{"id":"MGASA-2015-0300","summary":"Updated ipython package fixes security vulnerability","details":"JSON error responses from the IPython notebook REST API contained\nURL parameters and were incorrectly reported as text/html instead of\napplication/json. The error messages included some of these URL params,\nresulting in a cross site scripting attack (CVE-2015-4707).\n\nPOST requests exposed via the IPython REST API are vulnerable to\ncross-site request forgery (CSRF). Web pages on different domains can make\nnon-AJAX POST requests to known IPython URLs, and IPython will honor them.\nThe user's browser will automatically send IPython cookies along with the\nrequests. The response is blocked by the Same-Origin Policy, but the\nrequest isn't (CVE-2015-5607).\n\nThe Mageia 5 package has been patched to fix these issues.  The Mageia 4\npackage wasn't vulnerable to CVE-2015-4707, but it has been updated and\npatched to fix CVE-2015-5607.\n","modified":"2026-01-31T18:45:41.359331Z","published":"2015-08-03T20:55:18Z","related":["CVE-2015-4707","CVE-2015-5607"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0300.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16183"},{"type":"REPORT","url":"http://openwall.com/lists/oss-security/2015/06/22/7"},{"type":"REPORT","url":"http://openwall.com/lists/oss-security/2015/07/12/4"}],"affected":[{"package":{"name":"ipython","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/ipython?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.0-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0300.json"}},{"package":{"name":"ipython","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/ipython?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.0-2.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0300.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}