, 2019 at 10:54:17PM +0100, Salvatore Bonaccorso wrote:
> Source: jupyter-notebook
> Version: 5.7.4-2
> Severity: important
> Tags: patch security upstream
>
> Hi,
>
> The following vulnerability was published for jupyter-notebook.
>
> CVE-2019-10255[0]:
> | An Open Redirect vulnerability for all browsers in Jupyter Notebook
> | before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before
> | 0.9.5 allows crafted links to the login page, which will redirect to a
> | malicious site after successful login. Servers running on a base_url
> | prefix are not affected.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10255
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10255
>
> Please adjust the affected versions in the BTS as needed.
When fixing this issue actually make sure that not only the incomplete
fix is applied, cf.
https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4
(addressed in 5.7.8).
Regards,
Salvatore
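
An added example, not part of the original message and not the Jupyter project's code: a server-side check of a post-login redirect target of the kind this CVE concerns. The function name `safe_next_url`, its parameters and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlparse


def safe_next_url(next_url, base_url="/"):
    """Return next_url only if it is a path on this server under base_url.

    Anything else falls back to base_url (hypothetical helper, see lead-in).
    """
    if not next_url:
        return base_url
    # Backslashes are not valid in URLs, but some browsers treat "\" as "/".
    # Whitespace and control characters may be stripped before resolution.
    if "\\" in next_url or any(ord(ch) <= 0x20 for ch in next_url):
        return base_url
    # Exactly one leading slash: "//host" and "///host" can resolve off-site.
    if not next_url.startswith("/") or next_url.startswith("//"):
        return base_url
    parsed = urlparse(next_url)
    # Defense in depth: no scheme and no network location may remain.
    if parsed.scheme or parsed.netloc:
        return base_url
    # The target must stay below the server's own prefix.
    if not (parsed.path + "/").startswith(base_url):
        return base_url
    return next_url


# Constructed sample values for the "next" parameter of a login link.
SAMPLES = [
    "/tree/work?sort=name",
    "https://other.example/",
    "//other.example/tree",
    "///other.example/tree",
    "/\\other.example/tree",
    "javascript:alert(1)",
    "tree/work",
]


def check_samples(base_url="/"):
    """Map each constructed sample to the redirect target that would be used."""
    return {s: safe_next_url(s, base_url) for s in SAMPLES}


if __name__ == "__main__":
    for sample, target in check_samples().items():
        print(f"{sample!r:32} -> {target!r}")
```
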