chore(deps): update dependency notebook to v6.4.12 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
notebook	==6.0.3 -> ==6.4.12

GitHub Vulnerability Alerts

CVE-2021-32798

Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

Patches

5.7.11, 6.4.1

References

OWASP Page on Injection Prevention

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

Example:

A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):

{ "cell_type": "code", "execution_count": 0, "metadata": {}, "outputs": [ { "data": { "text/html": [ "<select><iframe></select><img src=x: onerror=alert('xss')>\n"], "text/plain": [] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "" ] }

CVE-2021-32797

Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

Patches

Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.

References

OWASP Page on Restricting Form Submissions

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

CVE-2022-24758

Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server.

Upgrade to notebook version 6.4.10

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: @​3coins for reporting. Thank you!

CVE-2022-29238

Impact

What kind of vulnerability is it? Who is impacted?

Authenticated requests to the notebook server with ContentsManager.allow_hidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.

Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. ~/.ssh while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed.

Patches

Has the problem been patched? What versions should users upgrade to?

notebook 6.4.12

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• Do not run the notebook server in a directory with hidden files, use subdirectories
• Use a custom ContentsManager with additional checks for self.is_hidden(path) prior to completing actions

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

• Open an issue in example link to repo
• Email us at example email address

CVE-2020-26215

localhost

Impact

What kind of vulnerability is it? Who is impacted?

Open redirect vulnerability - a maliciously crafted link to a notebook server could redirect the browser to a different website.

All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet.

Patches

Has the problem been patched? What versions should users upgrade to?

Patched in notebook 6.1.5

References

OWASP page on open redirects

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: zhuonan li of Alibaba Application Security Team

---

Release Notes

jupyter/notebook (notebook)

v6.4.12

Compare Source

What's Changed

• Address security advisory GHSA-v7vq-3x77-87vg

Full Changelog: jupyter/notebook@v6.4.11...6.4.12

v6.4.11

Compare Source

6.4.11

(Full Changelog)

Bugs fixed

• Update further to ipykernel comm refactoring #​6358 (@​echarles)

Maintenance and upkeep improvements

• Add testpath to the test dependencies. #​6357 (@​echarles)
• Temporary workaround to fix js-tests related to sanitizer js loading by phantomjs #​6356 (@​echarles)
• Use place-hold.it instead of plaecehold.it to create image placeholders #​6320 (@​echarles)
• Migrate to python 3.7+ #​6260 - Fixes #​6256 (@​penguinolog)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​echarles | @​fcollonval | @​github-actions | @​jtpio | @​penguinolog

v6.4.10

Compare Source

v6.4.9

Compare Source

v6.4.8

Compare Source

(Full Changelog)

Bugs fixed

• Fix to remove potential memory leak on Jupyter Notebooks ZMQChannelHandler code #​6251 (@​Vishwajeet0510)

Contributors to this release

(GitHub contributors page for this release)

@​Vishwajeet0510

v6.4.7

Compare Source

(Full Changelog)

Bugs fixed

• Fix Chinese punctuation #​6268 (@​LiHua-Official)
• Add date field to kernel message header #​6265 (@​kevin-bates)
• Fix deprecation warning #​6253 (@​tornaria)

Maintenance and upkeep improvements

• Enforce labels on PRs #​6235 (@​blink1073)
• Fix: CI error for python 3.6 & macOS #​6215 (@​penguinolog)

Other merged PRs

• handle KeyError when get session #​6245 (@​ccw630)
• Updated doc for passwd #​6209 (@​antoinecarme)

Contributors to this release

(GitHub contributors page for this release)

@​antoinecarme | @​blink1073 | @​ccw630 | @​kevin-bates | @​LiHua-Official | @​penguinolog | @​tornaria

v6.4.6

Compare Source

(Full Changelog)

Bugs fixed

• Fix asyncio error when opening notebooks #​6221 (@​dleen)
• Change to use a universal Chinese translation on certain words #​6218 (@​jackexu)
• Fix Chinese translation typo #​6211 (@​maliubiao
• Fix send2trash tests failing on Windows #​6127 (@​dolfinus)

Maintenance and upkeep improvements

• TST: don't look in user site for serverextensions #​6233 (@​bnavigator)
• Enable terminal tests as pywinpty is ported for python 3.9 #​6228 (@nsait-linaro)

Contributors to this release

(GitHub contributors page for this release)

@​bnavigator | @​dleen | @​dolfinus | @​jackexu | @​kevin-bates | @​maliubiao | @nsait-linaro | @​takluyver | @​Zsailer

v6.4.5

Compare Source

(Full Changelog)

Bug fixes

• Recover from failure to render mimetype #​6181 (@​martinRenou)

Maintenance and upkeep improvements

• Fix crypto handling #​6197 (@​blink1073)
• Fix jupyter_client warning #​6178 (@​martinRenou)

Documentation improvements

• Fix nbsphinx settings #​6200 (@​mgeier)
• Fully revert the pinning of nbsphinx to 0.8.6 #​6201 (@​kevin-bates)
• Pin nbsphinx to 0.8.6, clean up orphaned resources #​6194 (@​kevin-bates)
• Fix typo in docstring #​6188 (@​jgarte)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​jgarte | @​kevin-bates | @​martinRenou | @​mgeier

v6.4.4

Compare Source

(Full Changelog)

Documentation improvements

• Update Manual Release Instructions #​6152 (@​blink1073)

Other merged PRs

• Use default JupyterLab CSS sanitizer options for Markdown #​6160 (@​krassowski)
• Fix syntax highlight #​6128 (@​massongit)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​kevin-bates | @​krassowski | @​massongit | @​minrk | @​Zsailer

v6.4.3

Compare Source

(Full Changelog)

Bugs fixed

• Add @​babel/core dependency #​6133 (@​afshin)
• Switch webpack to production mode #​6131 (@​afshin)

Maintenance and upkeep improvements

• Clean up link checking #​6130 (@​blink1073)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​blink1073 | @​Zsailer

v6.4.2

Compare Source

(Full Changelog)

Bugs fixed

• Add missing file to manifest #​6122 (@​afshin)
• Fix issue #​3218 #​6108 (@​Nazeeh21)
• Fix version of jupyter-packaging in pyproject.toml #​6101 (@​frenzymadness)
• "#element".tooltip is not a function on home page fixed. #​6070 @​ilayh123

Maintenance and upkeep improvements

• Enhancements to the desktop entry #​6099 (@​Amr-Ibra)
• Add missing spaces to help messages in config file #​6085 (@​saiwing-yeung)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​Amr-Ibra | @​frenzymadness | @​ilayh123 | @​kevin-bates | @​Nazeeh21 | @​saiwing-yeung

v6.4.1

Compare Source

v6.4.0

Compare Source

(Full Changelog)

Bugs fixed

• Fix Handling of Encoded Paths in Save As Dialog #​6030 (@​afshin)
• Fix: split_cell doesn't always split cell #​6017 (@​gamestrRUS)
• Correct 'Content-Type' headers #​6026 (@​faucct)
• Fix skipped tests & remove deprecation warnings #​6018 (@​befeleme)
• [Gateway] Track only this server's kernels #​5980 (@​kevin-bates)
• Bind the HTTPServer in start #​6061

Maintenance and upkeep improvements

• Revert "do not apply asyncio patch for tornado >=6.1" #​6052 (@​minrk)
• Use Jupyter Releaser #​6048 (@​afshin)
• Add Workflow Permissions for Lock Bot #​6042 (@​jtpio)
• Fixes related to the recent changes in the documentation #​6021 (@​frenzymadness)
• Add maths checks in CSS reference test #​6035 (@​stef4k)
• Add Issue Lock and Answered Bots #​6019 (@​afshin)

Documentation improvements

• Spelling correction #​6045 (@​wggillen)
• Minor typographical and comment changes #​6025 (@​misterhay)
• Fixes related to the recent changes in the documentation #​6021 (@​frenzymadness)
• Fix readthedocs environment #​6020 (@​blink1073)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​befeleme | @​blink1073 | @​faucct | @​frenzymadness | @​gamestrRUS | @​jtpio | @​kevin-bates | @​minrk | @​misterhay | @​stef4k | @​wggillen

v6.3.0

Compare Source

Merged PRs

• Add square logo and desktop entry files #​6010 (@​befeleme)
• Modernize Changelog #​6008 (@​afshin)
• Add missing "import inspect" #​5999 (@​mgeier)
• Add Codecov badge to README #​5989 (@​thomasrockhu)
• Remove configuration for nosetests from setup.cfg #​5986 (@​frenzymadness)
• Update security.rst #​5978 (@​dlrice)
• Docs-Translations: Updated Hindi and Chinese Readme.md #​5976 (@​rjn01)
• Allow /metrics by default if auth is off #​5974 (@​blairdrummond)
• Skip terminal tests on Windows 3.9+ (temporary) #​5968 (@​kevin-bates)
• Update GatewayKernelManager to derive from AsyncMappingKernelManager #​5966 (@​kevin-bates)
• Drop use of deprecated pyzmq.ioloop #​5965 (@​kevin-bates)
• Drop support for Python 3.5 #​5962 (@​kevin-bates)
• Allow jupyter_server-based contents managers in notebook #​5957 (@​afshin)
• Russian translation fixes #​5954 (@​insolor)
• Increase culling test idle timeout #​5952 (@​kevin-bates)
• Re-enable support for answer_yes flag #​5941 (@​afshin)
• Replace Travis and Appveyor with Github Actions #​5938 (@​kevin-bates)
• DOC: Server extension, extra docs on configuration/authentication. #​5937 (@​Carreau)

Contributors to this release

(GitHub contributors page for this release)

@​abielhammonds | @​afshin | @​ajharry | @​Alokrar | @​befeleme | @​blairdrummond | @​blink1073 | @​bollwyvl | @​Carreau | @​ChenChenDS | @​cosmoscalibur | @​dlrice | @​dwanneruchi | @​ElisonSherton | @​FazeelUsmani | @​frenzymadness | @​goerz | @​insolor | @​jasongrout | @​JianghuiDu | @​JuzerShakir | @​kevin-bates | @​Khalilsqu | @​meeseeksdev | @​mgeier | @​michaelpedota | @​mjbright | @​MSeal | @​ncoughlin | @​NTimmons | @​ProsperousHeart | @​rjn01 | @​slw07g | @​stenivan | @​takluyver | @​thomasrockhu | @​wgilpin | @​wxtt522 | @​yuvipanda | @​Zsailer

v6.2.0

Compare Source

v6.1.6

Compare Source

v6.1.5

Compare Source

6.1.5 is a security release, fixing one vulnerability:

• Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned)

v6.1.4

Compare Source

• Fix broken links to jupyter documentation (5686)
• Add additional entries to troubleshooting section (5695)
• Revert change in page alignment (5703)
• Bug fix: remove double encoding in download files (5720)
• Fix typo for Check in zh_CN (5730)
• Require a file name in the "Save As" dialog (5733)

Thank you to all the contributors:

• bdbai
• Jaipreet Singh
• Kevin Bates
• Pavel Panchekha
• Zach Sailer

v6.1.3

Compare Source

• Title new buttons with label if action undefined (5676)

Thank you to all the contributors:

• Kyle Kelley

v6.1.2

Compare Source

• Fix russian message format for delete/duplicate actions (5662)
• Remove unnecessary import of bind_unix_socket (5666)
• Tooltip style scope fix (5672)

Thank you to all the contributors:

• Dmitry Akatov
• Kevin Bates
• Magda Stenius

v6.1.1

Compare Source

• Prevent inclusion of requests_unixsocket on Windows (5650)

Thank you to all the contributors:

• Kevin Bates

v6.1.0

Compare Source

Please note that this repository is currently maintained by a skeleton
crew of maintainers from the Jupyter community. For our approach moving
forward, please see this
notice from the README.
Thank you.

Here is an enumeration of changes made since the last release and
included in 6.1.0.

• Remove deprecated encoding parameter for Python 3.9 compatibility. (5174)
• Add support for async kernel management (4479)
• Fix typo in password_required help message (5320)
• Gateway only: Ensure launch and request timeouts are in sync (5317)
• Update Markdown Cells example to HTML5 video tag (5411)
• Integrated LoginWidget into edit to enable users to logout from the t... (5406)
• Update message about minimum Tornado version (5222)
• Logged notebook type (5425)
• Added nl language (5354)
• Add UNIX socket support to notebook server. (4835)
• Update CodeMirror dependency (5198)
• Tree added download multiple files (5351)
• Toolbar buttons tooltip: show help instead of label (5107)
• Remove unnecessary import of requests_unixsocket (5451)
• Add ability to cull terminals and track last activity (5372)
• Code refactoring notebook.js (5352)
• Install terminado for docs build (5462)
• Convert notifications JS test to selenium (5455)
• Add cell attachments to markdown example (5412)
• Add Japanese document (5231)
• Migrate Move multiselection test to selenium (5158)
• Use cmdtrl-enter to run a cell (5120)
• Fix broken "Raw cell MIME type" dialog (5385)
• Make a notebook writable after successful save-as (5296)
• Add actual watch script (4738)
• Added --autoreload flag to NotebookApp (4795)
• Enable check_origin on gateway websocket communication (5471)
• Restore detection of missing terminado package (5465)
• Culling: ensure last_activity attr exists before use (5355)
• Added functionality to allow filter kernels by Jupyter Enterprise Gat... (5484)
• 'Play' icon for run-cell toolbar button (2922)
• Bump minimum version of jQuery to 3.5.0 (5491)
• Remove old JS markdown tests, add a new one in selenium (5497)
• Add support for more RTL languages (5036)
• Make markdown cells stay RTL in edit mode (5037)
• Unforce RTL output display (5039)
• Fixed multicursor backspacing (4880)
• Implemented Split Cell for multicursor (4824)
• Alignment issue [FIXED] (3173)
• MathJax: Support for \gdef (4407)
• Another (Minor) Duplicate Code Reduction (5316)
• Update readme regarding maintenance (5500)
• Document contents chunks (5508)
• Backspace deletes empty line (5516)
• The dropdown submenu at notebook page is not keyboard accessible (4732)
• Tooltips visible through keyboard navigation for specified buttons (4729)
• Fix for recursive symlink (4670)
• Fix for the terminal shutdown issue (4180)
• Add japanese translation files (4490)
• Workaround for socket permission errors on Cygwin (4584)
• Implement optional markdown header and footer files (4043)
• Remove double link when using custom_display_url (5544)
• Respect cell.is_editable during find-and-replace (5545)
• Fix exception causes all over the codebase (5556
• Improve login shell heuristics (5588)
• Added support for JUPYTER_TOKEN_FILE (5587)
• Kill notebook itself when server cull idle kernel (5593)
• Implement password hashing with bcrypt (3793)
• Fix broken links (5600)
• Russian internationalization support (5571)
• Add a metadata tag to override notebook direction (ltr/rtl) (5052)
• Paste two images from clipboard in markdown cell (5598)
• Add keyboard shortcuts to menu dropdowns (5525)
• Update codemirror to 5.56.0+components1 (5637)

Thank you to all the contributors:

• Aaron Myatt
• Adam Blake
• Afshin Taylor Darian
• Aman Bansal
• Ben Thayer
• berendjan
• Bruno P. Kinoshita
• bzinberg
• Christophe Cadilhac
• Daiki Katsuragawa
• David Lukes
• Dmitriy Q
• dmpe
• dylanzjy
• dSchurch
• E. M. Bray
• ErwinRussel
• Felix Mönckemeyer
• Grant Nestor
• Jarrad Whitaker
• Jesus Panales Castillo
• Joshua Zeltser
• Karthikeyan Singaravelan
• Kenichi Ito
• Kevin Bates
• Koki Nishihara
• Kris Wilson
• Kyle Kelley
• Laura Merlo
• levinxo
• Luciano Resende
• Luis Cabezon Manchado
• Madhusudhan Srinivasa
• Matthias Geier
• mattn
• Max Klein
• Min RK
• Mingxuan Lin
• Mohammad Mostafa Farzan
• Niko Felger
• Norah Abanumay
• Onno Broekmans
• PierreMB
• pinarkavak
• Ram Rachum
• Reece Hart
• Remi Rampin
• Rohit Sanjay
• Shane Canon
• Simon Li
• Steinar Sturlaugsson
• Steven Silvester
• taohan16
• Thew Dhanat
• Thomas Kluyver
• Toon Baeyens
• Vidar Tonaas Fauske
• Zachary Sailer

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.