Bugzilla – Bug 945828
VUL-1: CVE-2015-6938: ipython: XSS vulnerability due to local folder name used in HTML templates without escaping
Last modified: 2016-09-06 16:20:00 UTC
CVE-2015-6938

If you create a new folder in the iPython file browser and set JavaScript code as its name, the injected code will be executed. So, if I create a folder called "><img src=x onerror=alert(document.cookie)> and then access it, the cookies will be displayed in an alert. The XSS code is also executed if you access a link pointing directly at the folder.

Submissions:
3.x: https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892
4.0.x: https://github.com/jupyter/notebook/commit/dd9876381f0ef09873d8c5f6f2063269172331e3
4.x: https://github.com/jupyter/notebook/commit/35f32dd2da804d108a3a3585b69ec3295b2677ed

Affected versions: 0.12 <= version <= 4.0 (Note: the software changed name between 3.x and 4.0)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6938
http://seclists.org/oss-sec/2015/q3/544
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6938.html
bugbot adjusting priority
This will be fixed for the IPython package by OBS Request #333157 (currently pending for openSUSE:Factory).
This will be fixed for the python3-IPython package in OBS Request #333168 (currently pending for openSUSE:Factory).
This is fixed for python-jupyter_notebook by OBS Request #333154 (the package is still waiting for inclusion in openSUSE:Factory).
This is fixed for python3-jupyter_notebook by OBS Request #333151 (the package is still waiting for inclusion in openSUSE:Factory).
Which openSUSE releases should this be backported to, if any?
Hi, 13.1 and 13.2 please!
As I understand it, this update should be applied to openSUSE 13.1 and 13.2.
As this is a security issue, I've changed the needinfo to our security team. Thank you.
please submit?
Where do I submit it?
osc maintained IPython:
openSUSE:13.1:Update/IPython
openSUSE:13.2:Update/IPython
python3-IPython needs to be updated too.
Submit it also against openSUSE:13.1:Update and openSUSE:13.2:Update.
The submissions have been made. This can probably be closed once they are accepted.
This is an autogenerated message for OBS integration: This bug (945828) was mentioned in
https://build.opensuse.org/request/show/334380 13.2 / IPython
https://build.opensuse.org/request/show/334381 13.2 / python3-IPython
https://build.opensuse.org/request/show/334385 13.1 / IPython
openSUSE-SU-2015:1699-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 945828
CVE References: CVE-2015-6938
Sources used:
openSUSE 13.2 (src): IPython-2.2.0-2.5.1, python3-IPython-2.2.0-2.4.1
openSUSE 13.1 (src): IPython-1.0.0-2.7.1
What is the status of this? Can I delete the projects I submitted the patches from or are they still needed?
Seems OK and released.