Date: Fri, 29 Mar 2019 16:36:03 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r497167 - head/security/vuxml Message-ID: <201903291636.x2TGa3pI018971@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Fri Mar 29 16:36:03 2019 New Revision: 497167 URL: https://svnweb.freebsd.org/changeset/ports/497167 Log: Document py-notebook vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Mar 29 16:35:56 2019 (r497166) +++ head/security/vuxml/vuln.xml Fri Mar 29 16:36:03 2019 (r497167) @@ -58,6 +58,54 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="fe7e322f-522d-11e9-98b5-216e512dad89"> + <topic>Jupyter notebook -- open redirect vulnerability</topic> + <affects> + <package> + <name>py27-notebook</name> + <name>py35-notebook</name> + <name>py36-notebook</name> + <name>py37-notebook</name> + <range><lt>5.7.7</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Jupyter blog:</p> + <blockquote cite="https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4">; + <p>Login pages tend to take a parameter for redirecting back to a page + after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb, so + that you aren't disrupted too much if you try to visit a page, but have + to authenticate first. An Open Redirect Vulnerability is when a + malicious person crafts a link pointing to the login page of a trusted + site, but setting the "redirect after successful login" parameter to + send the user to their own site, instead of a page on the authenticated + site (the notebook or JupyterHub server), e.g. + /login?next=http://badwebsite.biz. This doesn't necessarily compromise + anything immediately, but it enables phishing if users don't notice + that the domain has changed, e.g. by showing a fake "re-enter your + password" page. Servers generally have to validate the redirect URL to + avoid this. Both JupyterHub and Notebook already do this, but the + validation didn't take into account all possible ways to redirect to + other sites, so some malicious URLs could still be crafted to redirect + away from the server (the above example does not work in any recent + version of either package). Only certain browsers (Chrome and Firefox, + not Safari) could be redirected from the JupyterHub login page, but all + browsers could be redirected away from a standalone notebook server.</p> + </blockquote> + </body> + </description> + <references> + <url>https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4</url>; + <url>https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst</url>; + <cvename>CVE-2019-10255</cvename> + </references> + <dates> + <discovery>2019-03-28</discovery> + <entry>2019-03-29</entry> + </dates> + </vuln> + <vuln vid="7862213c-5152-11e9-8b26-a4badb296695"> <topic>dovecot -- Buffer overflow reading extension header</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903291636.x2TGa3pI018971>