changelog for redirect check

and update cve for 5.7.6
pull/5439/head
Min RK 7 years ago
parent 70fe9f0ddb
commit 5bc968c8d6

@ -31,13 +31,14 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
- Further improve compatibility with tornado 6 with improved
checks for when websockets are closed.
- Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.
- Fix Open Redirect vulnerability where certain malicious URLs could redirect from the Jupyter login page to a malicious site after a successful login. A CVE has been requested for this vulnerability.
.. _release-5.7.6:
5.7.6
-----
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-20199644),
where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server.
The fix involves setting the ``X-Content-Type-Options: nosniff``
header, and applying CSRF checks previously on all non-GET
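Review bot: the identifier added on the new 5.7.6 summary line, "CVE-20199644", is missing the hyphen that separates year from sequence number in the CVE-YYYY-NNNN format; if the intended identifier is CVE-2019-9644, it should be written that way so links and scanners resolve it. The surrounding hunk is otherwise consistent: the unreleased section's new open-redirect entry still says "A CVE has been requested for this vulnerability", which is correct while that second issue has no identifier assigned, and the old 5.7.6 line without the CVE is dropped in favour of the new one.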
@ -45,7 +46,6 @@ API requests to GET requests to API endpoints and the /files/ endpoint.
The attacking page is able to access some contents of files when using Internet Explorer through script errors,
but this has not been demonstrated with other browsers.
A CVE has been requested for this vulnerability.
.. _release-5.7.5:
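Review bot: dropping "A CVE has been requested for this vulnerability." here is the right companion to naming the identifier on the 5.7.6 summary line above, so the XSSI entry no longer carries a stale placeholder; the remaining sentences ("The attacking page is able to access some contents of files when using Internet Explorer through script errors, but this has not been demonstrated with other browsers.") still read as a complete paragraph before the ``.. _release-5.7.5:`` target.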