Bugzilla – Bug 887577
VUL-0: IPython: CVE-2014-3429: ipython: cross-domain websocket hijacking vulnerability
Last modified: 2016-04-27 19:30:23 UTC
CVE-2014-3429

It was reported that IPython's Notebook server suffered from a flaw where it did not verify the origin of websocket requests. An attacker with knowledge of the IPython kernel ID could run arbitrary code on a user's machine with the privileges of the user running the IPython Notebook server, if the client visited a crafted malicious page. This was corrected upstream in the 2.0.0 release.

References:
http://openwall.com/lists/oss-security/2014/07/15/2
https://github.com/ipython/ipython/pull/4845
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
https://bugzilla.redhat.com/show_bug.cgi?id=1119890
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429
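The missing control described above is a same-origin check on the WebSocket upgrade. The following is an added illustration of such a check, not IPython's own fix from pull request 4845; the helper name `websocket_origin_allowed`, the `audit` function and the sample header sets are constructed for this example.

```python
from urllib.parse import urlsplit


def websocket_origin_allowed(headers, allow_missing_origin=False):
    """Decide whether a WebSocket upgrade request may reach a kernel channel.

    headers: mapping of request headers (matched case-insensitively).
    allow_missing_origin: accept scripted clients that send no Origin header.
    Returns True only when the browser-supplied Origin names the same
    host:port as the Host header the request was addressed to.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    host = h.get("host", "")
    origin = h.get("origin")
    if not host:
        return False
    if origin is None:
        # Browsers always send Origin on an upgrade; only non-browser
        # clients omit it, so accepting them is a deployment decision.
        return allow_missing_origin
    if origin.lower() == "null":
        # Opaque origin (sandboxed frame, file://): never treat as trusted.
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # Exact host:port comparison; a prefix match would let
    # "localhost:8888.example" through.
    return parts.netloc.lower() == host.lower()


# Constructed sample upgrade requests: a legitimate notebook tab, and a
# page served from another origin trying to open the same kernel websocket.
SAME_ORIGIN = {"Host": "localhost:8888", "Origin": "http://localhost:8888"}
CROSS_ORIGIN = {"Host": "localhost:8888", "Origin": "http://evil.example"}


def audit(requests):
    """Return the Origin values of the requests the check would reject."""
    return [r.get("Origin") for r in requests if not websocket_origin_allowed(r)]


if __name__ == "__main__":
    print(audit([SAME_ORIGIN, CROSS_ORIGIN]))  # ['http://evil.example']
```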
bugbot adjusting priority
Affected packages: SLE-11-SP3: IPython
SLE11 is in fact not affected, because its IPython 0.8.4 does not have the Notebook feature. SLE12 is fixed in SR 42488. openSUSE 12.3 and 13.1 are affected; Factory has a fixed version already.
12.3 and 13.1 fixed, handing over to security
This is an autogenerated message for OBS integration:
This bug (887577) was mentioned in
https://build.opensuse.org/request/show/244254 12.3 / IPython
https://build.opensuse.org/request/show/244257 13.1 / IPython
openSUSE-SU-2014:1060-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 887577
CVE References: CVE-2014-3429
Sources used:
openSUSE 13.1 (src): IPython-0.13.1-4.4.1, IPython-1.0.0-2.4.3, python-pyzmq-13.0.0-4.4.1
openSUSE 12.3 (src): IPython-0.13.1-4.4.1, python3-IPython-0.13.1-4.4.1
was released