changelog for redirect check
and update cve for 5.7.6
minrk committed Mar 27, 2019
1 parent b9d9e65 commit d65328d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/source/changelog.rst
Expand Up @@ -31,21 +31,21 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
- Further improve compatibility with tornado 6 with improved
checks for when websockets are closed.
- Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.
- Fix Open Redirect vulnerability where certain malicious URLs could redirect from the Jupyter login page to a malicious site after a successful login. A CVE has been requested for this vulnerability.

.. _release-5.7.6:

5.7.6
-----

5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019–9644),
where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server.
The fix involves setting the ``X-Content-Type-Options: nosniff``
header, and applying CSRF checks previously on all non-GET
API requests to GET requests to API endpoints and the /files/ endpoint.

The attacking page is able to access some contents of files when using Internet Explorer through script errors,
but this has not been demonstrated with other browsers.
A CVE has been requested for this vulnerability.

.. _release-5.7.5:

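Review bot: now that the rewritten 5.7.6 paragraph names CVE-2019–9644, the unchanged context line two lines below it in the same section, "A CVE has been requested for this vulnerability.", is stale and should be removed or reworded to refer to the assigned ID; as it stands the section both names the CVE and says one is still pending. Separately, the identifier in the added line is written with an en-dash ("2019–9644") rather than an ASCII hyphen, so it will not match the canonical form "CVE-2019-9644" in searches or automatic CVE linking; retype it with plain hyphens. The new 5.7.7 entry's "A CVE has been requested" sentence will need the same follow-up once its ID is assigned.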