@@ -21,6 +21,21 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
2121 Use ``pip install pip --upgrade `` to upgrade pip. Check pip version with
2222 ``pip --version ``.
2323
24+ .. _release-5.7.6 :
25+
26+ 5.7.6
27+ -----
28+
29+ 5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
30+ where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server.
31+ The fix involves setting the ``X-Content-Type-Options: nosniff ``
32+ header, and applying CSRF checks previously on all non-GET
33+ API requests to GET requests to API endpoints and the /files/ endpoint.
34+
35+ The attacking page is able to access some contents of files when using Internet Explorer through script errors,
36+ but this has not been demonstrated with other browsers.
37+ A CVE has been requested for this vulnerability.
38+
2439.. _release-5.7.5 :
2540
26415.7.5
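Review bot: the sentence "applying CSRF checks previously on all non-GET API requests to GET requests to API endpoints and the /files/ endpoint" (lines 32-33 of the new block) is hard to parse; suggest "and extending the CSRF checks, which previously applied only to non-GET API requests, to GET requests to API endpoints and the ``/files/`` endpoint." Because the entry announces a behaviour change, it should also state the user-visible impact: with ``X-Content-Type-Options: nosniff`` set, browsers no longer guess a MIME type for responses served with a missing or generic Content-Type, and GET requests to the API or ``/files/`` that fail the CSRF check are now rejected, which can affect scripts or pages that loaded those URLs from another site. Finally, "A CVE has been requested for this vulnerability." will go stale; add a note to update the entry with the CVE identifier once it is assigned.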