Changelog

jupyter-notebook (5.2.2-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting via untrusted notebook (LP: #1982670)
    - debian/patches/CVE-2018-19351.patch: Apply CSP sandboxing to nbconvert
      responses.
    - CVE-2018-19351
  * SECURITY UPDATE: Cross-site inclusion on malicious pages (LP: #1982670)
    - debian/patches/CVE-2019-9644-1.patch: Block cross-origin GET and HEAD
      requests with mismatched Referer.
    - debian/patches/CVE-2019-9644-2.patch: Add CSRF checks on files endpoints.
    - debian/patches/CVE-2019-9644-3.patch: Set X-Content-Type-Options: nosniff
      on all handlers for protecting non-script resources.
    - CVE-2019-9644
  * SECURITY UPDATE: Crafted link to login page redirects to malicious site
    (LP: #1982670)
    - debian/patches/CVE-2019-10255-1.patch: Parse URLs when validating redirect
      targets.
    - debian/patches/CVE-2019-10255-2.patch: Protect against Chrome mishandling
      backslashes as slashes in URLs.
    - debian/patches/CVE-2019-10255-3.patch: Handle empty netloc being
      interpreted as first path part being the netloc by buggy browsers.
    - CVE-2019-10255, CVE-2019-10856
  * SECURITY UPDATE: Cross-site scripting (LP: #1982670)
    - debian/patches/CVE-2018-21030-1.patch: Use CSP header to treat served
      files as belonging to a separate origin.
    - debian/patches/CVE-2018-21030-2.patch: Add a content_security_policy
      property instead of the CSP header.
    - CVE-2018-21030
  * SECURITY UPDATE: Crafted link to login page redirects to spoofed server
    (LP: #1982670)
    - debian/patches/CVE-2020-26215.patch: Validate redirect target in
      TrailingSlashHandler.
    - CVE-2020-26215
  * SECURITY UPDATE: Sensitive information disclosure leading to unauthorized
    access (LP: #1982670)
    - debian/patches/CVE-2022-24758.patch: Log only a non-sensitive subset of
      the headers when a HTTP 5xx error other than HTTP 502 is triggered.
    - CVE-2022-24758
  * Address Lintian warnings.

 -- Luís Infante da Câmara <email address hidden>  Sun, 28 Aug 2022 23:00:01 +0100
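
The three CVE-2019-10255 / CVE-2019-10856 patches listed above all harden one operation: deciding whether a `?next=` style login redirect may be followed. The validator below is an added illustration written for this page, not the notebook project's code or the text of those patches; `safe_redirect_target`, `base_url` and the sample targets are assumptions chosen to show each check the changelog names.

```python
from urllib.parse import urlparse


def safe_redirect_target(url, base_url="/", default=None):
    """Return `url` if it is a path on this server under `base_url`, else `default`.

    Each step corresponds to one of the patches named in the changelog:
      1. backslashes are percent-encoded before parsing, because Chrome treats
         '\\' like '/', so a raw '\\\\evil' would otherwise behave as '//evil';
      2. a target that still begins with '//' is refused even though the parser
         reports an empty netloc, since buggy browsers read '///evil/...' as
         a host named 'evil';
      3. the remainder is parsed rather than string-prefix-matched, and any
         scheme or host means an absolute (possibly cross-origin) URL.
    """
    if default is None:
        default = base_url
    if not url:
        return default
    # 1. Neutralise backslashes before any parsing (Chrome mishandling).
    url = url.replace("\\", "%5C")
    # 2. Scheme-relative or triple-slash targets are off-site or ambiguous.
    if url.startswith("//"):
        return default
    parsed = urlparse(url)
    # 3. Absolute URLs (scheme or netloc present) are never followed.
    if parsed.scheme or parsed.netloc:
        return default
    # Stay under base_url; the appended '/' keeps '/base' from matching '/basement'.
    if not (parsed.path + "/").startswith(base_url):
        return default
    return url


if __name__ == "__main__":
    # Constructed sample targets: the first two are allowed, the rest fall back.
    for target in ("/tree", "/base/tree", "http://evil.example/x",
                   "//evil.example/x", "///evil.example/x", "\\\\evil.example/x"):
        print(repr(target), "->", repr(safe_redirect_target(target, "/")))
```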
