Date: Sat, 16 Mar 2019 23:23:16 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r495996 - head/security/vuxml Message-ID: <201903162323.x2GNNGNY027427@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Sat Mar 16 23:23:16 2019 New Revision: 495996 URL: https://svnweb.freebsd.org/changeset/ports/495996 Log: Document py-notebook vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Mar 16 23:23:10 2019 (r495995) +++ head/security/vuxml/vuln.xml Sat Mar 16 23:23:16 2019 (r495996) @@ -58,6 +58,43 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="72a6e3be-483a-11e9-92d7-f1590402501e"> + <topic>Jupyter notebook -- cross-site inclusion (XSSI) vulnerability</topic> + <affects> + <package> + <name>py27-notebook</name> + <name>py35-notebook</name> + <name>py36-notebook</name> + <name>py37-notebook</name> + <range><lt>5.7.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Jupyter notebook Changelog:</p> + <blockquote cite="https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst">; + <p>5.7.6 contains a security fix for a cross-site inclusion (XSSI) + vulnerability, where files at a known URL could be included in a page + from an unauthorized website if the user is logged into a Jupyter + server. The fix involves setting the X-Content-Type-Options: nosniff + header, and applying CSRF checks previously on all non-GET API requests + to GET requests to API endpoints and the /files/ endpoint.</p> + <p>The attacking page is able to access some contents of files when using + Internet Explorer through script errors, but this has not been + demonstrated with other browsers. A CVE has been requested for this + vulnerability.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst</url>; + </references> + <dates> + <discovery>2019-03-10</discovery> + <entry>2019-03-16</entry> + </dates> + </vuln> + <vuln vid="27b12d04-4722-11e9-8b7c-b5e01141761f"> <topic>RubyGems -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903162323.x2GNNGNY027427>