-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3180
                          nbconvert security update
                                 5 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nbconvert
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32862

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html

Comment: CVSS (Max):  5.4 CVE-2021-32862 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3442-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
June 03, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nbconvert
Version        : 5.4-2+deb10u1
CVE ID         : CVE-2021-32862

Alvaro Munoz from the GitHub Security Lab discovered sixteen ways to exploit
a cross-site scripting vulnerability in nbconvert, a tool and library used to
convert notebooks to various other formats via Jinja templates. When using
nbconvert to generate an HTML version of a user-controllable notebook, it is
possible to inject arbitrary HTML which may lead to cross-site scripting (XSS)
vulnerabilities if these HTML notebooks are served by a web server without a
tight Content-Security-Policy (e.g., nbviewer).
  * GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
  * GHSL-2021-1014: XSS in notebook.metadata.title;
  * GHSL-2021-1015: XSS in notebook.metadata.widgets;
  * GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
  * GHSL-2021-1017: XSS in output data text/html cells;
  * GHSL-2021-1018: XSS in output data image/svg+xml cells;
  * GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
  * GHSL-2021-1020: XSS in output data text/markdown cells;
  * GHSL-2021-1021: XSS in output data application/javascript cells;
  * GHSL-2021-1022: XSS in output.metadata.filenames image/png and image/jpeg;
  * GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
  * GHSL-2021-1024: XSS in output.metadata.width/height image/png and image/jpeg;
  * GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+json cells;
  * GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+json cells;
  * GHSL-2021-1027: XSS in raw cells; and
  * GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and
-1028, are actually design decisions where text/html, text/markdown,
application/javascript and markdown cells should allow for arbitrary
JavaScript code execution. These vulnerabilities are therefore left open by
default, but users can now opt out and strip all JavaScript elements via a
new HTMLExporter option `sanitize_html`.

For Debian 10 buster, this problem has been fixed in version 5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.
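A defender-side pre-check for the metadata injection points listed above, added here as an example using only the Python standard library; it is not nbconvert's code and is independent of its `sanitize_html` option. It walks the nbformat fields the advisory names (title, pygments_lexer, cell tags, svg_filename, image filenames and width/height), reports the ones whose value could break out of its HTML context, and returns an escaped copy. The notebook is constructed, and the path strings and function names are this example's own.

```python
import copy
import html

# Characters that let a value break out of HTML text or an HTML attribute.
BREAKOUT = set('<>"\'')


def _slots(nb):
    """Yield (path, container, key, value) for the metadata fields DLA-3442-1 lists
    as injected verbatim; by-design script-bearing outputs (text/html etc.) are excluded."""
    meta = nb.get("metadata", {})
    lang = meta.get("language_info", {})
    yield "metadata.title", meta, "title", meta.get("title")
    yield "metadata.language_info.pygments_lexer", lang, "pygments_lexer", lang.get("pygments_lexer")
    for ci, cell in enumerate(nb.get("cells", [])):
        tags = cell.get("metadata", {}).get("tags", [])
        for ti, tag in enumerate(tags):
            yield f"cells[{ci}].metadata.tags[{ti}]", tags, ti, tag
        for oi, out in enumerate(cell.get("outputs", [])):
            p = f"cells[{ci}].outputs[{oi}]"
            yield f"{p}.svg_filename", out, "svg_filename", out.get("svg_filename")
            ometa = out.get("metadata", {})
            names = ometa.get("filenames", {})
            for mime, name in names.items():
                yield f"{p}.metadata.filenames[{mime}]", names, mime, name
            for mime in ("image/png", "image/jpeg"):  # nbformat keeps width/height per mimetype
                dims = ometa.get(mime) or {}
                for dim in ("width", "height"):
                    yield f"{p}.metadata[{mime}].{dim}", dims, dim, dims.get(dim)


def find_unescaped(nb):
    """Paths whose string value contains a character that can break out of HTML."""
    return [p for p, _, _, v in _slots(nb) if isinstance(v, str) and BREAKOUT & set(v)]


def escape_notebook(nb):
    """Deep copy of nb with every listed field HTML-escaped (non-strings such as an int height untouched)."""
    safe = copy.deepcopy(nb)
    for _, container, key, value in _slots(safe):
        if isinstance(value, str):
            container[key] = html.escape(value, quote=True)
    return safe


# Constructed notebook (nbformat 4 shape), not taken from the advisory; three fields are tainted.
SAMPLE = {"nbformat": 4, "nbformat_minor": 5,
          "metadata": {"title": "Weekly report <script>x()</script>",
                       "language_info": {"name": "python", "pygments_lexer": "ipython3"}},
          "cells": [{"cell_type": "code", "execution_count": 1, "source": "plot()",
                     "metadata": {"tags": ["hide-input", '"><i>injected</i>']},
                     "outputs": [{"output_type": "display_data", "data": {"image/png": "iVBORw0KGgo="},
                                  "metadata": {"image/png": {"width": '640" data-x="1', "height": 480}}}]}]}
```

Run the check before handing an untrusted notebook to the exporter; the by-design cases (GHSL-2021-1017, -1020, -1021, -1028) are what `sanitize_html` and a tight Content-Security-Policy address, not this pre-check.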
For the detailed security status of nbconvert please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.