Bug 203668 - devel/ipython: security update 3.2.1 -> 3.2.2 (or 4.0.0) (CVE-2015-6938)
Summary: devel/ipython: security update 3.2.1 -> 3.2.2 (or 4.0.0) (CVE-2015-6938)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Jimmy Olgeni
URL: http://www.openwall.com/lists/oss-sec...
 
Reported: 2015-10-10 00:01 UTC by Jason Unovitch
Modified: 2016-01-10 23:23 UTC

Flags:
bugzilla: maintainer-feedback? (olgeni)
junovitch: merge-quarterly?


Description Jason Unovitch freebsd_committer freebsd_triage 2015-10-10 00:01:22 UTC
Cross site scripting attack: CVE-2015-6938
http://www.openwall.com/lists/oss-security/2015/09/02/3
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-10-10 00:02:33 UTC
It looks like the upstream changed names to Jupyter for the 4.x release if we want to chase the major version bump.  What do you want to do with this one?  I can help as needed.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-10-10 00:05:44 UTC
It looks like there was another one as well -- CVE-2015-7337.
http://www.openwall.com/lists/oss-security/2015/09/16/3
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-10-10 10:52:12 UTC
A commit references this bug:

Author: olgeni
Date: Sat Oct 10 10:52:06 UTC 2015
New revision: 398988
URL: https://svnweb.freebsd.org/changeset/ports/398988

Log:
  Upgrade devel/ipython to version 3.2.2.

  PR:		203668
  Submitted by:	Jason Unovitch
  Security:	CVE-2015-6938
  Security:	CVE-2015-7337

Changes:
  head/devel/ipython/Makefile
  head/devel/ipython/distinfo
Comment 4 Jimmy Olgeni freebsd_committer freebsd_triage 2015-10-10 10:55:23 UTC
(In reply to Jason Unovitch from comment #1)

I'm a bit maxed-out - would you be able to check what is needed to upgrade to 4.0?
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-10-10 15:02:40 UTC
A commit references this bug:

Author: junovitch
Date: Sat Oct 10 15:01:55 UTC 2015
New revision: 399002
URL: https://svnweb.freebsd.org/changeset/ports/399002

Log:
  Document iPython vulnerabilities fixed in 3.2.2

  PR:		203668
  Security:	CVE-2015-6938
  Security:	CVE-2015-7337
  Security:	https://vuxml.FreeBSD.org/freebsd/290351c9-6f5c-11e5-a2a1-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
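The vuln.xml change referenced in the commit above is not reproduced on this page. The following is an added, constructed illustration (not the project's actual entry, which lives at the vuxml.FreeBSD.org URL in the commit log) of what a VuXML entry of this shape looks like, built from the vid, CVE ids and oss-security URLs that appear in this bug. The package name, topic wording and description text are assumptions; in particular the `py27-ipython` name is a guess at the Python-prefixed package name the port produces, and the real entry may list several such names.

```xml
<!-- Constructed example of a VuXML entry; not the committed vuln.xml text. -->
<vuln vid="290351c9-6f5c-11e5-a2a1-002590263bf5">
  <!-- Topic line shown by `pkg audit` when a matching package is installed. -->
  <topic>ipython -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <!-- Assumed package name; the port's PKGNAMEPREFIX decides the real one. -->
      <name>py27-ipython</name>
      <!-- Every version below 3.2.2 is flagged; 3.2.2 itself is clean. -->
      <range><lt>3.2.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Cross site scripting attack: CVE-2015-6938 (see the oss-security
      post linked below). A second issue, CVE-2015-7337, is covered by the
      follow-up oss-security post.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-6938</cvename>
    <cvename>CVE-2015-7337</cvename>
    <url>http://www.openwall.com/lists/oss-security/2015/09/02/3</url>
    <url>http://www.openwall.com/lists/oss-security/2015/09/16/3</url>
  </references>
  <dates>
    <!-- Discovery date taken from the first oss-security post; entry date is the commit date. -->
    <discovery>2015-09-02</discovery>
    <entry>2015-10-10</entry>
  </dates>
</vuln>
```

The `<range>` element is what makes the port bump and the VuXML commit two separate but complementary steps: revision 398988 ships the fixed version, while this entry is what lets `pkg audit -F` warn users who still have an older package installed. Before committing an entry, running `make validate` in security/vuxml checks it against the VuXML DTD so a malformed entry does not break the database every client fetches.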
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-10-10 15:06:21 UTC
(In reply to Jimmy Olgeni from comment #4)
Given the upstream renamed to Jupyter, my thoughts are we do this:

1. Create a new port, devel/jupyter, based off iPython.

2. Mark devel/ipython as deprecated.

3. Create an UPDATING entry, refer to http://jupyter.readthedocs.org/en/latest/migrating.html for how to migrate to Jupyter.

4. At some point in the future, remove devel/ipython and do the MOVED entry to reflect the rename to devel/jupyter.  Folks should have had time to do the migration per UPDATING in the meantime.
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2015-12-12 23:32:44 UTC
I haven't been able to get back to this and I don't use it myself.  In my opinion, I would rather spend my time on the open PRs.  Do you just want to close this out after MFH and let someone who actually wants the new Jupyter port come along at some point and make a port for it?

Also, add merge-quarterly?.  Can you request an MFH?  Looks like we forgot that initially.
Comment 8 Jimmy Olgeni freebsd_committer freebsd_triage 2016-01-10 23:23:48 UTC
(In reply to Jason Unovitch from comment #7)

3.2.2 ended up in 2016Q1.

I had a look at Jupyter and we have a lot of dependencies already in place, but quite a few are missing. I'll have to check what is the minimum required to get it up and running...