Security fix for Jupyter Notebook
We have just released Jupyter Notebook 5.6.0. This release fixes a vulnerability that could allow a maliciously crafted notebook to execute JavaScript when it is opened, bypassing the trusted-notebook mechanism.
We recommend updating the notebook package immediately, via pip:
pip install "notebook>=5.6.0"
or conda:
conda install "notebook>=5.6.0"
(The quotes matter: without them most shells treat >= as an output redirection and install the latest notebook while writing a stray file named =5.6.0.)
Affected versions: all releases prior to 5.6.0
JupyterLab users are affected as well, regardless of the JupyterLab version, because JupyterLab runs on the notebook server package. Upgrading the notebook package to 5.6.0 resolves the issue for users of both JupyterLab and the classic notebook.
A CVE has been requested for the vulnerability. Release notes for 5.6.0 and this post will be updated as the CVE is assigned. More details of the vulnerability will be released in 30 days, on August 16, 2018.
Security reports for Jupyter are greatly appreciated. You can report security issues to security@ipython.org.
Thanks to Jonathan Kamens for reporting this issue to the security list.
[Update July 28] The vulnerability has been assigned CVE-2018-1999024.
[Update August 16] MathJax versions prior to 2.7.4 contain a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in untrusted JavaScript running in the browser, for example when a notebook is loaded. Because MathJax renders math in Markdown cells and outputs whether or not a notebook is trusted, the trusted-notebook mechanism did not block this payload. Notebook 5.6.0 ships with MathJax 2.7.4, which fixes this vulnerability.
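To check an environment against the two fixed versions the advisory names (notebook 5.6.0 and the MathJax 2.7.4 it bundles), here is an added example script; it is not code from the Jupyter project or from this post. It assumes the bundled MathJax lives at notebook/static/components/MathJax/MathJax.js and that the file carries a line of the form MathJax.version="x.y.z"; both are assumptions about the package layout, and the sample MathJax source embedded below is constructed for the demonstration.

```python
"""Check a Jupyter install against the fixed versions named in this advisory.

Added example (not code from the Jupyter project or this post). It compares
the installed notebook package with the fixed release, 5.6.0, and the MathJax
build it bundles with the fixed MathJax release, 2.7.4. The path to the bundled
MathJax.js and the form of its version line are assumptions about the package
layout; the sample MathJax source below is constructed for the demonstration.
"""
import re
from pathlib import Path

# Assumed location of MathJax inside an installed notebook package.
MATHJAX_REL_PATH = Path("static") / "components" / "MathJax" / "MathJax.js"

# Assumed form of the version line in MathJax.js, e.g. MathJax.version="2.7.4";
MATHJAX_VERSION_RE = re.compile(r'MathJax\.version\s*=\s*"(\d+(?:\.\d+)*)"')

# Constructed sample of the start of an unfixed MathJax.js (not the real file).
SAMPLE_MATHJAX_JS = (
    'MathJax.isPacked = true;\n'
    'MathJax.version="2.7.2";MathJax.fileversion="2.7.2";'
)


def parse_version(text):
    """Map '5.6.0', '5.6.0rc1', '2.7.4' to a comparable tuple.

    The numeric part is padded to three components; a trailing flag is 1 for a
    final release and 0 for anything with a suffix (rc1, b2, dev...), so that
    pre-releases compare below the release that fixed the bug. This is
    deliberately conservative and does not implement full PEP 440 ordering.
    """
    text = text.strip()
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    final = 1 if m.end() == len(text) else 0
    return tuple(nums) + (final,)


FIXED_NOTEBOOK = parse_version("5.6.0")
FIXED_MATHJAX = parse_version("2.7.4")


def mathjax_version_from_source(js_text):
    """Return the version string found in MathJax.js contents, or None."""
    m = MATHJAX_VERSION_RE.search(js_text)
    return m.group(1) if m else None


def assess(notebook_version, mathjax_version=None):
    """Decide whether an install is exposed to CVE-2018-1999024.

    Per the advisory, every notebook release before 5.6.0 is affected, and
    5.6.0 fixes it by shipping MathJax 2.7.4. A bundled MathJax older than
    2.7.4 is flagged even if the notebook version looks new enough; an unknown
    MathJax version is reported as not verified (None) rather than vulnerable.
    """
    nb = parse_version(notebook_version)
    mj = parse_version(mathjax_version) if mathjax_version else None
    notebook_fixed = nb >= FIXED_NOTEBOOK
    mathjax_fixed = None if mj is None else mj >= FIXED_MATHJAX
    return {
        "notebook": notebook_version,
        "notebook_fixed": notebook_fixed,
        "mathjax": mathjax_version,
        "mathjax_fixed": mathjax_fixed,
        "vulnerable": (not notebook_fixed) or mathjax_fixed is False,
    }


def audit_installed():
    """Inspect the notebook package in this environment; None if not installed."""
    try:
        import notebook
    except ImportError:
        return None
    mathjax_js = Path(notebook.__file__).resolve().parent / MATHJAX_REL_PATH
    mj_version = None
    if mathjax_js.is_file():
        source = mathjax_js.read_text(encoding="utf-8", errors="replace")
        mj_version = mathjax_version_from_source(source)
    return assess(notebook.__version__, mj_version)


if __name__ == "__main__":
    sample = mathjax_version_from_source(SAMPLE_MATHJAX_JS)
    print("constructed sample:", assess("5.5.0", sample))
    print("this environment:", audit_installed())
```

Run it inside the environment that serves notebooks; a result with "vulnerable": True means upgrade, and "mathjax_fixed": None means the bundled MathJax was not found at the assumed path (for instance on a much newer layout), so verify it by hand rather than assuming it is fixed.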