Bug 681030 (CVE-2019-9644) - <dev-python/notebook-5.7.8: XSSI due to invalid javascript (CVE-2019-9644)
Summary: <dev-python/notebook-5.7.8: XSSI due to invalid javascript (CVE-2019-9644)
Status: RESOLVED FIXED
Alias: CVE-2019-9644
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on: 719714
Blocks:
Reported: 2019-03-20 13:49 UTC by Agostino Sarubbo
Modified: 2020-09-06 00:42 UTC (History)
CC List: 2 users

See Also:
Package list:
dev-python/pyzmq-19.0.1_p20200608 dev-python/nbval-0.9.1-r1 dev-python/notebook-6.0.3 dev-python/prometheus_client-0.8.0
Runtime testing required: ---
nattka: sanity-check+
Description Agostino Sarubbo gentoo-dev 2019-03-20 13:49:16 UTC
From ${URL} :

An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by 
users who are authenticated with a Jupyter server.

Reference:
https://security-tracker.debian.org/tracker/CVE-2019-9644

Upstream commit:
https://github.com/jupyter/notebook/compare/f3f00df...05aa4b2



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
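The class of bug described above (a JSON or script-like response that an unrelated origin can load with a `<script src>` tag while the victim's Jupyter cookies are sent along) has a standard defence: make the response body a JavaScript syntax error so that it can never execute as a script, and have the legitimate same-origin client strip that prefix before parsing. The following is an added illustration of that defence and of a parser-based check for it; it is not code from the Jupyter project, from the upstream fix linked above, or from this bug report. The prefix string, the function names and the sample file names are assumptions chosen for the example.

```javascript
// Added example (not code from the Jupyter project or this bug report).
// Demonstrates the XSSI defence of prefixing JSON responses so that they are
// a syntax error when a third-party page loads them with <script src>, while
// a same-origin client that knows the prefix can still read them.

// Assumed prefix; any string that cannot start a valid JavaScript program works.
const ANTI_XSSI_PREFIX = ")]}',\n";

// Returns true if `body` parses as JavaScript, i.e. it could execute when
// included as a script on another origin's page. Only the parser is used:
// new Function compiles the body but never calls it.
function isValidScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: serialise and wrap so the body is not loadable as a script.
function wrapJsonResponse(data) {
  return ANTI_XSSI_PREFIX + JSON.stringify(data);
}

// Client side: refuse bodies without the prefix (they did not come from the
// hardened handler), then strip it and parse the JSON that follows.
function parseWrappedResponse(body) {
  if (!body.startsWith(ANTI_XSSI_PREFIX)) {
    throw new Error("response lacks anti-XSSI prefix");
  }
  return JSON.parse(body.slice(ANTI_XSSI_PREFIX.length));
}

// Constructed sample payload standing in for data that only an authenticated
// user should be able to read.
const sample = ["notebook-1.ipynb", "secrets.ipynb"];
const plain = JSON.stringify(sample);      // bare JSON array: a valid script
const wrapped = wrapJsonResponse(sample);  // prefixed: a syntax error as a script

if (typeof require !== "undefined" && require.main === module) {
  console.log("bare JSON array parses as a script:", isValidScript(plain));
  console.log("prefixed body parses as a script:", isValidScript(wrapped));
  console.log("same-origin client reads:", parseWrappedResponse(wrapped));
}
```

Note that a top-level JSON object such as `{"a":1}` is already a syntax error as a script (the braces are parsed as a block), whereas a top-level JSON array is a valid expression statement; the prefix removes that distinction so the check does not depend on the shape of the data. Responses should also carry a non-script `Content-Type` and be checked for the prefix on the client, as above, so that a regression on the server is noticed immediately.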
Comment 1 Stabilization helper bot gentoo-dev 2019-10-27 01:01:38 UTC
An automated check of this bug failed - repoman reported dependency errors (99 lines truncated): 

> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-python/terminado-0.8.1[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', '>=dev-python/pyzmq-17[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', '>=dev-python/jupyter_client-5.2[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', 'dev-python/nbval[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-python/terminado-0.8.1[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', '>=dev-python/pyzmq-17[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', '>=dev-python/jupyter_client-5.2[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-python/terminado-0.8.1[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', '>=dev-python/pyzmq-17[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', '>=dev-python/jupyter_client-5.2[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]', 'dev-python/nbval[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
Comment 2 Stabilization helper bot gentoo-dev 2019-11-03 14:02:33 UTC
An automated check of this bug failed - repoman reported dependency errors (78 lines truncated): 

> dependency.bad dev-python/pyzmq/pyzmq-17.1.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=www-servers/tornado-5.0.2[python_targets_python2_7(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python2_7(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/pyzmq/pyzmq-17.1.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=www-servers/tornado-5.0.2[python_targets_python2_7(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python2_7(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/pyzmq/pyzmq-17.1.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['>=www-servers/tornado-5.0.2[python_targets_python2_7(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python2_7(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: DEPEND: x86(default/linux/x86/17.0) ['dev-python/prometheus_client[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: RDEPEND: x86(default/linux/x86/17.0) ['dev-python/prometheus_client[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: DEPEND: x86(default/linux/x86/17.0) ['dev-python/prometheus_client[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
Comment 3 Stabilization helper bot gentoo-dev 2019-12-13 18:02:31 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: DEPEND: x86(default/linux/x86/17.0) ['dev-python/prometheus_client[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: RDEPEND: x86(default/linux/x86/17.0) ['dev-python/prometheus_client[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
> dependency.bad dev-python/notebook/notebook-5.7.8.ebuild: DEPEND: x86(default/linux/x86/17.0) ['dev-python/prometheus_client[python_targets_python3_5(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_5(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-)]']
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-15 14:50:46 UTC
amd64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 19:55:25 UTC
@x86: ping.
Comment 6 Stabilization helper bot gentoo-dev 2020-03-28 19:59:44 UTC
An automated check of this bug failed - the following atom is unknown:

dev-python/prometheus_client-0.6.0

Please verify the atom list.
Comment 7 NATTkA bot gentoo-dev 2020-05-04 11:52:53 UTC
Unable to check for sanity:

> no match for package: dev-python/pyzmq-17.1.0
Comment 8 NATTkA bot gentoo-dev 2020-05-05 21:17:18 UTC
All sanity-check issues have been resolved
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 10:31:54 UTC
tatt is unable to handle this bug,

  - dev-python/prometheus_client-0.7.1-r1::gentoo (masked by: missing keyword)
Comment 10 NATTkA bot gentoo-dev 2020-07-12 17:02:05 UTC
Unable to check for sanity:

> no match for package: dev-python/terminado-0.8.1
Comment 11 NATTkA bot gentoo-dev 2020-07-25 08:57:43 UTC
Unable to check for sanity:

> no match for package: dev-python/jupyter_client-5.2.3-r1
Comment 12 NATTkA bot gentoo-dev 2020-07-25 09:10:14 UTC
All sanity-check issues have been resolved
Comment 13 NATTkA bot gentoo-dev 2020-08-22 07:17:26 UTC
Unable to check for sanity:

> no match for package: dev-python/pyzmq-19.0.0
Comment 14 NATTkA bot gentoo-dev 2020-08-29 07:57:59 UTC
All sanity-check issues have been resolved
Comment 15 NATTkA bot gentoo-dev 2020-09-05 06:14:27 UTC
Unable to check for sanity:

> no match for package: dev-python/nbval-0.9.1
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-06 00:35:22 UTC
Dropping bug 728896; Package was marked stable despite that bug in the meanwhile :/
Comment 17 NATTkA bot gentoo-dev 2020-09-06 00:38:07 UTC
All sanity-check issues have been resolved
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-06 00:41:15 UTC
x86 stable
Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-06 00:42:06 UTC
Repository is clean, all done.