Bug 1119890 (CVE-2014-3429)

Summary: CVE-2014-3429 ipython: cross-domain websocket hijacking vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dcantrell, jrusnack, mrunge, orion, rgbkrk, shahms, tomspur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ipython 2.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-28 19:54:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1119891, 1119892
Bug Blocks:

Description Vincent Danen 2014-07-15 18:34:49 UTC
It was reported [1],[2] that IPython's Notebook server suffered from a flaw where it did not verify the origin of websocket requests.  An attacker with knowledge of the IPython kernel ID could run arbitrary code on a user's machine with the privileges of the user running the IPython Notebook server, if the client visited a crafted malicious page.  This was corrected upstream [3] in the 2.0.0 release [4].  Further details on the flaw were also published [5].

The report indicates that versions 0.12 through to the fixed 2.0.0 release are vulnerable to this flaw.  As a result, the version of IPython shipped with EPEL5 (0.8.4) is not vulnerable to this issue, as the vulnerable websocket code is not present.


[1] http://openwall.com/lists/oss-security/2014/07/15/2
[2] http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
[3] https://github.com/ipython/ipython/pull/4845
[4] http://ipython.org/ipython-doc/stable/whatsnew/github-stats-2.0.html
[5] http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
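The flaw described above is the absence of a same-origin check on the WebSocket handshake: a page on another site, loaded in a browser that has a session with the local notebook server, could open the kernel's websocket and send execution requests. The following is an added illustration of the kind of check the fix class introduces (compare the browser-supplied Origin header with the Host the server is reached as, with an optional allow-list for proxied deployments); it is not IPython's own code from PR 4845, and the function names, the `allowed_origins` parameter and the sample handshake headers are assumptions constructed for this example.

```python
"""Same-origin check for a WebSocket upgrade request (illustrative example).

Not IPython's code. Models the defence for CVE-2014-3429: reject a
WebSocket handshake whose Origin does not match the server's own Host,
unless the origin was explicitly allow-listed by the operator.
"""
from urllib.parse import urlsplit


def _host_port(url):
    """Normalise 'scheme://host[:port]' to a (lowercase host, port) pair.

    Raises ValueError for anything that is not an http(s) origin, so that
    malformed or 'null' origins fall through to a rejection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) origin: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port  # .hostname is already lowercased


def origin_allowed(headers, request_scheme="http", allowed_origins=()):
    """Decide whether a WebSocket handshake may proceed.

    headers:          dict of request headers (looked up case-insensitively).
    request_scheme:   scheme the server is serving on; needed to apply the
                      default port to the Host header.
    allowed_origins:  assumed operator setting, full 'scheme://host[:port]'
                      values that are accepted in addition to same-origin
                      (for example the public name in front of a reverse proxy).
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a missing
        # header means a non-browser client, which is not subject to the
        # cross-site issue this check addresses.
        return True
    try:
        origin_hp = _host_port(origin)
        host_hp = _host_port("%s://%s" % (request_scheme, h.get("host", "")))
    except ValueError:
        return False  # malformed Origin or Host: fail closed
    if origin_hp == host_hp:
        return True
    for allowed in allowed_origins:
        try:
            if origin_hp == _host_port(allowed):
                return True
        except ValueError:
            continue  # ignore a mis-typed allow-list entry rather than open up
    return False


# Constructed sample handshakes (not captured traffic).
SAME_ORIGIN = {"Host": "localhost:8888", "Origin": "http://localhost:8888",
               "Upgrade": "websocket"}
CROSS_SITE = {"Host": "localhost:8888", "Origin": "http://other-site.example",
              "Upgrade": "websocket"}
NON_BROWSER = {"Host": "localhost:8888", "Upgrade": "websocket"}
PROXIED = {"Host": "localhost:8888", "Origin": "https://nb.example",
           "Upgrade": "websocket"}


def demo():
    """Return the decision for each constructed sample, keyed by name."""
    return {
        "same_origin": origin_allowed(SAME_ORIGIN),
        "cross_site": origin_allowed(CROSS_SITE),
        "non_browser": origin_allowed(NON_BROWSER),
        "proxied_denied": origin_allowed(PROXIED),
        "proxied_allowed": origin_allowed(PROXIED,
                                          allowed_origins=("https://nb.example",)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print("%-16s %s" % (name, "allow" if decision else "reject"))
```

The port comparison matters: `http://localhost` and `http://localhost:8888` are different origins, so a check that compares hostnames alone would still let a page served from another local port reach the kernel. Unparseable and `null` origins are rejected rather than ignored, and a typo in the allow-list cannot widen access because a bad entry is simply skipped.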

Comment 1 Vincent Danen 2014-07-15 18:38:13 UTC
Created ipython tracking bugs for this issue:

Affects: fedora-all [bug 1119891]
Affects: epel-6 [bug 1119892]

Comment 2 Thomas Spura 2014-07-15 20:05:25 UTC
Are CVEs handled specially in Bodhi, so that this bug doesn't get closed/modified just yet, although this bug is used in the update
https://admin.fedoraproject.org/updates/ipython-0.13.2-4.fc20
?


I'd expect a comment about the update, but maybe this bug must be closed manually, once the dependent bugs are properly closed automatically?

Comment 3 Tomas Hoger 2014-07-15 21:01:37 UTC
There is.  A comment is added here only when the update is pushed to stable, not when it's submitted or pushed to testing.  Bug status is not changed by Bodhi at all.

Comment 4 Kyle Kelley 2014-07-17 15:23:04 UTC
Thanks for the excellent response.

Note: This was also backported for the 1.x series in 1.2.

Comment 5 Fedora Update System 2014-07-25 10:01:50 UTC
ipython-0.13.2-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-07-25 10:06:02 UTC
ipython-0.13.2-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.