Bug 1119890 (CVE-2014-3429) - CVE-2014-3429 ipython: cross-domain websocket hijacking vulnerability
Summary: CVE-2014-3429 ipython: cross-domain websocket hijacking vulnerability
Status: CLOSED ERRATA
Alias: CVE-2014-3429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140121,repor...
Keywords: Security
Depends On: 1119891 1119892
Blocks:
Reported: 2014-07-15 18:34 UTC by Vincent Danen
Modified: 2014-10-01 07:49 UTC (History)
Last Closed: 2014-07-28 19:54:37 UTC



Description Vincent Danen 2014-07-15 18:34:49 UTC
It was reported [1],[2] that IPython's Notebook server suffered from a flaw where it did not verify the origin of websocket requests.  An attacker with knowledge of the IPython kernel ID could run arbitrary code on a user's machine with the privileges of the user running the IPython Notebook server, if the client visited a crafted malicious page.  This was corrected upstream [3] in the 2.0.0 release [4].  Further details on the flaw were also published [5].

The report indicates that versions 0.12 through to the fixed 2.0.0 release are vulnerable to this flaw.  As a result, the version of IPython shipped with EPEL5 (0.8.4) is not vulnerable to this issue as the vulnerable websocket code is not present.


[1] http://openwall.com/lists/oss-security/2014/07/15/2
[2] http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
[3] https://github.com/ipython/ipython/pull/4845
[4] http://ipython.org/ipython-doc/stable/whatsnew/github-stats-2.0.html
[5] http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
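
As an added illustration (not part of the bug report and not IPython's own code), the check whose absence the description reports can be sketched as a same-origin test on the WebSocket handshake headers, shown beside the unchecked behaviour. The function names, the refuse-when-missing policy and the sample headers are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _triple(scheme, netloc):
    """Normalise to (scheme, host, port); ValueError if it is not http(s)."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme")
    parts = urlsplit(f"{scheme}://{netloc}")
    if not parts.hostname:
        raise ValueError("missing host")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]

def accept_any(headers):
    """Behaviour the report describes: the Origin header is never consulted."""
    return True

def origin_allowed(headers, allowed_origins=(), tls=False):
    """Same-origin check for a WebSocket upgrade request.

    headers: handshake headers as a dict; allowed_origins: extra origins the
    operator explicitly trusts; tls: whether the server itself speaks HTTPS.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin, host = h.get("origin"), h.get("host")
    # Policy assumed for this example: no Origin or no Host means refuse.
    if not origin or not host:
        return False
    if origin in allowed_origins:
        return True
    try:
        o = urlsplit(origin)
        return _triple(o.scheme, o.netloc) == _triple("https" if tls else "http", host)
    except ValueError:  # "null", file://, malformed host or port
        return False

# Constructed handshake headers (not captured traffic).
SAME_ORIGIN = {"Host": "localhost:8888", "Origin": "http://localhost:8888"}
CROSS_ORIGIN = {"Host": "localhost:8888", "Origin": "http://attacker.example"}

if __name__ == "__main__":
    for name, hdrs in (("same", SAME_ORIGIN), ("cross", CROSS_ORIGIN)):
        print(name, "unchecked:", accept_any(hdrs), "checked:", origin_allowed(hdrs))
```
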

Comment 1 Vincent Danen 2014-07-15 18:38:13 UTC
Created ipython tracking bugs for this issue:

Affects: fedora-all [bug 1119891]
Affects: epel-6 [bug 1119892]

Comment 2 Thomas Spura 2014-07-15 20:05:25 UTC
Are CVEs handled specially in bodhi, so that this bug doesn't get closed/modified just yet, although this bug is used in the update:
https://admin.fedoraproject.org/updates/ipython-0.13.2-4.fc20

?


I'd expect a comment about the update, but maybe this bug must be closed manually, once the dependent bugs are properly closed automatically?

Comment 3 Tomas Hoger 2014-07-15 21:01:37 UTC
There is.  Comment is added here only when update is pushed to stable, not when it's submitted or pushed to testing.  Bug status is not changed by Bodhi at all.

Comment 4 Kyle Kelley 2014-07-17 15:23:04 UTC
Thanks for the excellent response.

Note: This was also backported for the 1.x series in 1.2.

Comment 5 Fedora Update System 2014-07-25 10:01:50 UTC
ipython-0.13.2-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-07-25 10:06:02 UTC
ipython-0.13.2-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

