A version of ipywidget has been released, which fixes important security issues. Please upgrade ipywidgets as soon as you can:
$ pip install ipywidgets --upgrade
Please do so in all your environments.
More details follow. We requested a CVE number and were asked to wait before any public disclosure of the vulnerability. As we have now been delaying the disclosure for over a resonable time, and we're still waiting for the CVE number, we decided to still disclose the vulnerability. This post will be updated once/if a CVE number is made available.
[Update Dec 15, 2016]
A CVE number cannot be assigned for lack of sufficient information. No explanation of what more is needed was provided.
ipywidgets version 5.1.5 (widgetsnbextension 1.2.3) fixes a security vulnerability (CVE-PENDING) which affects the usage of ipywidgets in conjunction with the Jupyter Notebook.
ipywidgets version 5.0.0 ≤ V ≤ 5.1.4 (widgetsnbextension < 1.2.3).
Only users who installed ipywidgets using pip or from source on the GitHub repository are affected.
Anaconda users are unaffected because the vulnerable version of ipywidget has never been released to the default conda channel.
We released ipywidgets version 5.1.5 (widgetsnbextension version 1.2.3).
You can check whether your system is affected by running the following command from a Python or IPython prompt:
>>> from distutils.version import LooseVersion as V >>> import ipywidgets >>> if V('5.0.0') <= V(ipywidgets.__version__) < V('5.1.5'): print("Upgrade ipywidgets to 5.1.5")
If your system is vulnerable, you will see the following output:
Upgrade ipywidgets to 5.1.5
If your system is vulnerable please upgrade to ipywidgets version 5.1.5. Use the following command to install:
$ pip install "ipywidgets>=5.1.5"
$ conda install "ipywidgets>=5.1.5"
The vulnerability was discovered following an investigation of a potential vulnerability reported by Brian Granger to the ipython-security mailing list (
firstname.lastname@example.org) on May 5.
The reason for such behavior was determined on May 5 by Matthias Bussonnier.
A fix was proposed written and reviewed, then merged into the development branch on May 20, and a non vulnerable version released on May 25.
We recommend immediate upgrade of the ipywidgets package.
There is no simple configuration option that could mitigate the system for vulnerability. The user must upgrade to ipywidget version 5.1.5 or downgrade to 4.x.
The security issue resulted from the seemingly harmless combination of calls:
json = cell.get_json() json = update_json(json) cell.clear_output() cell.from_json(json)
We plan on improving the notebook API so that
clear_output() does not change the trusted status of a cell (or a notebook), to prevent mistakes like this from having security consequences. This will lead to the slight behavior change that an empty cell with no output can be untrusted.
Doing better next time
We learned that we are not completely ready for fast release of security fixes. The time from vulnerability discovery to available fix and release could have been better. The announcement was delayed while waiting for a CVE number which is still not there. We will consider a sorter timescale to publication even if we don't get assigned a CVE number quickly. The standard seem to be 90 days from security vulnerability report, we might end up selecting this as well.
We encourage users who find possible security issues to notify