It was reported [1],[2] that IPython's Notebook server suffered from a flaw where it did not verify the origin of websocket requests. An attacker with knowledge of the IPython kernel ID could run arbitrary code on a user's machine with the privileges of the user running the IPython Notebook server, if the client visited a crafted malicious page. This was corrected upstream [3] in the 2.0.0 release [4]. Further details on the flaw were also published [5]. The report indicates that versions 0.12 through to the fixed 2.0.0 release are vulnerable to this flaw. As a result, the version of IPython shipped with EPEL5 (0.8.4) is not vulnerable to this issue as the vulnerable websocket code is not present.

[1] http://openwall.com/lists/oss-security/2014/07/15/2
[2] http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
[3] https://github.com/ipython/ipython/pull/4845
[4] http://ipython.org/ipython-doc/stable/whatsnew/github-stats-2.0.html
[5] http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
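To make the missing check concrete, here is an added example (my own code, not IPython's and not the upstream fix) of the origin validation a websocket upgrade handler needs: the Origin header must name the same scheme, host and port as the Host the page was served from, or an explicit allow-list entry, and anything absent or unparsable fails closed. The function names and the sample headers are assumptions.

```python
from urllib.parse import urlsplit

# Default ports, so "https://nb.example" and "https://nb.example:443" compare equal.
_DEFAULT_PORT = {"http": 80, "ws": 80, "https": 443, "wss": 443}


def _origin_identity(origin):
    """Return (tls?, host, port) for an Origin-style value, or None if unusable."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in _DEFAULT_PORT or not parts.hostname:
        return None            # "null", relative or garbage values fail closed
    try:
        port = parts.port or _DEFAULT_PORT[parts.scheme]
    except ValueError:         # e.g. "http://localhost:8888.evil.example"
        return None
    return (parts.scheme in ("https", "wss"), parts.hostname.lower(), port)


def websocket_origin_allowed(headers, server_is_tls, allowed_origins=()):
    """Decide whether a websocket upgrade request may proceed.

    headers: request headers as a dict (any key case); server_is_tls: whether this
    server speaks HTTPS; allowed_origins: extra exact origins to permit (e.g. a
    separate front-end host). Only an Origin that matches the Host the page was
    served from, or an explicit allow-list entry, is accepted; comparison is on
    the whole (scheme, host, port) triple, never a string prefix.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin, host = lowered.get("origin"), lowered.get("host")
    if not origin or not host:
        return False           # browsers always send Origin on upgrades: fail closed
    ident = _origin_identity(origin)
    if ident is None:
        return False
    expected = _origin_identity(("https://" if server_is_tls else "http://") + host)
    if expected is not None and ident == expected:
        return True
    return any(ident == _origin_identity(a) for a in allowed_origins)


# Constructed sample: a browser on a third-party page opening a websocket to a
# notebook server bound to the loopback address (hypothetical headers).
SAMPLE_CROSS_ORIGIN_UPGRADE = {"Host": "127.0.0.1:8888",
                               "Origin": "http://other-site.example",
                               "Upgrade": "websocket"}

if __name__ == "__main__":
    print(websocket_origin_allowed(SAMPLE_CROSS_ORIGIN_UPGRADE, server_is_tls=False))
```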
Created ipython tracking bugs for this issue:
Affects: fedora-all [bug 1119891]
Affects: epel-6 [bug 1119892]
Are CVEs handled specially in bodhi, so that this bug doesn't get closed/modified just yet, although this bug is used in the update: https://admin.fedoraproject.org/updates/ipython-0.13.2-4.fc20 ? I'd expect a comment about the update, but maybe this bug must be closed manually, once the dependent bugs are properly closed automatically?
There is. Comment is added here only when update is pushed to stable, not when it's submitted or pushed to testing. Bug status is not changed by Bodhi at all.
Thanks for the excellent response. Note: This was also backported for the 1.x series in 1.2.
ipython-0.13.2-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
ipython-0.13.2-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.