Bug 1180458 (CVE-2020-26215)

Summary: VUL-0: CVE-2020-26215: python-notebook, python-jupyter_notebook: open redirect vulnerability
Product: [openSUSE] openSUSE Distribution
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mmachova, toddrme2178
Version: Leap 15.1
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/272017/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-12-30 15:35:50 UTC
CVE-2020-26215

Jupyter Notebook before version 6.1.5 has an open redirect vulnerability. A
maliciously crafted link to a notebook server could redirect the browser to a
different website. All notebook servers are technically affected, however, these
maliciously crafted links can only be reasonably made for known notebook server
hosts. A link to your notebook server may appear safe, but ultimately redirect
to a spoofed server on the public internet. The issue is patched in version
6.1.5.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26215
https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26215
https://github.com/jupyter/notebook/commit/3cec4bbe21756de9f0c4bccf18cf61d840314d74
https://lists.debian.org/debian-lts-announce/2020/12/msg00004.html
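The advisory above describes the vulnerability class but not the check that closes it. The following is an added example written for this page, not code from the Jupyter project or from the linked commit: a validator for a user-supplied post-login redirect target that only accepts an absolute path on the server's own origin under its base URL, and falls back to a default page otherwise. The function names, the `next` parameter name, the default landing page and the sample inputs are all assumptions.

```python
"""Validate a user-supplied redirect target before issuing a 302.

Added example (editor's code, not Jupyter's). Helper names, the 'next'
parameter, the default page and the sample inputs are assumptions.
"""
from urllib.parse import urlsplit


def is_safe_redirect(target: str, base_url: str = "/") -> bool:
    """True only if `target` is an absolute path on this origin under `base_url`."""
    if not target:
        return False
    # Whitespace and control characters give parsers and browsers room to disagree.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat '\' like '/' in URLs; reject instead of trying to normalise.
    if "\\" in target:
        return False
    # '//host', '///host', ... are resolved as a new authority by browsers even
    # when urlsplit() reports an empty netloc (as it does for '///host').
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Any scheme or authority component means the browser leaves this server.
    if parts.scheme or parts.netloc:
        return False
    # Only absolute paths, and only beneath the server's base URL.
    if not parts.path.startswith("/"):
        return False
    base = base_url if base_url.endswith("/") else base_url + "/"
    return (parts.path + "/").startswith(base)


def resolve_redirect(next_param: str, base_url: str = "/", default: str = "/tree") -> str:
    """Choose the Location header value: the validated target or the default page."""
    return next_param if is_safe_redirect(next_param, base_url) else default


# Constructed sample inputs (not taken from the advisory): values a login
# handler might receive in its 'next' parameter, with the expected decision.
SAMPLES = {
    "/tree": True,
    "/notebooks/demo.ipynb?x=1": True,
    "https://example.invalid/": False,   # absolute URL on another origin
    "//example.invalid/": False,         # protocol-relative, another origin
    "///example.invalid/": False,        # urlsplit sees a path; browsers see a host
    "/\\example.invalid/": False,        # backslash confusion
    "tree": False,                       # relative path, not anchored at '/'
    "javascript:alert(1)": False,        # a scheme, not a path
    "": False,
}

if __name__ == "__main__":
    for candidate, expected in SAMPLES.items():
        got = is_safe_redirect(candidate)
        assert got == expected, (candidate, got)
        print(f"{candidate!r:32} -> {resolve_redirect(candidate)}")
    print("all samples behaved as expected")
```

The design choice worth noting is that the check is an allow-list (absolute path under `base_url`) rather than a deny-list of known bad prefixes, and that it rejects before parsing for the forms where `urlsplit()` and a browser disagree about what is a host.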
Comment 1 Wolfgang Frisch 2020-12-30 18:26:30 UTC
openSUSE:Factory    python-notebook          Already fixed
openSUSE:Leap:15.2  python-notebook          Affected
openSUSE:Leap:15.1  python-jupyter_notebook  Affected
Comment 2 Markéta Machová 2021-01-04 14:08:40 UTC
Leap 15.1: https://build.opensuse.org/request/show/860211
Leap 15.2: https://build.opensuse.org/request/show/860208

Do I have to fix it in any other project?
Comment 3 Wolfgang Frisch 2021-01-04 14:36:41 UTC
(In reply to Markéta Machová from comment #2)
> Leap 15.1: https://build.opensuse.org/request/show/860211
> Leap 15.2: https://build.opensuse.org/request/show/860208
> 
> Do I have to fix it in any other project?

That should be all. Factory is already fixed.
Comment 4 Swamp Workflow Management 2021-01-07 20:16:17 UTC
openSUSE-SU-2021:0024-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180458
CVE References: CVE-2020-26215
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    python-notebook-5.7.8-lp152.2.3.1
Comment 5 Swamp Workflow Management 2021-01-16 14:28:41 UTC
openSUSE-SU-2021:0078-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180458
CVE References: CVE-2020-26215
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    python-jupyter_notebook-5.7.7-lp151.2.3.1
Comment 6 Swamp Workflow Management 2021-01-19 20:20:40 UTC
openSUSE-SU-2021:0117-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180458
CVE References: CVE-2020-26215
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    python-jupyter_notebook-5.7.7-bp151.3.3.1
Comment 7 Wolfgang Frisch 2021-01-28 13:56:31 UTC
Released.