Security update for python-notebook SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0231-1 Final 1 1 2024-08-02T10:51:39Z current 2024-08-02T10:51:39Z 2024-08-02T10:51:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-notebook This update for python-notebook fixes the following issues: - Update to 5.7.11 * sanitizer fix CVE-2021-32798 (boo#1227583) - Update to 5.7.10 * no upstream changelog - Update to 5.7.9 * Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) * Update from preact to React The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-231 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGXYA34Z6RRQFK6OU2VOIH22CODOT5ES/ E-Mail link for openSUSE-SU-2024:0231-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227583 SUSE Bug 1227583 https://www.suse.com/security/cve/CVE-2019-11358/ SUSE CVE CVE-2019-11358 page https://www.suse.com/security/cve/CVE-2021-32798/ SUSE CVE CVE-2021-32798 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 jupyter-notebook-5.7.11-bp156.4.3.1 jupyter-notebook-doc-5.7.11-bp156.4.3.1 jupyter-notebook-lang-5.7.11-bp156.4.3.1 jupyter-notebook-latex-5.7.11-bp156.4.3.1 python3-notebook-5.7.11-bp156.4.3.1 python3-notebook-lang-5.7.11-bp156.4.3.1 jupyter-notebook-5.7.11-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 jupyter-notebook-doc-5.7.11-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 jupyter-notebook-lang-5.7.11-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 jupyter-notebook-latex-5.7.11-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 python3-notebook-5.7.11-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 python3-notebook-lang-5.7.11-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 jupyter-notebook-5.7.11-bp156.4.3.1 as a component of openSUSE Leap 15.6 jupyter-notebook-doc-5.7.11-bp156.4.3.1 as a component of openSUSE Leap 15.6 jupyter-notebook-lang-5.7.11-bp156.4.3.1 as a component of openSUSE Leap 15.6 jupyter-notebook-latex-5.7.11-bp156.4.3.1 as a component of openSUSE Leap 15.6 python3-notebook-5.7.11-bp156.4.3.1 as a component of openSUSE Leap 15.6 python3-notebook-lang-5.7.11-bp156.4.3.1 as a component of openSUSE Leap 15.6 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. CVE-2019-11358 SUSE Package Hub 15 SP6:jupyter-notebook-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:jupyter-notebook-doc-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:jupyter-notebook-lang-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:jupyter-notebook-latex-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:python3-notebook-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:python3-notebook-lang-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-doc-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-lang-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-latex-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:python3-notebook-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:python3-notebook-lang-5.7.11-bp156.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGXYA34Z6RRQFK6OU2VOIH22CODOT5ES/ https://www.suse.com/security/cve/CVE-2019-11358.html CVE-2019-11358 The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs. CVE-2021-32798 SUSE Package Hub 15 SP6:jupyter-notebook-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:jupyter-notebook-doc-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:jupyter-notebook-lang-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:jupyter-notebook-latex-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:python3-notebook-5.7.11-bp156.4.3.1 SUSE Package Hub 15 SP6:python3-notebook-lang-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-doc-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-lang-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:jupyter-notebook-latex-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:python3-notebook-5.7.11-bp156.4.3.1 openSUSE Leap 15.6:python3-notebook-lang-5.7.11-bp156.4.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGXYA34Z6RRQFK6OU2VOIH22CODOT5ES/ https://www.suse.com/security/cve/CVE-2021-32798.html CVE-2021-32798 https://bugzilla.suse.com/1227583 SUSE Bug 1227583