Hello community,

here is the log from the commit of package IPython.2958 for openSUSE:13.1:Update checked in at 2014-08-23 01:08:39

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/IPython.2958 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.IPython.2958.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "IPython.2958"

Changes:
--------
New Changes file:

--- /dev/null	2014-07-24 01:57:42.080040256 +0200
+++ /work/SRC/openSUSE:13.1:Update/.IPython.2958.new/IPython.changes	2014-08-23 01:08:40.000000000 +0200
@@ -0,0 +1,285 @@ +------------------------------------------------------------------- +Thu Aug 7 14:56:56 UTC 2014 - [email protected] + +- CVE-2014-3429-cross-domain.patch - RCE in IPython Notebook via + cross-origin websocket connection + (CVE-2014-3429, bnc#887577) + +------------------------------------------------------------------- +Fri Aug 9 09:11:37 UTC 2013 - [email protected] + +- update to 1.0.0 +- The principal milestone is the addition of IPython.nbconvert. +- Added IPython.kernel for all kernel-related code. +- Removed the frontend subpackage, as it caused unnecessary depth. +- The IPython sphinx directives are now installed in IPython.sphinx. +- The input transformation framework has been reworked. +- Exception types can now be displayed with a custom traceback. +- A new command, ipython history trim can be used to delete everything but the last 1000 entries in the history database. +- __file__ is defined in both config files at load time, and .ipy files executed with %run. +- %logstart and %logappend are no longer broken. +- Add glob expansion for %run, e.g. %run -g script.py *.txt. +- Expand variables ($foo) in Cell Magic argument line. +- By default, iptest will exclude various slow tests. All tests can be run with iptest –all. +- SQLite history can be disabled in the various cases that it does not behave well. +- %edit works on interactively defined variables. +- editor hooks have been restored from quarantine, enabling TextMate as editor, etc. +- The env variable PYTHONSTARTUP is respected by IPython. +- The %matplotlib magic was added. +- The --matplotlib command line flag was also added. 
+ +------------------------------------------------------------------- +Wed Jun 5 11:46:27 UTC 2013 - [email protected] + +- Install .desktop files +- Add buildrequires so there is proper detection of dependencies + at build-time +- Add python-distribute buildrequires for proper dependency + detection +- Build full documentation in python 2 version + (not yet working with python 3) +- Include license file and README file +- Change suggests to recommends since suggests are not well + supported +- Manually-specify executable and manual file names to better + identify conflicts between python 2 and python 3 versions + +------------------------------------------------------------------- +Fri May 17 17:33:56 UTC 2013 - [email protected] + +- update to 0.13.2 + - bugfix-release, 52 bugs fixed + - improved compatibility with new Qt versions + (fixes bnc#819931, obsoletes ipython-fix-loading-newer-pyqt.diff) +- drop conditionals for too-old SUSE releases +- shorten summary + +------------------------------------------------------------------- +Fri Mar 15 13:48:38 UTC 2013 - [email protected] + +- Add ipython-fix-loading-newer-pyqt.diff to make Qt console + load with PyQt 4.10 (fix already upstream) + +------------------------------------------------------------------- +Wed Jan 2 19:44:41 UTC 2013 - [email protected] + +- Fix building on SLES + +------------------------------------------------------------------- +Wed Oct 24 07:38:43 UTC 2012 - [email protected] + +- Update to 0.13.1 + - New major upstream release + - Major notebook improvements + - Major improvements to the Qt console + - Improvement of parallel tools + +------------------------------------------------------------------- +Thu May 3 11:26:14 UTC 2012 - [email protected] + +- license update: BSD-3-Clause + See http://ipython.org/ipython-doc/dev/about/license_and_copyright.html + +------------------------------------------------------------------- +Mon Apr 30 13:06:58 UTC 2012 - [email protected] + +- Fix 
building python 3 package on openSUSE 11.4 x86_64 + +------------------------------------------------------------------- +Sat Apr 28 07:17:08 UTC 2012 - [email protected] + +- added python-tornado Requires for ipython notebook mode + +------------------------------------------------------------------- +Fri Apr 27 11:13:00 UTC 2012 - [email protected] + +- Update to 0.12.1 + Bugfixes +- Comment out non-existant wxpython-related python 3 packages +- Change python 3 binary names so they don't conflict with the + python 2 ones +- Fix removal of hidden git info in python3 package +- Small python 2 package spec file cleanups + +------------------------------------------------------------------- +Fri Apr 27 08:38:48 UTC 2012 - [email protected] + +- added build dependency python3-2to3 + without it files just not converted silently + +------------------------------------------------------------------- +Thu Feb 9 02:26:35 UTC 2012 - [email protected] + +- added python3-IPython package + +------------------------------------------------------------------- +Wed Feb 8 15:15:26 UTC 2012 - [email protected] + +- updated to 0.12 + IPython 0.12 contains several major new features, as well as a large amount + of bug and regression fixes. + + New features: + * An interactive browser-based Notebook with rich media support + * Two-process terminal console + * Tabbed QtConsole + * Full Python 3 compatibility + * Standalone Kernel + * PyPy support + +------------------------------------------------------------------- +Sun Jul 31 19:28:17 UTC 2011 - [email protected] + +- updated to 0.11 + IPython 0.11 is a *major* overhaul of IPython, two years in the making. Most + of the code base has been rewritten or at least reorganized, breaking backward + compatibility with several APIs in previous versions. 
+ + Since the internal APIs have changed so much, projects using IPython as a + library (as opposed to end-users of the application) are the most likely to + encounter regressions or changes that break their existing use patterns. + + A quick summary: + * Standalone Qt console. + * High-level parallel computing with ZeroMQ. + * New model for GUI/plotting support in the terminal. + * A two-process architecture. + * Vim integration. + * Integration into Microsoft Visual Studio + * Improved unicode support. + * Python 3 support. + * New profile model. + * SQLite storage for history. + * New configuration system. + * Pasting of code with prompts. + +------------------------------------------------------------------- +Sat Jul 16 01:38:19 UTC 2011 - [email protected] + +- updated to 0.10.2 + * This is a minor bugfix and latst release of the 0.10.x series. + * Closing of github ticket #185, a major regression we had + in 0.10.1 where pylab mode with GTK was not working correctly, + hence plots were blocking with GTK. Since this is the default matplotlib + backend on Unix systems, this was a major annoyance for many users. Many + thanks to Paul Ivanov for helping resolve this issue. + * Fix IOError bug on Windows when used with -gthread. + * Work robustly if $HOME is missing from environment. + * Better POSIX support in ssh scripts (remove bash-specific idioms). + * Improved support for non-ascii characters in log files. + * Work correctly in environments where GTK can be imported but not started + (such as a linux text console without X11). + +------------------------------------------------------------------- +Wed Dec 29 15:07:59 CET 2010 - [email protected] + +- Updated python-wxWidgets name. 
+ +------------------------------------------------------------------- +Tue Aug 11 14:58:46 CEST 2009 - [email protected] + +- removed useless item from filelist +- switched to noarch + +------------------------------------------------------------------- +Sun Aug 9 12:03:16 CEST 2009 - [email protected] + +- new new python macros + +------------------------------------------------------------------- +Wed Aug 5 17:35:27 CEST 2009 - [email protected] + +- update to 0.10 + * lots of bugfixes + * improved gui and wx-based gui component + * improved ipcluster +- split off -doc subpackage + ++++ 88 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.IPython.2958.new/IPython.changes New: ---- CVE-2014-3429-cross-domain.patch IPython.changes IPython.spec ipython-1.0.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ IPython.spec ++++++ # # spec file for package IPython # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           IPython
BuildRequires:  python-devel
Version:        1.0.0
Release:        0
Source0:        https://pypi.python.org/packages/source/i/ipython/ipython-%{version}.tar.gz
# CVE-2014-3429 - RCE via unchecked cross-origin websocket connections
Patch0:         CVE-2014-3429-cross-domain.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Url:            http://ipython.scipy.org/
Summary:        An Enhanced Interactive Python Shell
License:        BSD-3-Clause
Group:          Development/Languages/Python
BuildArch:      noarch
BuildRequires:  gnome-icon-theme
BuildRequires:  python
BuildRequires:  python-Cython
BuildRequires:  python-curses
BuildRequires:  python-distribute
BuildRequires:  python-nose >= 0.10.1
BuildRequires:  python-opengl
BuildRequires:  python-pexpect
BuildRequires:  python-pymongo
BuildRequires:  python-pyzmq-devel >= 2.1.11
BuildRequires:  python-wxWidgets
%if 0%{?suse_version}
%py_requires
BuildRequires:  fdupes
BuildRequires:  update-desktop-files
%endif
Requires:       gnome-icon-theme
Requires:       python-pexpect
Requires:       python-pyzmq >= 2.1.11
Recommends:     python-curses
Recommends:     python-pymongo
Recommends:     python-wxWidgets
# qtconsole
BuildRequires:  python-Pygments
BuildRequires:  python-matplotlib
BuildRequires:  python-qt4-devel
Requires:       python-Pygments
Requires:       python-matplotlib
Requires:       python-qt4
# html notebook
BuildRequires:  python-tornado >= 2.0
Requires:       python-tornado >= 2.0
#documentation
BuildRequires:  graphviz
BuildRequires:  graphviz-gnome
BuildRequires:  python-Sphinx >= 0.3

%description
IPython provides a replacement for the interactive python (Python)
interpreter with extra functionality.

Main features:

 * Comprehensive object introspection.
 * Input history that is persistent across sessions.
 * Caching of output results during a session with automatically generated
   references.
 * Readline-based name completion.
 * Extensible system of 'magic' commands for controlling the environment and
   performing many tasks related either to IPython or the operating system.
 * Configuration system with easy switching between different setups (simpler
   than changing $PYTHONSTARTUP environment variables every time).
 * Session logging and reloading.
 * Extensible syntax processing for special purpose situations.
 * Access to the system shell with user-extensible alias system.
 * Easily embeddable in other Python programs.
 * Integrated access to the pdb debugger and the Python profiler.

%package doc
Summary:        An Enhanced Interactive Python Shell documentation
Group:          Documentation/Other
Recommends:     %{name} = %{version}

%description doc
IPython provides a replacement for the interactive python (Python)
interpreter with extra functionality.

This package contains comprehensive documentation for IPython in html format,
as well as examples of usage.

%prep
%setup -q -n ipython-%{version}
%patch0 -p1
# Get rid of library shebangs
find . -type f -name "*.py" -exec sed -i '/#!\/usr\/bin\/env/d' {} \;

%build
export CFLAGS="%{optflags}"
python setup.py build

%install
python setup.py install --prefix=%{_prefix} --root=%{buildroot}
# move automatically installed documentation to the right directory
install -d -m 755 %{buildroot}%{_docdir}/
mv -f %{buildroot}/usr/share/doc/ipython/ %{buildroot}%{_docdir}/%{name}
# make docs
pushd docs
PYTHONPATH=$PYTHONPATH:%{buildroot}%{python_sitelib} make html
rm build/html/.buildinfo
mv build/html %{buildroot}%{_docdir}/%{name}/
popd
# remove hidden files
rm -f %{buildroot}/%{python_sitelib}/IPython/.git_commit_info.ini
rm -f %{buildroot}/%{_docdir}/%{name}/manual/.buildinfo
%if 0%{?suse_version} > 1010
%fdupes %{buildroot}%{_docdir}/%{name}/
# install .desktop files
mv examples/core/*.desktop ./
sed -i 's/gnome-netstatus-idle/ipython/g' *.desktop
%suse_update_desktop_file -r -i ipython System TerminalEmulator
%suse_update_desktop_file -r -i ipython-qtconsole System TerminalEmulator
# install icons
for i in %{_datadir}/icons/gnome/*/status/gnome-netstatus-idle.*
do
    NUM="$(basename $(dirname $(dirname $i)))"
    mkdir -p "%{buildroot}%{_datadir}/icons/hicolor/$NUM/apps/"
    pushd "%{buildroot}%{_datadir}/icons/hicolor/$NUM/apps/"
    ln -s "$i" ./ipython.png
    popd
done
%endif

%files
%defattr(-,root,root)
%doc COPYING.txt README.rst
%{_bindir}/ipcluster
%{_bindir}/ipcontroller
%{_bindir}/ipengine
%{_bindir}/iplogger
%{_bindir}/iptest
%{_bindir}/ipython
%{_bindir}/irunner
%{_bindir}/pycolor
%{_mandir}/man1/ipcluster.1.gz
%{_mandir}/man1/ipcontroller.1.gz
%{_mandir}/man1/ipengine.1.gz
%{_mandir}/man1/iplogger.1.gz
%{_mandir}/man1/ipython.1.gz
%{_mandir}/man1/irunner.1.gz
%{_mandir}/man1/pycolor.1.gz
%{_datadir}/applications/ipython-qtconsole.desktop
%{_datadir}/applications/ipython.desktop
%{_datadir}/icons/hicolor/
%{python_sitelib}/%{name}
%{python_sitelib}/ipython-%{version}-py*.egg-info
%exclude %{_docdir}/%{name}/html/
%exclude %{_docdir}/%{name}/examples/

%files doc
%defattr(-,root,root) %{_docdir}/%{name}/ %exclude %{_docdir}/%{name}/COPYING.txt %exclude %{_docdir}/%{name}/README.rst %changelog ++++++ CVE-2014-3429-cross-domain.patch ++++++ Index: ipython-1.1.0/IPython/html/base/zmqhandlers.py =================================================================== --- ipython-1.1.0.orig/IPython/html/base/zmqhandlers.py 2014-08-07 16:03:13.331603969 +0200 +++ ipython-1.1.0/IPython/html/base/zmqhandlers.py 2014-08-07 16:53:08.041133824 +0200 @@ -21,6 +21,11 @@ from tornado import web from tornado import websocket +try: + from urllib.parse import urlparse # Py3 +except ImportError: + from urlparse import urlparse # Py2 + from zmq.utils import jsonapi from IPython.kernel.zmq.session import Session @@ -35,6 +40,29 @@ class ZMQStreamHandler(websocket.WebSocketHandler): + def same_origin(self): + """Check to see that origin and host match in the headers.""" + + # The difference between version 8 and 13 is that in 8 the + # client sends a "Sec-Websocket-Origin" header and in 13 it's + # simply "Origin". + if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"): + origin_header = self.request.headers.get("Sec-Websocket-Origin") + else: + origin_header = self.request.headers.get("Origin") + + host = self.request.headers.get("Host") + + # If no header is provided, assume we can't verify origin + if(origin_header is None or host is None): + return False + + parsed_origin = urlparse(origin_header) + origin = parsed_origin.netloc + + # Check to see that origin matches host directly, including ports + return origin == host + def clear_cookie(self, *args, **kwargs): """meaningless for websockets""" pass 
@@ -83,6 +111,11 @@ class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler): def open(self, kernel_id): + # Check to see that origin matches host directly, including ports + if not self.same_origin(): + self.log.warn("Cross Origin WebSocket Attempt.") + raise web.HTTPError(404) + self.kernel_id = cast_unicode(kernel_id, 'ascii') self.session = Session(config=self.config) self.save_on_message = self.on_message @@ -111,4 +144,4 @@ if self.get_current_user() is None: self.log.warn("Couldn't authenticate WebSocket connection") raise web.HTTPError(403) - self.on_message = self.save_on_message \ No newline at end of file + self.on_message = self.save_on_message -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
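Review bot: the patch headers come from a 1.1.0 tree (Index: ipython-1.1.0/IPython/html/base/zmqhandlers.py and the --- / +++ paths) while the spec builds Version: 1.0.0 from ipython-%{version}.tar.gz; %patch0 -p1 strips the directory prefix, so the path mismatch itself is harmless, but the hunk offsets (@@ -21,6 +21,11 @@, @@ -35,6 +40,29 @@, @@ -83,6 +111,11 @@, @@ -111,4 +144,4 @@) were computed against 1.1.0's copy of the file and may apply only with fuzz or offset, or fail, against 1.0.0. Regenerate the patch against the 1.0.0 source, or at least check the %prep output for "succeeded at ... with fuzz" before shipping. The try/except import of urlparse in the first hunk is fine for a Python 2/3 backport.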
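Review bot: `return origin == host` in same_origin() is an exact, case-sensitive string comparison, so a browser that sends `Origin: http://notebook.example` while the request carries `Host: notebook.example:80` (default port written on one side only), or whose two values differ only in hostname case, is classified as cross-origin and logged as an attack. Failing closed is the right default for a security fix, but it will produce spurious "Cross Origin WebSocket Attempt." warnings behind some reverse proxies and on non-default port setups; lower-case both sides and append the scheme's default port (80 for http, 443 for https, derived from parsed_origin.scheme) when the origin omits it, before comparing. The `origin_header is None` branch also deserves a line in the docstring: any client that sends no Origin header at all, which includes non-browser websocket clients, is refused from now on.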
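Review bot: the check lives in open(), which Tornado invokes as the WebSocket-opened callback once the upgrade handshake has already been accepted, so `raise web.HTTPError(404)` cannot turn the response into a 404 the way it would in an ordinary request handler; what the client observes is the connection being closed. That mirrors the pre-existing `raise web.HTTPError(403)` on failed authentication in the same class, so the style is consistent, but a comment saying why 404 was chosen over the 403 used two hunks later would help the next reader, and rejecting during the GET that requests the upgrade would be cleaner where the Tornado version in use offers a hook for it. Placement is otherwise right: the origin test runs before the Session is created and before on_message is wired up, and independently of whether a password is configured, which is what stops a cross-site page from riding the browser's cookies into the kernel.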
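Review bot: the last hunk (@@ -111,4 +144,4 @@) adds nothing but the missing newline at end of file; it is harmless, but in a backported security patch it is noise that a later rebase against a different upstream tree will trip over, so either drop it or mention it in the patch header as unrelated whitespace cleanup.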
