Security release: Notebook 5.4.1


Thomas Kluyver

Mar 18, 2018, 5:06:10 AM
to Project Jupyter
We have released a minor version of Jupyter Notebook to fix a security vulnerability which allows a malicious notebook file containing invalid HTML to execute Javascript when it is loaded. Because Javascript on a notebook page can communicate with kernels, it can then do any operation that the notebook user could do.

This vulnerability is tracked as CVE-2018-8768.

You can upgrade now using pip:

    pip install --upgrade notebook

Packages for conda will be available through conda-forge later today. When they are ready, you can upgrade with:

    conda update notebook

The second one implements the fix, but it won't work without the first. You will need to rebuild the minified Javascript after making these changes. If you're not sure of how to do this, we strongly encourage you to use our releases instead. Version 5.5, which we hope to release next week, will also include the fix.

We're grateful to Alex (HackerOne user pisarenko) for finding this issue, and Jonathan Kamens and Scott Sanderson at Quantopian for verifying it and bringing it to the core team.

We haven't yet heard of any notebooks using the attack in the wild, and for now we're not publishing a sample that demonstrates how to do it. But you should assume that malicious actors can figure out attacks from the published fix, if they have not already discovered this. So please upgrade promptly.

Unfortunately this fix may break the display of HTML in some non-malicious notebooks if they unwittingly relied on jQuery to fix up invalid HTML. Sorry about this, but we hope you'll understand why it was necessary.
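A small audit script, added here as an example and not part of the announcement or of the Jupyter code base, that lists the text/html outputs in a notebook whose tags are unbalanced, the kind of invalid HTML that a browser-side fix-up used to repair. It assumes the nbformat layout (cells, outputs, data, "text/html") and uses a tag-balance heuristic rather than a full HTML5 parser, so it flags candidates for review, not a verdict.

```python
from html.parser import HTMLParser
# HTML5 void elements never take a closing tag, so they are ignored here.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}

class TagBalance(HTMLParser):
    """Heuristic well-formedness check: records unclosed and stray closing tags."""
    def __init__(self):
        super().__init__()
        self.stack, self.problems = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in self.stack:
            # Pop back to the matching open tag; anything skipped was never closed.
            while (opened := self.stack.pop()) != tag:
                self.problems.append(f"unclosed <{opened}>")
        elif tag not in VOID:
            self.problems.append(f"stray </{tag}>")
    def close(self):
        super().close()
        self.problems.extend(f"unclosed <{t}>" for t in self.stack)

def html_problems(fragment):
    parser = TagBalance()
    parser.feed(fragment)
    parser.close()
    return parser.problems

def scan_notebook(nb):
    """(cell_index, output_index, problems) for every text/html output that is not well-formed."""
    findings = []
    for ci, cell in enumerate(nb.get("cells", [])):
        for oi, out in enumerate(cell.get("outputs", [])):
            html = out.get("data", {}).get("text/html")
            if html is None:
                continue
            if isinstance(html, list):  # nbformat may store text as a list of lines
                html = "".join(html)
            problems = html_problems(html)
            if problems:
                findings.append((ci, oi, problems))
    return findings

# Constructed two-cell notebook (not a real file); the second output leaves <b> unclosed.
SAMPLE_NB = {"cells": [
    {"cell_type": "code", "outputs": [{"data": {"text/html": ["<b>ok</b>"]}}]},
    {"cell_type": "code", "outputs": [{"data": {"text/html": "<div><b>oops</div>"}}]},
]}
```

Load a real file with `json.load(open("notebook.ipynb"))` and pass the result to `scan_notebook`; markdown cells with inline HTML are not covered by this check.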

If you discover any other security issues in Jupyter or IPython software, please let us know at secu...@ipython.org . More info at: http://jupyter-notebook.readthedocs.io/en/stable/security.html#reporting-security-issues

Thanks,
Thomas