Notebook 5.6.0 released with security fix


Thomas Kluyver

Jul 16, 2018, 6:23:17 AM7/16/18
to Project Jupyter
Hi all,

We released notebook 5.6 over the weekend, and you should be able to upgrade with pip or conda (using conda-forge) now.

We were notified of another bug which allows an untrusted notebook to execute code as soon as it opens, and this is fixed in 5.6. So we advise everyone to upgrade as soon as practical. For now, we're not sharing an example of how to exploit this vulnerability, but you should assume people will figure it out fast, if they haven't already.

There are a number of other features and fixes in the release, which you can see here:

Thanks to everyone who contributed to this release, and in particular to Jonathan Kamens, who both reported the security issue and figured out what we needed to do to fix it.

Thomas

Thomas Kluyver

Jul 22, 2018, 6:44:34 AM7/22/18
to Project Jupyter
For reference, the security vulnerability which we fixed in this release has now been assigned a CVE number: CVE-2018-1999024

The bug was actually in the Mathjax library, and the fix in notebook 5.6.0 was simply upgrading Mathjax to version 2.7.4.

It seems the CVE databases don't update instantly, but hopefully this will be there soon.
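The advisory above only tells readers the fix ships in notebook 5.6.0 (via MathJax 2.7.4). The script below is an added example, not part of the thread or of the Jupyter project, that checks whether an installed `notebook` version is at or above that release. It compares versions numerically rather than as strings (so 5.10.x sorts above 5.6.0) and treats pre-releases of 5.6.0 as unpatched, since they may predate the MathJax upgrade; it assumes nothing about notebook's internal file layout.

```python
"""Added example (not from the Jupyter thread or project): decide whether an
installed notebook version includes the fix announced for notebook 5.6.0."""
import re

FIXED_VERSION = (5, 6, 0)  # first release named as fixed in the announcement

# major.minor[.patch] followed by any PEP 440 suffix (rc1, a1, .dev0, .post1, ...)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(version):
    """Return (major, minor, patch, is_final) for a release string.

    Pre-release suffixes such as 'rc1', 'a1', 'b2' or '.dev0' make is_final
    False; a post-release ('.post1') still counts as the final release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    is_final = suffix == "" or suffix.startswith(".post")
    return (int(major), int(minor), int(patch or 0), is_final)


def is_patched(version):
    """True if `version` is 5.6.0 or later as a final release.

    Tuples are compared numerically, so '5.10.1' correctly sorts above '5.6.0'
    where a plain string comparison would rank it below. A pre-release of
    exactly 5.6.0 (e.g. '5.6.0rc1') is reported as unpatched.
    """
    major, minor, patch, is_final = parse_version(version)
    release = (major, minor, patch)
    if release > FIXED_VERSION:
        return True
    return release == FIXED_VERSION and is_final


def installed_notebook_status():
    """Look up the installed `notebook` distribution, if any.

    Returns (version, patched), or (None, None) when the package is not
    installed or importlib.metadata is unavailable (Python < 3.8).
    """
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:
        return (None, None)
    try:
        installed = version("notebook")
    except PackageNotFoundError:
        return (None, None)
    return (installed, is_patched(installed))


if __name__ == "__main__":
    # Constructed sample versions to illustrate the ordering rules.
    for sample in ["5.5.0", "5.6.0rc1", "5.6.0", "5.10.1", "6.0.0"]:
        print(f"{sample:10} patched={is_patched(sample)}")
    print("installed notebook:", installed_notebook_status())
```

Run it inside the environment that serves notebooks; the last line reports the live install, and `(None, None)` means the `notebook` package was not found there at all.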

Matthias Bussonnier

Jul 22, 2018, 2:26:56 PM7/22/18
to jup...@googlegroups.com
Should the blog post be updated now? Or on August 17th?
-- 
M

--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+u...@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/CAOvn4qhGGYd-%2BphFRi8v3nZenTvbfuZY7QUn%3D%2BpppAxMOwBNpA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Damián Avila

Jul 26, 2018, 12:56:37 PM7/26/18
to jup...@googlegroups.com
> A CVE has been requested for the vulnerability. Release notes for 5.6.0 and this post will be updated as the CVE is assigned

I guess we should update the post given what we said before.




--
Damián Avila