[IPython-dev] Vulnerability in IPython Notebook ≤ 1.1

Kyle Kelley rgbkrk at gmail.com
Fri Jul 18 18:37:24 EDT 2014


Julian,

I agree. One hard lesson we've learned on this is that we should have sent
a notice to oss-security first, to disseminate straight to package
maintainers (it was good to see the fast response). Going through MITRE
directly was letting it languish. We should have done a better job
communicating this and timed it right with the release of 1.2. The CVE
process was new to everyone on the team.

Would you like to help us with this in the future?

Regards,

Kyle Kelley


On Wed, Jul 16, 2014 at 1:19 PM, Julian Taylor <jtaylor.debian at googlemail.com> wrote:

> Why wasn't this disclosed on the appropriate channels 6 months ago when
> it was fixed?
> It didn't even get a proper changelog entry nor did distribution
> maintainers get informed at all.
>
> Remote execution on localhost notebooks is really really bad, even if
> you do need the kernel id.
> This should have been posted to oss-security at the latest when 1.2.0
> was released ...
>
> On 14.07.2014 17:20, Kyle Kelley wrote:
> > Whoops!
> >
> > Correction, CVE ID was truncated. It should read:
> >
> > The CVE ID is CVE-2014-3429
> > (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429).
> >
> >
> >
> > On Sun, Jul 13, 2014 at 3:56 PM, Kyle Kelley <rgbkrk at gmail.com
> > <mailto:rgbkrk at gmail.com>> wrote:
> >
> >     Everyone,
> >
> >     On IPython ≤ 1.1, a remote site could have exploited a vulnerability
> >     in cross origin websocket handling to execute code on an IPython
> >     kernel, with knowledge of the kernel id (which requires user
> >     intervention).
> >
> >     This vulnerability was patched
> >     in https://github.com/ipython/ipython/pull/4845 and reported to the
> >     CVE (Common Vulnerabilities and Exposure) database.
> >
> >     Summary given to the CVE database: The origin of websocket requests
> >     was not verified within the IPython notebook server. If an attacker
> >     has knowledge of an IPython kernel id they can run arbitrary code on
> >     a user's machine when the client visits a crafted malicious page.
> >
> >     The CVE ID is CVE-2014-342
> >     (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-342).
> >
> >     If you were at SciPy and watched the final round of lightning talks,
> >     you already know about this vulnerability (as much as you can within
> >     a 5 minute talk that is).
> >
> >     I wrote a more detailed explanation
> >     at http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
> >
> >     Feel free to ask us (the IPython team) any questions!
> >
> >     Regards,
> >
> >     Kyle Kelley
> >
> >
> >
> >
> > _______________________________________________
> > IPython-dev mailing list
> > IPython-dev at scipy.org
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
> >
>
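The bug class described in the thread (the notebook server did not verify the Origin of websocket upgrade requests, so a crafted page could reach a local kernel if it knew the kernel id) can be shown in a few dozen lines. The following is an added example, not code from IPython, from the pull request, or from the linked write-up: it models a handshake as a dict of request headers, puts the pre-fix "accept any origin" behaviour beside a hardened same-origin check, and simulates the server's decision for a kernel channel. The function names, the `allow_origin` parameter, the sample headers and the kernel id are all constructed for this illustration; the choice to accept a handshake with no Origin header (non-browser clients) is a design assumption stated in the code, not a claim about IPython's own policy.

```python
"""Added example: same-origin check for a WebSocket upgrade, stdlib only.

Not IPython's code. Pre-fix, the notebook server accepted the websocket
upgrade regardless of which page opened it, so a malicious site that knew a
kernel id could connect to the local kernel channels from the victim's
browser and submit code to execute. The hardened check compares the Origin
header the browser attaches to the handshake against the Host the server is
being addressed as: scheme, host and port must all match.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(scheme, netloc):
    """Normalise 'host[:port]' to (host, port), filling in the scheme's default."""
    host, sep, port = netloc.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return netloc.lower(), DEFAULT_PORTS[scheme]


def vulnerable_check_origin(headers, server_scheme="http", allow_origin=None):
    """Pre-fix behaviour: the upgrade is accepted from any page."""
    return True


def hardened_check_origin(headers, server_scheme="http", allow_origin=None):
    """Accept the upgrade only for same-origin pages (or an explicit allow_origin).

    A missing Origin header is accepted: browsers always send Origin on a
    WebSocket handshake, so its absence indicates a non-browser client that a
    third-party web page cannot drive (design assumption of this example).
    """
    origin = headers.get("Origin")
    if origin is None:
        return True
    if allow_origin is not None and allow_origin in ("*", origin):
        return True
    parts = urlsplit(origin)
    # 'null', file:// and malformed values never match the notebook's origin.
    if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
        return False
    host_header = headers.get("Host")
    if not host_header:
        return False
    return (parts.scheme == server_scheme
            and _host_port(parts.scheme, parts.netloc)
            == _host_port(server_scheme, host_header))


def handle_upgrade(headers, kernel_id, known_kernels, check=hardened_check_origin):
    """Simulate the server's decision for a handshake on a kernel channel.

    Returns the HTTP status it would answer with: 404 for an unknown kernel
    id, 403 when the origin check fails, 101 when the websocket is opened.
    """
    if kernel_id not in known_kernels:
        return 404
    if not check(headers):
        return 403
    return 101


# Constructed sample handshakes (hypothetical kernel id, not captured traffic).
KERNEL_ID = "8b2c1f3e-0000-4000-8000-000000000000"
KNOWN_KERNELS = {KERNEL_ID}
SAME_ORIGIN = {"Host": "127.0.0.1:8888", "Origin": "http://127.0.0.1:8888"}
EVIL_PAGE = {"Host": "127.0.0.1:8888", "Origin": "http://evil.example"}
NO_ORIGIN = {"Host": "127.0.0.1:8888"}  # e.g. a command-line websocket client

if __name__ == "__main__":
    for name, check in (("vulnerable", vulnerable_check_origin),
                        ("hardened", hardened_check_origin)):
        print(name, "evil page with valid kernel id ->",
              handle_upgrade(EVIL_PAGE, KERNEL_ID, KNOWN_KERNELS, check))
    print("hardened, same-origin page ->",
          handle_upgrade(SAME_ORIGIN, KERNEL_ID, KNOWN_KERNELS))
```

Running the block shows the point of the thread: with the pre-fix check the attacker's page gets 101 as long as it supplies a valid kernel id, so the id is the only secret standing between a random website and code execution; with the hardened check the same handshake gets 403, while the notebook's own page and non-browser clients are unaffected. The check is deliberately strict: `http://localhost:8888` does not match a server addressed as `127.0.0.1:8888`, and an https Origin does not match an http server, so anyone deploying such a check should expect to configure an explicit `allow_origin` for reverse-proxied or aliased deployments rather than loosen the comparison.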