| Summary: | dev-python/ipython: insecure loading of the MathJax library | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1125937 | ||
| Whiteboard: | B4 [upstream/ebuild] | ||
| Package list: | Runtime testing required: | --- | |
dev-python/ipython ebuilds depend on dev-libs/mathjax and create $(python_get_sitedir)/IPython/html/static/mathjax symlinks to allow using IPython Notebook without network connection, so then there is no loading of MathJax using either HTTP or HTTPS. (Even in the referenced commit, you can see comment "no local mathjax, serve from CDN".) thanks Arfrever. This in summary means thus bug is simply not required or valid. However, ipython-2.2 is now getting close which will 'fix' it anyway, though what might cause some angst is cleanout of affected versions. As explained earlier, this bug should be closed as RESOLVED INVALID. |
From ${URL} : It was reported [1],[2] that when an IPython notebook is used without encryption (that is, running over HTTP instead of HTTPS), the MathJax library is loaded over HTTP. A man-in-the-middle attacker could potentially use this flaw to execute arbitrary code in a local IPython notebook by modifying the loaded MathJax JavaScript code. This issue is fixed in the upcoming version 2.2 with the patch available at [3]. The report indicates versions 0.12 to 2.1 are vulnerable to this flaw. The version of IPython shipped with EPEL5 (0.8.4) is not vulnerable to this issue as the vulnerable code that loads MathJax is not present. [1] https://github.com/ipython/ipython/issues/6246 [2] http://seclists.org/oss-sec/2014/q3/272 [3] https://github.com/ipython/ipython/commit/cf793ebc4f9e8483f104667e4c73748357fa8c56 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.