This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|
| notebook | ==6.0.3 ->==6.4.12 |  |  |  |  |
GitHub Vulnerability Alerts
localhost
Impact
What kind of vulnerability is it? Who is impacted?
Open redirect vulnerability - a maliciously crafted link to a notebook server could redirect the browser to a different website.
All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server mayappear safe, but ultimately redirect to a spoofed server on the public internet.
Patches
Has the problem been patched? What versions should users upgrade to?
Patched in notebook 6.1.5
References
OWASP page on open redirects
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: zhuonan li of Alibaba Application Security Team
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
5.7.11, 6.4.1
References
OWASP Page on Injection Prevention
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: Guillaume Jeanne from Google
Example:
A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):
{ "cell_type": "code", "execution_count": 0, "metadata": {}, "outputs": [ { "data": { "text/html": [ "<select><iframe></select><img src=x: onerror=alert('xss')>\n"], "text/plain": [] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "" ] }
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.
References
OWASP Page on Restricting Form Submissions
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: Guillaume Jeanne from Google
Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server.
Upgrade to notebook version 6.4.10
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: @3coins for reporting. Thank you!
Impact
What kind of vulnerability is it? Who is impacted?
Authenticated requests to the notebook server withContentsManager.allow_hidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.
Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g.~/.ssh while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintendedmeans by which the files could be accessed.
Patches
Has the problem been patched? What versions should users upgrade to?
notebook 6.4.12
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Do not run the notebook server in a directory with hidden files, use subdirectories
- Use a custom ContentsManager with additional checks for
self.is_hidden(path) prior to completing actions
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Release Notes
jupyter/notebook (notebook)
Compare Source
What's Changed
Full Changelog:jupyter/notebook@v6.4.11...6.4.12
Compare Source
6.4.11
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@blink1073 |@echarles |@fcollonval |@github-actions |@jtpio |@penguinolog
Compare Source
Compare Source
Compare Source
(Full Changelog)
Bugs fixed
Contributors to this release
(GitHub contributors page for this release)
@Vishwajeet0510
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Other merged PRs
Contributors to this release
(GitHub contributors page for this release)
@antoinecarme |@blink1073 |@ccw630 |@kevin-bates |@LiHua-Official |@penguinolog |@tornaria
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
- TST: don't look in user site for serverextensions#6233 (@bnavigator)
- Enable terminal tests as
pywinpty is ported for python 3.9#6228 (@nsait-linaro)
Contributors to this release
(GitHub contributors page for this release)
@bnavigator |@dleen |@dolfinus |@jackexu |@kevin-bates |@maliubiao |@nsait-linaro |@takluyver |@Zsailer
Compare Source
(Full Changelog)
Bug fixes
Maintenance and upkeep improvements
Documentation improvements
Contributors to this release
(GitHub contributors page for this release)
@blink1073 |@jgarte |@kevin-bates |@martinRenou |@mgeier
Compare Source
(Full Changelog)
Documentation improvements
Other merged PRs
Contributors to this release
(GitHub contributors page for this release)
@blink1073 |@kevin-bates |@krassowski |@massongit |@minrk |@Zsailer
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin |@blink1073 |@Zsailer
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin |@Amr-Ibra |@frenzymadness |@ilayh123 |@kevin-bates |@Nazeeh21 |@saiwing-yeung
Compare Source
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Documentation improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin |@befeleme |@blink1073 |@faucct |@frenzymadness |@gamestrRUS |@jtpio |@kevin-bates |@minrk |@misterhay |@stef4k |@wggillen
Compare Source
Merged PRs
Contributors to this release
(GitHub contributors page for this release)
@abielhammonds |@afshin |@ajharry |@Alokrar |@befeleme |@blairdrummond |@blink1073 |@bollwyvl |@Carreau |@ChenChenDS |@cosmoscalibur |@dlrice |@dwanneruchi |@ElisonSherton |@FazeelUsmani |@frenzymadness |@goerz |@insolor |@jasongrout |@JianghuiDu |@JuzerShakir |@kevin-bates |@Khalilsqu |@meeseeksdev |@mgeier |@michaelpedota |@mjbright |@MSeal |@ncoughlin |@NTimmons |@ProsperousHeart |@rjn01 |@slw07g |@stenivan |@takluyver |@thomasrockhu |@wgilpin |@wxtt522 |@yuvipanda |@Zsailer
Compare Source
Compare Source
Compare Source
6.1.5 is a security release, fixing one vulnerability:
Compare Source
- Fix broken links to jupyter documentation (5686)
- Add additional entries to troubleshooting section (5695)
- Revert change in page alignment (5703)
- Bug fix: remove double encoding in download files (5720)
- Fix typo for Check in zh_CN (5730)
- Require a file name in the "Save As" dialog (5733)
Thank you to all the contributors:
- bdbai
- Jaipreet Singh
- Kevin Bates
- Pavel Panchekha
- Zach Sailer
Compare Source
- Title new buttons with label if action undefined (5676)
Thank you to all the contributors:
Compare Source
- Fix russian message format for delete/duplicate actions (5662)
- Remove unnecessary import of bind_unix_socket (5666)
- Tooltip style scope fix (5672)
Thank you to all the contributors:
- Dmitry Akatov
- Kevin Bates
- Magda Stenius
Compare Source
- Prevent inclusion of requests_unixsocket on Windows (5650)
Thank you to all the contributors:
Compare Source
Please note that this repository is currently maintained by a skeleton
crew of maintainers from the Jupyter community. For our approach moving
forward, please see this
notice from the README.
Thank you.
Here is an enumeration of changes made since the last release and
included in 6.1.0.
- Remove deprecated encoding parameter for Python 3.9 compatibility. (5174)
- Add support for async kernel management (4479)
- Fix typo in password_required help message (5320)
- Gateway only: Ensure launch and request timeouts are in sync (5317)
- Update Markdown Cells example to HTML5 video tag (5411)
- Integrated LoginWidget into edit to enable users to logout from the t... (5406)
- Update message about minimum Tornado version (5222)
- Logged notebook type (5425)
- Added nl language (5354)
- Add UNIX socket support to notebook server. (4835)
- Update CodeMirror dependency (5198)
- Tree added download multiple files (5351)
- Toolbar buttons tooltip: show help instead of label (5107)
- Remove unnecessary import of requests_unixsocket (5451)
- Add ability to cull terminals and track last activity (5372)
- Code refactoring notebook.js (5352)
- Install terminado for docs build (5462)
- Convert notifications JS test to selenium (5455)
- Add cell attachments to markdown example (5412)
- Add Japanese document (5231)
- Migrate Move multiselection test to selenium (5158)
- Use
cmdtrl-enter to run a cell (5120) - Fix broken "Raw cell MIME type" dialog (5385)
- Make a notebook writable after successful save-as (5296)
- Add actual watch script (4738)
- Added
--autoreload flag toNotebookApp (4795) - Enable check_origin on gateway websocket communication (5471)
- Restore detection of missing terminado package (5465)
- Culling: ensure
last_activity attr exists before use (5355) - Added functionality to allow filter kernels by Jupyter Enterprise Gat... (5484)
- 'Play' icon for run-cell toolbar button (2922)
- Bump minimum version of jQuery to 3.5.0 (5491)
- Remove old JS markdown tests, add a new one in selenium (5497)
- Add support for more RTL languages (5036)
- Make markdown cells stay RTL in edit mode (5037)
- Unforce RTL output display (5039)
- Fixed multicursor backspacing (4880)
- Implemented Split Cell for multicursor (4824)
- Alignment issue [FIXED] (3173)
- MathJax: Support for
\gdef (4407) - Another (Minor) Duplicate Code Reduction (5316)
- Update readme regarding maintenance (5500)
- Document contents chunks (5508)
- Backspace deletes empty line (5516)
- The dropdown submenu at notebook page is not keyboard accessible (4732)
- Tooltips visible through keyboard navigation for specified buttons (4729)
- Fix for recursive symlink (4670)
- Fix for the terminal shutdown issue (4180)
- Add japanese translation files (4490)
- Workaround for socket permission errors on Cygwin (4584)
- Implement optional markdown header and footer files (4043)
- Remove double link when using
custom_display_url (5544) - Respect
cell.is_editable during find-and-replace (5545) - Fix exception causes all over the codebase (5556
- Improve login shell heuristics (5588)
- Added support for
JUPYTER_TOKEN_FILE (5587) - Kill notebook itself when server cull idle kernel (5593)
- Implement password hashing with bcrypt (3793)
- Fix broken links (5600)
- Russian internationalization support (5571)
- Add a metadata tag to override notebook direction (ltr/rtl) (5052)
- Paste two images from clipboard in markdown cell (5598)
- Add keyboard shortcuts to menu dropdowns (5525)
- Update codemirror to
5.56.0+components1 (5637)
Thank you to all the contributors:
- Aaron Myatt
- Adam Blake
- Afshin Taylor Darian
- Aman Bansal
- Ben Thayer
- berendjan
- Bruno P. Kinoshita
- bzinberg
- Christophe Cadilhac
- Daiki Katsuragawa
- David Lukes
- Dmitriy Q
- dmpe
- dylanzjy
- dSchurch
- E. M. Bray
- ErwinRussel
- Felix Mönckemeyer
- Grant Nestor
- Jarrad Whitaker
- Jesus Panales Castillo
- Joshua Zeltser
- Karthikeyan Singaravelan
- Kenichi Ito
- Kevin Bates
- Koki Nishihara
- Kris Wilson
- Kyle Kelley
- Laura Merlo
- levinxo
- Luciano Resende
- Luis Cabezon Manchado
- Madhusudhan Srinivasa
- Matthias Geier
- mattn
- Max Klein
- Min RK
- Mingxuan Lin
- Mohammad Mostafa Farzan
- Niko Felger
- Norah Abanumay
- Onno Broekmans
- PierreMB
- pinarkavak
- Ram Rachum
- Reece Hart
- Remi Rampin
- Rohit Sanjay
- Shane Canon
- Simon Li
- Steinar Sturlaugsson
- Steven Silvester
- taohan16
- Thew Dhanat
- Thomas Kluyver
- Toon Baeyens
- Vidar Tonaas Fauske
- Zachary Sailer
Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated byMend Renovate. View repository job loghere.
Uh oh!
There was an error while loading.Please reload this page.
This PR contains the following updates:
==6.0.3->==6.4.12GitHub Vulnerability Alerts
CVE-2020-26215
localhost
Impact
What kind of vulnerability is it? Who is impacted?
Open redirect vulnerability - a maliciously crafted link to a notebook server could redirect the browser to a different website.
All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server mayappear safe, but ultimately redirect to a spoofed server on the public internet.
Patches
Has the problem been patched? What versions should users upgrade to?
Patched in notebook 6.1.5
References
OWASP page on open redirects
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: zhuonan li of Alibaba Application Security Team
CVE-2021-32798
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
5.7.11, 6.4.1
References
OWASP Page on Injection Prevention
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: Guillaume Jeanne from Google
Example:
A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):
CVE-2021-32797
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.
References
OWASP Page on Restricting Form Submissions
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: Guillaume Jeanne from Google
CVE-2022-24758
Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server.
Upgrade to notebook version 6.4.10
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security listsecurity@ipython.org.
Credit: @3coins for reporting. Thank you!
CVE-2022-29238
Impact
What kind of vulnerability is it? Who is impacted?
Authenticated requests to the notebook server with
ContentsManager.allow_hidden = Falseonly prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g.
~/.sshwhile serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintendedmeans by which the files could be accessed.Patches
Has the problem been patched? What versions should users upgrade to?
notebook 6.4.12
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
self.is_hidden(path)prior to completing actionsReferences
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Release Notes
jupyter/notebook (notebook)
v6.4.12Compare Source
What's Changed
Full Changelog:jupyter/notebook@v6.4.11...6.4.12
v6.4.11Compare Source
6.4.11
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@blink1073 |@echarles |@fcollonval |@github-actions |@jtpio |@penguinolog
v6.4.10Compare Source
v6.4.9Compare Source
v6.4.8Compare Source
(Full Changelog)
Bugs fixed
Contributors to this release
(GitHub contributors page for this release)
@Vishwajeet0510
v6.4.7Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Other merged PRs
Contributors to this release
(GitHub contributors page for this release)
@antoinecarme |@blink1073 |@ccw630 |@kevin-bates |@LiHua-Official |@penguinolog |@tornaria
v6.4.6Compare Source
(Full Changelog)
Bugs fixed
asyncioerror when opening notebooks#6221 (@dleen)send2trashtests failing on Windows#6127 (@dolfinus)Maintenance and upkeep improvements
pywinptyis ported for python 3.9#6228 (@nsait-linaro)Contributors to this release
(GitHub contributors page for this release)
@bnavigator |@dleen |@dolfinus |@jackexu |@kevin-bates |@maliubiao |
@nsait-linaro|@takluyver |@Zsailerv6.4.5Compare Source
(Full Changelog)
Bug fixes
Maintenance and upkeep improvements
jupyter_clientwarning#6178 (@martinRenou)Documentation improvements
nbsphinxto 0.8.6#6201 (@kevin-bates)nbsphinxto 0.8.6, clean up orphaned resources#6194 (@kevin-bates)Contributors to this release
(GitHub contributors page for this release)
@blink1073 |@jgarte |@kevin-bates |@martinRenou |@mgeier
v6.4.4Compare Source
(Full Changelog)
Documentation improvements
Other merged PRs
Contributors to this release
(GitHub contributors page for this release)
@blink1073 |@kevin-bates |@krassowski |@massongit |@minrk |@Zsailer
v6.4.3Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin |@blink1073 |@Zsailer
v6.4.2Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin |@Amr-Ibra |@frenzymadness |@ilayh123 |@kevin-bates |@Nazeeh21 |@saiwing-yeung
v6.4.1Compare Source
v6.4.0Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Documentation improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin |@befeleme |@blink1073 |@faucct |@frenzymadness |@gamestrRUS |@jtpio |@kevin-bates |@minrk |@misterhay |@stef4k |@wggillen
v6.3.0Compare Source
Merged PRs
Contributors to this release
(GitHub contributors page for this release)
@abielhammonds |@afshin |@ajharry |@Alokrar |@befeleme |@blairdrummond |@blink1073 |@bollwyvl |@Carreau |@ChenChenDS |@cosmoscalibur |@dlrice |@dwanneruchi |@ElisonSherton |@FazeelUsmani |@frenzymadness |@goerz |@insolor |@jasongrout |@JianghuiDu |@JuzerShakir |@kevin-bates |@Khalilsqu |@meeseeksdev |@mgeier |@michaelpedota |@mjbright |@MSeal |@ncoughlin |@NTimmons |@ProsperousHeart |@rjn01 |@slw07g |@stenivan |@takluyver |@thomasrockhu |@wgilpin |@wxtt522 |@yuvipanda |@Zsailer
v6.2.0Compare Source
v6.1.6Compare Source
v6.1.5Compare Source
6.1.5 is a security release, fixing one vulnerability:
v6.1.4Compare Source
Thank you to all the contributors:
v6.1.3Compare Source
Thank you to all the contributors:
v6.1.2Compare Source
Thank you to all the contributors:
v6.1.1Compare Source
Thank you to all the contributors:
v6.1.0Compare Source
Please note that this repository is currently maintained by a skeleton
crew of maintainers from the Jupyter community. For our approach moving
forward, please see this
notice from the README.
Thank you.
Here is an enumeration of changes made since the last release and
included in 6.1.0.
cmdtrl-enterto run a cell (5120)--autoreloadflag toNotebookApp(4795)last_activityattr exists before use (5355)\gdef(4407)custom_display_url(5544)cell.is_editableduring find-and-replace (5545)JUPYTER_TOKEN_FILE(5587)5.56.0+components1(5637)Thank you to all the contributors:
Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated byMend Renovate. View repository job loghere.