Bug 1180458 - (CVE-2020-26215) VUL-0: CVE-2020-26215: python-notebook, python-jupyter_notebook: open redirect vulnerability
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/272017/
Depends on:
Blocks:
Reported: 2020-12-30 15:35 UTC by Wolfgang Frisch
Modified: 2021-01-28 13:56 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2020-12-30 15:35:50 UTC
CVE-2020-26215

Jupyter Notebook before version 6.1.5 has an open redirect vulnerability. A
maliciously crafted link to a notebook server could redirect the browser to a
different website. All notebook servers are technically affected; however, these
maliciously crafted links can only be reasonably made for known notebook server
hosts. A link to your notebook server may appear safe, but ultimately redirect
to a spoofed server on the public internet. The issue is patched in version
6.1.5.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26215
https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26215
https://github.com/jupyter/notebook/commit/3cec4bbe21756de9f0c4bccf18cf61d840314d74
https://lists.debian.org/debian-lts-announce/2020/12/msg00004.html
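The description above is the generic open-redirect pattern: a redirect target taken from the request (typically a "next" parameter after login) is handed to the browser without checking that it stays on the notebook server's own origin. The following is an added example written for this page, not the upstream jupyter/notebook fix from the referenced commit and not code from the bug reporters: a defensive validator for such targets. The function names, the base_url parameter (modelled on a server-side URL prefix) and the sample inputs are assumptions. It goes slightly beyond a plain scheme/host check because browsers also resolve "///host" and "/\host" to a foreign host, which urlsplit alone does not flag.

```python
from urllib.parse import urlsplit

# Constructed example: a defensive check for "next"/redirect targets, written
# for this page; it is NOT the upstream jupyter/notebook fix. Function names,
# the base_url parameter and the sample inputs below are assumptions.


def is_local_redirect(target, base_url="/"):
    """Return True only if ``target`` is a same-origin, absolute-path reference
    under ``base_url`` (e.g. a server's URL prefix such as "/" or "/hub/").

    Rejects anything a browser would resolve to another host: full URLs with a
    scheme, network-path references ("//host", "///host"), the backslash
    variant ("/\\host", which browsers normalise to "//host"), and targets
    carrying control characters.
    """
    if not isinstance(target, str):
        return False
    # Browsers strip leading/trailing whitespace before parsing; do the same so
    # " //host" is not mistaken for a harmless non-slash-prefixed string.
    target = target.strip()

    # Exactly one leading slash: "/path". A second "/" or "\" would make the
    # browser read what follows as a host name.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return False

    # Belt and braces: the parser must find neither a scheme nor an authority.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False

    # CR, LF, tab and other control characters do not belong in a Location
    # header value (checked on the raw string, since newer urlsplit versions
    # silently drop some of them).
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False

    # Stay inside the server's own URL prefix.
    return target.startswith(base_url)


def safe_redirect_target(requested, base_url="/"):
    """Pick the URL a login/redirect handler should actually send the browser
    to: the requested one if it passes the check, otherwise the server root."""
    if requested is not None and is_local_redirect(requested, base_url):
        return requested.strip()
    return base_url


if __name__ == "__main__":
    # Constructed sample inputs: the first group must be accepted, the rest
    # refused and replaced by the base URL.
    accepted = ["/tree", "/notebooks/a.ipynb?x=1", "/tree?next=//x.example"]
    refused = ["//x.example/tree", "///x.example", "/\\x.example",
               "https://x.example/", "javascript:alert(1)", " //x.example",
               "/tree\r\nSet-Cookie: a=b"]
    for t in accepted:
        assert safe_redirect_target(t) == t
    for t in refused:
        assert safe_redirect_target(t) == "/"
    print("all redirect checks passed")
```

The allow-list shape (accept only a path under the server's own prefix, fall back to the root otherwise) is the part that matters; trying to deny-list known-bad prefixes tends to miss the browser's lenient parsing of repeated slashes and backslashes. A handler that logs the refused values, rather than silently replacing them, also gives defenders a signal that crafted links are circulating for their host.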
Comment 1 Wolfgang Frisch 2020-12-30 18:26:30 UTC
openSUSE:Factory    python-notebook          Already fixed
openSUSE:Leap:15.2  python-notebook          Affected
openSUSE:Leap:15.1  python-jupyter_notebook  Affected
Comment 2 Markéta Machová 2021-01-04 14:08:40 UTC
Leap 15.1: https://build.opensuse.org/request/show/860211
Leap 15.2: https://build.opensuse.org/request/show/860208

Do I have to fix it in any other project?
Comment 3 Wolfgang Frisch 2021-01-04 14:36:41 UTC
(In reply to Markéta Machová from comment #2)
> Leap 15.1: https://build.opensuse.org/request/show/860211
> Leap 15.2: https://build.opensuse.org/request/show/860208
> 
> Do I have to fix it in any other project?

That should be all. Factory is already fixed.
Comment 4 Swamp Workflow Management 2021-01-07 20:16:17 UTC
openSUSE-SU-2021:0024-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180458
CVE References: CVE-2020-26215
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    python-notebook-5.7.8-lp152.2.3.1
Comment 5 Swamp Workflow Management 2021-01-16 14:28:41 UTC
openSUSE-SU-2021:0078-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180458
CVE References: CVE-2020-26215
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    python-jupyter_notebook-5.7.7-lp151.2.3.1
Comment 6 Swamp Workflow Management 2021-01-19 20:20:40 UTC
openSUSE-SU-2021:0117-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180458
CVE References: CVE-2020-26215
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    python-jupyter_notebook-5.7.7-bp151.3.3.1
Comment 7 Wolfgang Frisch 2021-01-28 13:56:31 UTC
Released.