changelog for redirect check
and update cve for 5.7.6
minrk committed Mar 27, 2019
1 parent b9d9e65 commit d65328d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/source/changelog.rst
@@ -31,21 +31,21 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
- Further improve compatibility with tornado 6 with improved
checks for when websockets are closed.
- Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.
- Fix Open Redirect vulnerability where certain malicious URLs could redirect from the Jupyter login page to a malicious site after a successful login. A CVE has been requested for this vulnerability.

.. _release-5.7.6:

5.7.6
-----

5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019–9644),
where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server.
The fix involves setting the ``X-Content-Type-Options: nosniff``
header, and applying CSRF checks previously on all non-GET
API requests to GET requests to API endpoints and the /files/ endpoint.

The attacking page is able to access some contents of files when using Internet Explorer through script errors,
but this has not been demonstrated with other browsers.
A CVE has been requested for this vulnerability.

.. _release-5.7.5:

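Review bot: the CVE identifier added on the new 5.7.6 line, "CVE-2019–9644", is written with a Unicode en-dash between the year and the number; CVE IDs use a plain ASCII hyphen ("CVE-2019-9644"), and the typographic dash will break copy-and-paste lookups against NVD/MITRE and plain-text search across the changelog. Suggest replacing it with the ASCII form. On the same note, the Open Redirect entry added above 5.7.6 still reads "A CVE has been requested for this vulnerability"; once that identifier is assigned it should be filled in the same way rather than leaving the placeholder sentence in a released changelog.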

1 comment on commit d65328d

@globalinst1


Very old site and still a top rating and top Domain Authority. Thanks for doing amazing work.
