-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency notebook to v6.4.12 [security] #205
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/pypi-notebook-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.3 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Mar 27, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
March 27, 2023 20:44
cb0c789
to
f5bc297
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.3 [security]
Mar 28, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
March 28, 2023 08:56
f5bc297
to
4d8055c
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.3 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Mar 28, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
March 28, 2023 10:47
4d8055c
to
a277b02
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.3 [security]
Mar 28, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
March 28, 2023 13:28
a277b02
to
5ddd7f3
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.3 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Mar 28, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
March 28, 2023 15:09
5ddd7f3
to
089002f
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.3 [security]
Apr 3, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 3, 2023 10:49
089002f
to
2b0bb79
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.3 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 3, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 3, 2023 13:09
2b0bb79
to
783de05
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.3 [security]
Apr 4, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 4, 2023 19:12
783de05
to
438b5bf
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.3 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 4, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 4, 2023 23:36
438b5bf
to
ae6b9ce
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.3 [security]
Apr 5, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 5, 2023 09:46
ae6b9ce
to
49b06d6
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.3 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 5, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 5, 2023 18:46
49b06d6
to
14fc9d9
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.4 [security]
Apr 8, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 8, 2023 08:40
14fc9d9
to
11f5ef6
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.4 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 8, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 8, 2023 11:35
11f5ef6
to
70728b8
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.4 [security]
Apr 17, 2023
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 17, 2023 10:47
70728b8
to
63091a3
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.4 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 17, 2023
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.6 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 21, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 24, 2024 08:28
af4db2b
to
519d7d1
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.6 [security]
Apr 24, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 24, 2024 09:48
519d7d1
to
02df0a5
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.6 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 24, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 25, 2024 09:26
02df0a5
to
e84bafb
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.6 [security]
Apr 25, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
April 25, 2024 13:16
e84bafb
to
fe05eb5
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.6 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Apr 25, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
May 1, 2024 09:50
fe05eb5
to
ece1014
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.6 [security]
May 1, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
May 1, 2024 12:21
ece1014
to
3eb41f6
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.6 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
May 1, 2024
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.7 [security]
May 9, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
2 times, most recently
from
May 9, 2024 10:05
3546f8d
to
8dfd99b
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.7 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
May 9, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
May 15, 2024 10:41
8dfd99b
to
dc967d6
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.7 [security]
May 15, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
May 15, 2024 21:35
dc967d6
to
0a053d0
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.7 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
May 15, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
May 17, 2024 16:36
0a053d0
to
3b3a5eb
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.7 [security]
May 17, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
May 17, 2024 16:37
3b3a5eb
to
ea9bd47
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.7 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
May 17, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
June 4, 2024 11:20
ea9bd47
to
c9888b2
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.4.12 [security]
chore(deps): update dependency notebook to v6.5.7 [security]
Jun 4, 2024
renovate
bot
force-pushed
the
renovate/pypi-notebook-vulnerability
branch
from
June 4, 2024 12:17
c9888b2
to
de6d329
Compare
renovate
bot
changed the title
chore(deps): update dependency notebook to v6.5.7 [security]
chore(deps): update dependency notebook to v6.4.12 [security]
Jun 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==6.0.3
->==6.4.12
GitHub Vulnerability Alerts
CVE-2021-32798
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
5.7.11, 6.4.1
References
OWASP Page on Injection Prevention
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.
Credit: Guillaume Jeanne from Google
Example:
A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):
CVE-2021-32797
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.
References
OWASP Page on Restricting Form Submissions
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.
Credit: Guillaume Jeanne from Google
CVE-2022-24758
Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server.
Upgrade to notebook version 6.4.10
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.
Credit: @3coins for reporting. Thank you!
CVE-2022-29238
Impact
What kind of vulnerability is it? Who is impacted?
Authenticated requests to the notebook server with
ContentsManager.allow_hidden = False
only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g.
~/.ssh
while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed.Patches
Has the problem been patched? What versions should users upgrade to?
notebook 6.4.12
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
self.is_hidden(path)
prior to completing actionsReferences
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
CVE-2020-26215
localhost
Impact
What kind of vulnerability is it? Who is impacted?
Open redirect vulnerability - a maliciously crafted link to a notebook server could redirect the browser to a different website.
All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet.
Patches
Has the problem been patched? What versions should users upgrade to?
Patched in notebook 6.1.5
References
OWASP page on open redirects
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.
Credit: zhuonan li of Alibaba Application Security Team
Release Notes
jupyter/notebook (notebook)
v6.4.12
Compare Source
What's Changed
Full Changelog: jupyter/notebook@v6.4.11...6.4.12
v6.4.11
Compare Source
6.4.11
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@blink1073 | @echarles | @fcollonval | @github-actions | @jtpio | @penguinolog
v6.4.10
Compare Source
v6.4.9
Compare Source
v6.4.8
Compare Source
(Full Changelog)
Bugs fixed
Contributors to this release
(GitHub contributors page for this release)
@Vishwajeet0510
v6.4.7
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Other merged PRs
Contributors to this release
(GitHub contributors page for this release)
@antoinecarme | @blink1073 | @ccw630 | @kevin-bates | @LiHua-Official | @penguinolog | @tornaria
v6.4.6
Compare Source
(Full Changelog)
Bugs fixed
asyncio
error when opening notebooks #6221 (@dleen)send2trash
tests failing on Windows #6127 (@dolfinus)Maintenance and upkeep improvements
pywinpty
is ported for python 3.9 #6228 (@nsait-linaro
)Contributors to this release
(GitHub contributors page for this release)
@bnavigator | @dleen | @dolfinus | @jackexu | @kevin-bates | @maliubiao |
@nsait-linaro
| @takluyver | @Zsailerv6.4.5
Compare Source
(Full Changelog)
Bug fixes
Maintenance and upkeep improvements
jupyter_client
warning #6178 (@martinRenou)Documentation improvements
nbsphinx
to 0.8.6 #6201 (@kevin-bates)nbsphinx
to 0.8.6, clean up orphaned resources #6194 (@kevin-bates)Contributors to this release
(GitHub contributors page for this release)
@blink1073 | @jgarte | @kevin-bates | @martinRenou | @mgeier
v6.4.4
Compare Source
(Full Changelog)
Documentation improvements
Other merged PRs
Contributors to this release
(GitHub contributors page for this release)
@blink1073 | @kevin-bates | @krassowski | @massongit | @minrk | @Zsailer
v6.4.3
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin | @blink1073 | @Zsailer
v6.4.2
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin | @Amr-Ibra | @frenzymadness | @ilayh123 | @kevin-bates | @Nazeeh21 | @saiwing-yeung
v6.4.1
Compare Source
v6.4.0
Compare Source
(Full Changelog)
Bugs fixed
Maintenance and upkeep improvements
Documentation improvements
Contributors to this release
(GitHub contributors page for this release)
@afshin | @befeleme | @blink1073 | @faucct | @frenzymadness | @gamestrRUS | @jtpio | @kevin-bates | @minrk | @misterhay | @stef4k | @wggillen
v6.3.0
Compare Source
Merged PRs
Contributors to this release
(GitHub contributors page for this release)
@abielhammonds | @afshin | @ajharry | @Alokrar | @befeleme | @blairdrummond | @blink1073 | @bollwyvl | @Carreau | @ChenChenDS | @cosmoscalibur | @dlrice | @dwanneruchi | @ElisonSherton | @FazeelUsmani | @frenzymadness | @goerz | @insolor | @jasongrout | @JianghuiDu | @JuzerShakir | @kevin-bates | @Khalilsqu | @meeseeksdev | @mgeier | @michaelpedota | @mjbright | @MSeal | @ncoughlin | @NTimmons | @ProsperousHeart | @rjn01 | @slw07g | @stenivan | @takluyver | @thomasrockhu | @wgilpin | @wxtt522 | @yuvipanda | @Zsailer
v6.2.0
Compare Source
v6.1.6
Compare Source
v6.1.5
Compare Source
6.1.5 is a security release, fixing one vulnerability:
v6.1.4
Compare Source
Thank you to all the contributors:
v6.1.3
Compare Source
Thank you to all the contributors:
v6.1.2
Compare Source
Thank you to all the contributors:
v6.1.1
Compare Source
Thank you to all the contributors:
v6.1.0
Compare Source
Please note that this repository is currently maintained by a skeleton
crew of maintainers from the Jupyter community. For our approach moving
forward, please see this
notice from the README.
Thank you.
Here is an enumeration of changes made since the last release and
included in 6.1.0.
cmdtrl-enter
to run a cell (5120)--autoreload
flag toNotebookApp
(4795)last_activity
attr exists before use (5355)\gdef
(4407)custom_display_url
(5544)cell.is_editable
during find-and-replace (5545)JUPYTER_TOKEN_FILE
(5587)5.56.0+components1
(5637)Thank you to all the contributors:
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.