Arch Linux 804 Published by

Updated jupyter-notebook packages has been released for Arch Linux



Arch Linux Security Advisory ASA-201812-1
=========================================

Severity: Medium
Date : 2018-12-06
CVE-ID : CVE-2018-19351 CVE-2018-19352
Package : jupyter-notebook
Type : cross-site scripting
Remote : No
Link : https://security.archlinux.org/AVG-820

Summary
=======

The package jupyter-notebook before version 5.7.2-1 is vulnerable to
cross-site scripting.

Resolution
==========

Upgrade to 5.7.2-1.

# pacman -Syu "jupyter-notebook>=5.7.2-1"

The problems have been fixed upstream in version 5.7.2.

Workaround
==========

None.

Description
===========

- CVE-2018-19351 (cross-site scripting)

A security issue has been found in Jupyter Notebook versions prior to
5.7.1, where untrusted javascript could be executed if malicious files
could be delivered to the users system and the user takes specific
actions with those malicious files. It allowed nbconvert endpoints
(such as Print Preview) to render untrusted HTML and javascript with
access to the notebook server.

- CVE-2018-19352 (cross-site scripting)

A security issue has been found in Jupyter Notebook versions prior to
5.7.2, where untrusted javascript could be executed if malicious files
could be delivered to the users system and the user takes specific
actions with those malicious files. It allowed maliciously crafted
directory names to execute javascript when opened in the tree view.

Impact
======

A remote attacker is able to execute javascript and create html content
by tricking users into opening and interacting with maliciously crafted
notebook files.

References
==========

https://bugs.archlinux.org/task/60910
https://blog.jupyter.org/jupyter-notebook-security-fixes-59817e86a711
https://blog.jupyter.org/security-fix-for-jupyter-notebook-450f272b6932?gi=dbc3ae28c796
https://security.archlinux.org/CVE-2018-19351
https://security.archlinux.org/CVE-2018-19352
  Jupyter-notebook Update for Arch Linux