===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4114
                      jupyter-notebook security update
                              19 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jupyter-notebook
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-21030 CVE-2018-19351 CVE-2018-8768

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/11/msg00033.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2432-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
November 19, 2020                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : jupyter-notebook
Version        : 4.2.3-4+deb9u1
CVE ID         : CVE-2018-8768 CVE-2018-19351 CVE-2018-21030
Debian Bug     : 893436 917409

Several vulnerabilities have been discovered in jupyter-notebook.

CVE-2018-8768

    A maliciously forged notebook file can bypass sanitization to execute
    Javascript in the notebook context. Specifically, invalid HTML is
    'fixed' by jQuery after sanitization, making it dangerous.

CVE-2018-19351

    jupyter-notebook allows XSS via an untrusted notebook because nbconvert
    responses are considered to have the same origin as the notebook server.

CVE-2018-21030

    jupyter-notebook does not use a CSP header to treat served files as
    belonging to a separate origin.
    Thus, for example, an XSS payload can be placed in an SVG document.

For Debian 9 stretch, these problems have been fixed in version
4.2.3-4+deb9u1.

We recommend that you upgrade your jupyter-notebook packages.

For the detailed security status of jupyter-notebook please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jupyter-notebook

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
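The following helper is an added example, not part of the Debian advisory or the AusCERT bulletin: it evaluates whether a notebook server's response for a served file carries the Content-Security-Policy sandboxing whose absence CVE-2018-21030 describes. The sample header sets are constructed, and treating a `sandbox` directive without `allow-same-origin` as the patched state is an assumption to compare against what your own upgraded server returns.

```python
"""Check a served-file response for the CSP sandboxing that CVE-2018-21030
is about: without it, an SVG (or any other file) fetched from the notebook
server runs its scripts in the notebook's own origin.

Added example; the header sets below are constructed, and treating a
`sandbox` directive without `allow-same-origin` as the fixed state is an
assumption rather than something the advisory states.
"""


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def files_are_sandboxed(headers):
    """Return True when the response isolates the served file from the
    notebook origin through a CSP sandbox directive.

    `headers` is any mapping of response header names to values (for a
    live check, pass urllib's `resp.headers` for a URL under /files/).
    """
    # Header names are case-insensitive; normalise before lookup.
    lower = {name.lower(): val for name, val in headers.items()}
    csp = lower.get("content-security-policy")
    if not csp:
        return False          # no CSP at all: the state the advisory describes
    policy = parse_csp(csp)
    if "sandbox" not in policy:
        return False          # CSP present, but served files are not sandboxed
    # allow-same-origin hands the notebook origin back, defeating isolation.
    return "allow-same-origin" not in policy["sandbox"]


# Constructed sample responses for a file such as /files/diagram.svg.
VULNERABLE_HEADERS = {"Content-Type": "image/svg+xml"}
FIXED_HEADERS = {"Content-Type": "image/svg+xml",
                 "Content-Security-Policy": "sandbox allow-scripts"}
WEAK_HEADERS = {"Content-Type": "image/svg+xml",
                "Content-Security-Policy": "sandbox allow-scripts allow-same-origin"}

if __name__ == "__main__":
    for label, hdrs in [("vulnerable", VULNERABLE_HEADERS),
                        ("fixed", FIXED_HEADERS), ("weak", WEAK_HEADERS)]:
        print(f"{label}: sandboxed={files_are_sandboxed(hdrs)}")
```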