docs/source/changelog.rst
2 additions & 2 deletions
@@ -31,21 +31,21 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
31
31
- Further improve compatibility with tornado 6 with improved
32
32
checks for when websockets are closed.
33
33
- Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.
34
+
- Fix Open Redirect vulnerability where certain malicious URLs could redirect from the Jupyter login page to a malicious site after a successful login. A CVE has been requested for this vulnerability.
34
35
35
36
.. _release-5.7.6:
36
37
37
38
5.7.6
38
39
-----
39
40
40
-
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
41
+
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019–9644),
41
42
where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server.
42
43
The fix involves setting the ``X-Content-Type-Options: nosniff``
43
44
header, and applying CSRF checks previously on all non-GET
44
45
API requests to GET requests to API endpoints and the /files/ endpoint.
45
46
46
47
The attacking page is able to access some contents of files when using Internet Explorer through script errors,
47
48
but this has not been demonstrated with other browsers.
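Review bot: the identifier added to the 5.7.6 paragraph, ``CVE-2019–9644``, is written with an en-dash (U+2013) rather than an ASCII hyphen, so it will not match the CVE string used in advisories and trackers or resolve when linked; it should read CVE-2019-9644. In the same hunk, the new open-redirect bullet is one unwrapped line while the neighbouring entries wrap at roughly 80 columns, so wrap it to match the file's style, and since the entry names neither the affected endpoint nor the fixing change, add a pointer to the fix (and the CVE identifier once it is assigned, in the same form as the 5.7.6 entry) so downstream packagers can cross-reference it.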