We have released a minor version of Jupyter Notebook to fix a security
vulnerability which allows a malicious notebook file containing invalid
HTML to execute Javascript when it is loaded. Because Javascript on a
notebook page can communicate with kernels, it can then do any operation
that the notebook user could do.

This vulnerability is tracked as CVE-2018-8768.

You can upgrade now using pip:

    pip install --upgrade notebook

Packages for conda will be available through conda-forge later today. When
they are ready, you can upgrade with:

    conda update notebook

If you need to backport the fix to older versions, you need these two
commits:

https://github.com/jupyter/notebook/commit/449368877f050c107b5d52ff610cbf6fb27b81b2
https://github.com/jupyter/notebook/commit/4e79ebb49acac722b37b03f1fe811e67590d3831

The second one implements the fix, but it won't work without the first. You
will need to rebuild the minified Javascript after making these changes. If
you're not sure of how to do this, we strongly encourage you to use our
releases instead. Version 5.5, which we hope to release next week, will
also include the fix.

We're grateful to Alex (HackerOne user pisarenko) for finding this issue,
and Jonathan Kamens and Scott Sanderson at Quantopian for verifying it and
bringing it to the core team.

We haven't yet heard of any notebooks using the attack in the wild, and for
now we're not publishing a sample that demonstrates how to do it. But you
should assume that malicious actors can figure out attacks from the
published fix, if they have not already discovered this. So please upgrade
promptly.

Unfortunately this fix may break the display of HTML in some non-malicious
notebooks if they unwittingly relied on jQuery to fix up invalid HTML.
Sorry about this, but we hope you'll understand why it was necessary.
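The failure mode described above is worth stating as a defensive rule: a sanitizer that emits markup which is not well-formed hands a second parser (here jQuery) the job of repairing it, and the repaired DOM can differ from what the sanitizer believed it had approved. As an added example, not Jupyter's code or its actual fix, the Python sanitizer below works on the parsed tree rather than the raw string, closes every element so its output is canonical, and includes a stability check that a second pass changes nothing; the tag and attribute allowlists are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "div", "span", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a", "img", "br"}
ALLOWED_ATTRS = {"*": {"class"}, "a": {"href"}, "img": {"src", "alt"}}  # constructed allowlists, tune per deployment
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")  # any other URL scheme is dropped
DROP_CONTENT = {"script", "style"}  # element and its text content are both removed


class TreeSanitizer(HTMLParser):
    # Re-emits only allowlisted markup from the parse events; every element is closed,
    # so the output is well-formed and leaves a second parser nothing to "fix up".
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
        elif not self.skipping and tag in ALLOWED_TAGS:  # else: tag dropped, its text kept
            allowed = ALLOWED_ATTRS["*"] | ALLOWED_ATTRS.get(tag, set())
            kept = ""
            for name, value in attrs:  # anything not allowlisted (every on* handler) is dropped
                if name in allowed and value is not None and (
                        name not in ("href", "src") or value.strip().lower().startswith(SAFE_URL_PREFIXES)):
                    kept += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag not in ("br", "img"):  # void elements are never left open
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(self.skipping - 1, 0)
        elif not self.skipping and tag in self.stack:  # stray end tags are ignored
            while self.stack[-1] != tag:  # close inner elements left open before this one
                self.out.append(f"</{self.stack.pop()}>")
            self.out.append(f"</{self.stack.pop()}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))


def sanitize(html):
    parser = TreeSanitizer()
    parser.feed(html)
    parser.close()  # flush buffered input, then close whatever is still open at EOF
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.stack))


def is_stable(html):
    # A second pass must change nothing: the output is then canonical and leaves no invalid markup.
    return sanitize(sanitize(html)) == sanitize(html)
```

Unclosed elements, mismatched nesting and an unterminated `<script>` all come out as closed, well-formed markup (the latter fails closed by dropping the rest of the input), which is exactly the input a renderer should never have to repair.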

If you discover any other security issues in Jupyter or IPython software,
please let us know at [email protected]. More info at:
http://jupyter-notebook.readthedocs.io/en/stable/security.html#reporting-security-issues

Thanks,
Thomas
