CVE-2019-10255

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

- Fix regression in restarting kernels in 5.7.5. The restart handler
would return before restart was completed.
- Further improve compatibility with tornado 6 with improved checks
for when websockets are closed.
- Fix regression in 5.7.6 on Windows where .js files could have the
wrong mime-type.
- Fix Open Redirect vulnerability (CVE-2019-10255) where certain
malicious URLs could redirect from the Jupyter login page to a
malicious site after a successful login. 5.7.7 contained only a
partial fix for this issue.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10255
• https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c
• https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a8ed
• https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b
• https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
• https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4
• https://lists.fedoraproject.org/archives/list/[email protected]/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/