UbuntuUpdates.org

Package "python-notebook"

Name: python-notebook

Description:

Jupyter interactive notebook (Python 2)

Latest version: 5.2.2-1ubuntu0.1
Release: bionic (18.04)
Level: security
Repository: universe
Head package: jupyter-notebook
Homepage: https://github.com/jupyter/notebook

Links


Download "python-notebook"


Other versions of "python-notebook" in Bionic

Repository Area Version
base universe 5.2.2-1
updates universe 5.2.2-1ubuntu0.1

Changelog

Version: 5.2.2-1ubuntu0.1 2022-08-30 12:06:19 UTC

  jupyter-notebook (5.2.2-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting via untrusted notebook (LP: #1982670)
    - debian/patches/CVE-2018-19351.patch: Apply CSP sandboxing to nbconvert
      responses.
    - CVE-2018-19351
  * SECURITY UPDATE: Cross-site inclusion on malicious pages (LP: #1982670)
    - debian/patches/CVE-2019-9644-1.patch: Block cross-origin GET and HEAD
      requests with mismatched Referer.
    - debian/patches/CVE-2019-9644-2.patch: Add CSRF checks on files endpoints.
    - debian/patches/CVE-2019-9644-3.patch: Set X-Content-Type-Options: nosniff
      on all handlers for protecting non-script resources.
    - CVE-2019-9644
  * SECURITY UPDATE: Crafted link to login page redirects to malicious site
    (LP: #1982670)
    - debian/patches/CVE-2019-10255-1.patch: Parse URLs when validating redirect
      targets.
    - debian/patches/CVE-2019-10255-2.patch: Protect against Chrome mishandling
      backslashes as slashes in URLs.
    - debian/patches/CVE-2019-10255-3.patch: Handle empty netloc being
      interpreted as first path part being the netloc by buggy browsers.
    - CVE-2019-10255, CVE-2019-10856
  * SECURITY UPDATE: Cross-site scripting (LP: #1982670)
    - debian/patches/CVE-2018-21030-1.patch: Use CSP header to treat served
      files as belonging to a separate origin.
    - debian/patches/CVE-2018-21030-2.patch: Add a content_security_policy
      property instead of the CSP header.
    - CVE-2018-21030
  * SECURITY UPDATE: Crafted link to login page redirects to spoofed server
    (LP: #1982670)
    - debian/patches/CVE-2020-26215.patch: Validate redirect target in
      TrailingSlashHandler.
    - CVE-2020-26215
  * SECURITY UPDATE: Sensitive information disclosure leading to unauthorized
    access (LP: #1982670)
    - debian/patches/CVE-2022-24758.patch: Log only a non-sensitive subset of
      the headers when a HTTP 5xx error other than HTTP 502 is triggered.
    - CVE-2022-24758
  * Address Lintian warnings.

 -- Luís Infante da Câmara <email address hidden> Sun, 28 Aug 2022 23:00:01 +0100

1982670 Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic
CVE-2018-19351 Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook
CVE-2019-9644 An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users
CVE-2019-10255 An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allow
CVE-2019-10856 In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255.
CVE-2018-21030 Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload ca
CVE-2020-26215 Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser
CVE-2022-24758 The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive



About   -   Send Feedback to @ubuntu_updates