svn commit: r495996 - head/security/vuxml
Sunpoet Po-Chuan Hsieh
sunpoet at FreeBSD.org
Sat Mar 16 23:23:21 UTC 2019
Author: sunpoet
Date: Sat Mar 16 23:23:16 2019
New Revision: 495996
URL: https://svnweb.freebsd.org/changeset/ports/495996
Log:
Document py-notebook vulnerability
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Mar 16 23:23:10 2019 (r495995)
+++ head/security/vuxml/vuln.xml Sat Mar 16 23:23:16 2019 (r495996)
@@ -58,6 +58,43 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="72a6e3be-483a-11e9-92d7-f1590402501e">
+ <topic>Jupyter notebook -- cross-site inclusion (XSSI) vulnerability</topic>
+ <affects>
+ <package>
+ <name>py27-notebook</name>
+ <name>py35-notebook</name>
+ <name>py36-notebook</name>
+ <name>py37-notebook</name>
+ <range><lt>5.7.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jupyter notebook Changelog:</p>
+ <blockquote cite="https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst">
+ <p>5.7.6 contains a security fix for a cross-site inclusion (XSSI)
+ vulnerability, where files at a known URL could be included in a page
+ from an unauthorized website if the user is logged into a Jupyter
+ server. The fix involves setting the X-Content-Type-Options: nosniff
+ header, and applying CSRF checks previously on all non-GET API requests
+ to GET requests to API endpoints and the /files/ endpoint.</p>
+ <p>The attacking page is able to access some contents of files when using
+ Internet Explorer through script errors, but this has not been
+ demonstrated with other browsers. A CVE has been requested for this
+ vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst</url>
+ </references>
+ <dates>
+ <discovery>2019-03-10</discovery>
+ <entry>2019-03-16</entry>
+ </dates>
+ </vuln>
+
<vuln vid="27b12d04-4722-11e9-8b7c-b5e01141761f">
<topic>RubyGems -- multiple vulnerabilities</topic>
<affects>
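Review bot: the only reference in the new entry's `<references>` block is a `blob/master` changelog link, which is a moving target; pin it to the 5.7.6 tag or to the commit that added that changelog section so the cited text stays reachable. The quoted description also says a CVE has been requested, so once it is assigned a follow-up commit should add a `<cvename>` entry and bump `<modified>` in `<dates>`.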