svn commit: r497167 - head/security/vuxml

Sunpoet Po-Chuan Hsieh sunpoet at FreeBSD.org
Fri Mar 29 16:36:07 UTC 2019 

Author: sunpoet
Date: Fri Mar 29 16:36:03 2019
New Revision: 497167
URL: https://svnweb.freebsd.org/changeset/ports/497167

Log:
  Document py-notebook vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Mar 29 16:35:56 2019	(r497166)
+++ head/security/vuxml/vuln.xml	Fri Mar 29 16:36:03 2019	(r497167)
@@ -58,6 +58,54 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="fe7e322f-522d-11e9-98b5-216e512dad89">
+    <topic>Jupyter notebook -- open redirect vulnerability</topic>
+    <affects>
+      <package>
+	<name>py27-notebook</name>
+	<name>py35-notebook</name>
+	<name>py36-notebook</name>
+	<name>py37-notebook</name>
+	<range><lt>5.7.7</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Jupyter blog:</p>
+	<blockquote cite="https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4">
+	  <p>Login pages tend to take a parameter for redirecting back to a page
+	    after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb, so
+	    that you aren't disrupted too much if you try to visit a page, but have
+	    to authenticate first. An Open Redirect Vulnerability is when a
+	    malicious person crafts a link pointing to the login page of a trusted
+	    site, but setting the "redirect after successful login" parameter to
+	    send the user to their own site, instead of a page on the authenticated
+	    site (the notebook or JupyterHub server), e.g.
+	    /login?next=http://badwebsite.biz. This doesn't necessarily compromise
+	    anything immediately, but it enables phishing if users don't notice
+	    that the domain has changed, e.g. by showing a fake "re-enter your
+	    password" page. Servers generally have to validate the redirect URL to
+	    avoid this. Both JupyterHub and Notebook already do this, but the
+	    validation didn't take into account all possible ways to redirect to
+	    other sites, so some malicious URLs could still be crafted to redirect
+	    away from the server (the above example does not work in any recent
+	    version of either package). Only certain browsers (Chrome and Firefox,
+	    not Safari) could be redirected from the JupyterHub login page, but all
+	    browsers could be redirected away from a standalone notebook server.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4</url>
+      <url>https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst</url>
+      <cvename>CVE-2019-10255</cvename>
+    </references>
+    <dates>
+      <discovery>2019-03-28</discovery>
+      <entry>2019-03-29</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="7862213c-5152-11e9-8b26-a4badb296695">
     <topic>dovecot -- Buffer overflow reading extension header</topic>
     <affects>

More information about the svn-ports-all mailing list