ArchLinux: 201812-1: jupyter-notebook: cross-site scripting
Summary
- CVE-2018-19351 (cross-site scripting)
A security issue has been found in Jupyter Notebook versions prior to
5.7.1, where untrusted JavaScript could be executed if malicious files
could be delivered to the user's system and the user takes specific
actions with those malicious files. It allowed nbconvert endpoints
(such as Print Preview) to render untrusted HTML and JavaScript with
access to the notebook server.
- CVE-2018-19352 (cross-site scripting)
A security issue has been found in Jupyter Notebook versions prior to
5.7.2, where untrusted JavaScript could be executed if malicious files
could be delivered to the user's system and the user takes specific
actions with those malicious files. It allowed maliciously crafted
directory names to execute JavaScript when opened in the tree view.
Resolution
Upgrade to 5.7.2-1.
# pacman -Syu "jupyter-notebook>=5.7.2-1"
The problems have been fixed upstream in version 5.7.2.
References
https://bugs.archlinux.org/task/60910
https://blog.jupyter.org/jupyter-notebook-security-fixes-59817e86a711
https://blog.jupyter.org/security-fix-for-jupyter-notebook-450f272b6932?gi=dbc3ae28c796
https://security.archlinux.org/CVE-2018-19351
https://security.archlinux.org/CVE-2018-19352
Workaround
None.