-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4114
                     jupyter-notebook security update
                             19 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jupyter-notebook
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-21030 CVE-2018-19351 CVE-2018-8768

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/11/msg00033.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2432-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
November 19, 2020                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : jupyter-notebook
Version        : 4.2.3-4+deb9u1
CVE ID         : CVE-2018-8768 CVE-2018-19351 CVE-2018-21030
Debian Bug     : 893436 917409

Several vulnerabilities have been discovered in jupyter-notebook.

CVE-2018-8768

    A maliciously forged notebook file can bypass sanitization to execute
    Javascript in the notebook context. Specifically, HTML that is still
    invalid after sanitization is 'fixed' by jQuery when it is inserted into
    the page, and the repaired markup can execute script.

CVE-2018-19351

    Opening an untrusted notebook allows XSS because nbconvert responses
    are served as the same origin as the notebook server, so script in the
    converted output runs with the user's session.

CVE-2018-21030

    jupyter-notebook does not use a CSP header to treat served files as
    belonging to a separate origin. Thus, for example, an XSS payload can
    be placed in an SVG document.
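
The last two issues hinge on the same point: whether the browser treats a
response under /files/ or /nbconvert/ as the notebook server's own origin.
A fix of this kind adds a sandbox directive to the Content-Security-Policy
header on those responses (upstream appends "sandbox allow-scripts"), which
gives the rendered SVG or HTML an opaque origin so injected script cannot
reach the session. The script below is an added example for this bulletin,
not code from Debian or the Jupyter project: it parses CSP headers and
reports whether a response is effectively sandboxed, including the cases a
practitioner tends to miss (a report-only header, "allow-same-origin", and
several CSP headers on one response). The sample header sets, the
fetch_headers helper, its URL and its token handling are constructed for
illustration.

```python
"""Audit whether served-file / nbconvert responses are confined to a separate
origin by an enforced Content-Security-Policy sandbox directive.

Added example for this advisory; not Debian or Jupyter project code.
"""
import urllib.request
from typing import Dict, List, Optional, Union

HeaderValue = Union[str, List[str]]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split one CSP policy into {directive_name: [tokens]}.

    Directives are ';'-separated; the first whitespace-separated token is the
    case-insensitive directive name, the rest are its values. Per the CSP
    spec a repeated directive is ignored after its first occurrence.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def enforced_csp_values(headers: Dict[str, HeaderValue]) -> List[str]:
    """Collect every *enforced* CSP header value, matching names case-insensitively.

    Content-Security-Policy-Report-Only is deliberately excluded: it reports
    violations but never blocks, so it provides no isolation at all.
    """
    values: List[str] = []
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            values.extend(value if isinstance(value, list) else [value])
    return values


def is_sandboxed(headers: Dict[str, HeaderValue]) -> bool:
    """True if some enforced policy puts the document in an opaque origin.

    Every CSP header on a response is enforced, so one sandboxing policy is
    enough. 'sandbox ... allow-same-origin' keeps the server's origin and would
    let injected script use the notebook session, so it does not count.
    """
    for header_value in enforced_csp_values(headers):
        # One header line may carry several policies joined by ','.
        for policy_text in header_value.split(","):
            policy = parse_csp(policy_text)
            if "sandbox" not in policy:
                continue
            flags = {flag.lower() for flag in policy["sandbox"]}
            if "allow-same-origin" not in flags:
                return True
    return False


def audit_response(headers: Dict[str, HeaderValue]) -> str:
    """Return 'sandboxed' or a short reason why the content is not isolated."""
    if is_sandboxed(headers):
        return "sandboxed"
    if not enforced_csp_values(headers):
        return "no Content-Security-Policy header"
    return "CSP present but no effective sandbox directive"


def fetch_headers(url: str, token: Optional[str] = None) -> Dict[str, HeaderValue]:
    """Fetch e.g. http://127.0.0.1:8888/files/test.svg and return its headers.

    Network helper for use against your own server (not exercised offline).
    'token' is the notebook login token, sent as 'Authorization: token ...'.
    Duplicate header names are kept as lists so is_sandboxed() sees them all.
    """
    req = urllib.request.Request(url, method="GET")
    if token:
        req.add_header("Authorization", "token " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {name: resp.headers.get_all(name) for name in set(resp.headers.keys())}


if __name__ == "__main__":
    # Constructed header sets modelled on a served SVG before and after a fix
    # of this kind; not captured from a real server.
    samples = {
        "unpatched, no CSP on served file": {"Content-Type": "image/svg+xml"},
        "page policy only": {"Content-Security-Policy":
                             "frame-ancestors 'self'; report-uri /api/security/csp-report"},
        "report-only sandbox": {"Content-Security-Policy-Report-Only": "sandbox"},
        "sandbox keeping the origin": {"Content-Security-Policy":
                                       "sandbox allow-scripts allow-same-origin"},
        "fixed": {"Content-Security-Policy":
                  "frame-ancestors 'self'; report-uri /api/security/csp-report; sandbox allow-scripts"},
    }
    for label, hdrs in samples.items():
        print(f"{label}: {audit_response(hdrs)}")
```

Run the audit against the /files/ and /nbconvert/ paths after upgrading, not
against the notebook page itself, which is meant to stay in the server's
origin; a file the server serves as text/plain is inert regardless of CSP, so
test with an .svg or .html file, the case the advisory names.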

For Debian 9 stretch, these problems have been fixed in version
4.2.3-4+deb9u1.

We recommend that you upgrade your jupyter-notebook packages.

For the detailed security status of jupyter-notebook please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jupyter-notebook

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX7YBVeNLKJtyKPYoAQhCag/+OAhEuYznO5LqBLvf6vXbM2O4HixecVYH
NlrxProzWkCmxyOcw0QjxDrKSxzTYKNU6852NnzhPrdfu2iJ6AY907Ro2PiDNGHS
naXOd+XkAclC8ocKo5ZNyqpRl2Ks/4Q+6GjSGc+ct+pdPPCT+mqv1xMdDry6071I
DbT2Jne8n9ls5RcocfnBrjotMCdjaVDmzl5MjVDdsrw8S9DqSQoj27+NCFNEAgFU
lw+ZH/SwUjVapdnp2e+KjpJ3yAtEphyAGHJlJOmGdgnXi0wclahaXDS0jnEo6dYv
OXQADB7KjiDmUYw/vPbqJ7vnXWjqS6sXwzrSlZ3F0xpU29yX/P9JQP5e6K//If06
4qL0i24w/gKICk7EJhU/GP2Lv3otFA4ZwTXBb15gGugGKqfuFep00dkcYI4+Lx+f
6zyN6WIap9R1cZkuH4HMslnbq7tUTWE732DfH00+ltPVeOG7pD2yT3ZRbwf2h0ho
W57iWRh4iTb8XGu7+2SeC2YkRbCpQYogpaoH6n+4U6qvKpLGaasXZ8pEPGVJbrBA
7VelFyRJHlsR4B1gYoeogfe7EaWF7zQal0QDcFgu/I14eaSpJoXHeVt7fPBEKooh
zRmEu5WSNU8NKwcx5XSPEoPeEh9+7ZSMor6vJ5ex29mohgKgiK+DJeRYPgqecCuR
zN0VGCVR24A=
=vsGV
-----END PGP SIGNATURE-----