From ${URL} : A vulnerability in IPython allows a maliciously forged file to be opened for editing that could execute JavaScript code, specifically by being redirected to /files/ due to mistakenly treating the file as plain text. Versions >= 3.0 and <= 3.2.1 of IPython are affected. Upstream patch: https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967 CVE request: http://seclists.org/oss-sec/2015/q3/558 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@marbre, could you please see whether there is any chance to get a fix for <ipython-4 into the tree? And if so, please send a PR.
Done for ipython 3.2.0 and 3.2.1 (now both -r1). https://github.com/gentoo/gentoo/pull/100
commit c1ffdebd962ee305a51efc42433c42ce27ab814b Author: Justin Lecher <jlec@gentoo.org> Date: Thu Sep 17 20:37:02 2015 +0200 Merge branch 'marbre-ipython' * marbre-ipython: dev-python/ipython: Fix security issue Github: Closes gentoo/gentoo#100 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1ffdebd962ee305a51efc42433c42ce27ab814b
@arches, please stable dev-python/ipython-3.2.1-r1
amd64 stable
x86 stable
Stable for PPC64.
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
commit 109af39f8885db800c3a13931c80d31d83939d9d Author: Justin Lecher <jlec@gentoo.org> Date: Tue Sep 22 11:24:37 2015 +0200 dev-python/ipython: Drop vulnerable version Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=560708 Package-Manager: portage-2.2.21 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=109af39f8885db800c3a13931c80d31d83939d9d
@sec, all clean now.
Maintainer(s), thank you for cleanup. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201512-02 at https://security.gentoo.org/glsa/201512-02 by GLSA coordinator Yury German (BlueKnight).