| Name | CVE-2018-8768 |
| Description | In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2432-1 |
| Debian Bugs | 893436 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| ipython (PTS) | jessie, jessie (lts) | 2.3.0-2+deb8u1 | vulnerable |
| stretch (security), stretch (lts), stretch | 5.1.0-3+deb9u1 | fixed |
| buster (security), buster, buster (lts) | 5.8.0-1+deb10u1 | fixed |
| bullseye (security), bullseye | 7.20.0-1+deb11u1 | fixed |
| bookworm | 8.5.0-4 | fixed |
| sid, trixie | 8.20.0-1 | fixed |
| jupyter-notebook (PTS) | stretch (security), stretch (lts), stretch | 4.2.3-4+deb9u2 | fixed |
| buster | 5.7.8-1 | fixed |
| bullseye | 6.2.0-1 | fixed |
| bookworm | 6.4.12-2.2 | fixed |
| sid, trixie | 6.4.13-2 | fixed |
The information below is based on the following data on fixed versions.
Notes
[jessie] - ipython <no-dsa> (Minor issue)
[wheezy] - ipython <ignored> (Too invasive to fix)
After the reupload of ipython to Debian as 4.1.2-1 via experimental
src:ipython does not provide anymore the Notebook
https://www.openwall.com/lists/oss-security/2018/03/15/2
Fixed by: https://github.com/jupyter/notebook/commit/4e79ebb49acac722b37b03f1fe811e67590d3831
Ipython in Wheezy lacks sanitization of untrusted HTML completely
which means in theory this CVE does not apply. However due to the absence of
sanitization it is recommended not to use Ipython's notebook with untrusted
content. This issue is no-dsa because it cannot be determined if Ipython
in Wheezy is still affected, a fix appears to be to intrusive though. We recommend to
upgrade to a newer version instead.