Next | Query returned 17 messages, browsing 1 to 10 | Previous


CVS Commit History:


   2019-11-08 14:15:37 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-notebook: updated to 6.0.2

6.0.2
- Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358)
- Update CodeMirror to version 5.48.4 to fix Python formatting issues
- Continue removing obsolete Python 2.x code/dependencies
- Multiple documentation updates
   2019-08-22 10:23:27 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-notebook: updated to 6.0.1

6.0.1

- Attempt to re-establish websocket connection to Gateway
- Add missing react-dom js to package data

6.0

This is the first major release of the Jupyter Notebook since version 5.0 (March 2017).

We encourage users to start trying JupyterLab, which has just announced its 1.0 release
in preparation for a future transition.

- Remove Python 2.x support in favor of Python 3.5 and higher.
- Multiple accessibility enhancements and bug-fixes.
- Multiple translation enhancements and bug-fixes.
- Remove deprecated ANSI CSS styles.
- Native support to forward requests to Jupyter Gateway(s) (Embedded NB2KG).
- Use JavaScript to redirect users to notebook homepage.
- Enhanced SSL/TLS security by using PROTOCOL_TLS which selects the highest ssl/tls
  protocol version available that both the client and server support. When PROTOCOL_TLS
  is not available use PROTOCOL_SSLv23.
- Add ?no_track_activity=1 argument to allow API requests
  to not be registered as activity (e.g. API calls by external activity monitors).
- Kernels shutting down due to an idle timeout is no longer considered
  an activity-updating event.
- Further improve compatibility with tornado 6 with improved
  checks for when websockets are closed.
- Launch the browser with a local file which redirects to the server address including
  the authentication token. This prevents another logged-in user from stealing the token
  from command line arguments and authenticating to the server.
  The single-use token previously used to mitigate this has been removed.
  Thanks to Dr. Owain Kenway for suggesting the local file approach.
- Respect nbconvert entrypoints as sources for exporters
- Update to CodeMirror to 5.37, which includes f-string syntax for Python 3.6.
- Update jquery-ui to 1.12
- Execute cells by clicking icon in input prompt.
- New "Save as" menu option.
- When serving on a loopback interface, protect against DNS rebinding by
  checking the Host header from the browser.
  This check can be disabled if necessary by setting
  NotebookApp.allow_remote_access.
  (Disabled by default while we work out some Mac issues in GitHub issue 3754).
- Add kernel_info_timeout traitlet to enable restarting slow kernels.
- Add custom_display_host config option to override displayed URL.
- Add /metrics endpoint for Prometheus Metrics.
- Optimize large file uploads.
- Allow access control headers to be overridden in jupyter_notebook_config.py to support
  greater CORS and proxy configuration flexibility.
- Add support for terminals on windows.
- Add a "restart and run all" button to the toolbar.
- Frontend/extension-config: allow default json files in a .d directory.
- Allow setting token via jupyter_token env.
- Cull idle kernels using --MappingKernelManager.cull_idle_timeout.
- Allow read-only notebooks to be trusted.
- Convert JS tests to Selenium.

Security Fixes included in previous minor releases of Jupyter Notebook and also
included in version 6.0.

- Fix Open Redirect vulnerability (CVE-2019-10255)
  where certain malicious URLs could redirect from the Jupyter login page
  to a malicious site after a successful login.

- Contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019-9644),
  where files at a known URL could be included in a page from an unauthorized website if
  the user is logged into a Jupyter server. The fix involves setting the
  X-Content-Type-Options: nosniff header, and applying CSRF checks previously on all
  non-GET API requests to GET requests to API endpoints and the /files/ endpoint.

- Check Host header to more securely protect localhost deployments from DNS rebinding.
  This is a pre-emptive measure, not fixing a known vulnerability.
  Use .NotebookApp.allow_remote_access and .NotebookApp.local_hostnames to configure
  access.

- Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been
  assigned CVE-2018-14041 <https://nvd.nist.gov/vuln/detail/CVE-2018-14041>.

- Contains a security fix preventing malicious directory names
  from being able to execute javascript.

- Contains a security fix preventing nbconvert endpoints from executing javascript with
  access to the server API. CVE request pending.
   2019-07-22 10:42:50 by Nia Alarie | Files touched by this commit (5)
Log message:
Use https for jupyter.org.
   2019-04-25 15:19:48 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-notebook: updated to 5.7.8

5.7.8
- Fix regression in restarting kernels in 5.7.5.
  The restart handler would return before restart was completed.
- Further improve compatibility with tornado 6 with improved
  checks for when websockets are closed.
- Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.
- Fix Open Redirect vulnerability (CVE-2019-10255)
  where certain malicious URLs could redirect from the Jupyter login page
  to a malicious site after a successful login.
  5.7.7 contained only a partial fix for this issue.
   2019-03-22 18:55:05 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-notebook: updated to 5.7.6

5.7.6
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
where files at a known URL could be included in a page from an unauthorized
website if the user is logged into a Jupyter server.
The fix involves setting the X-Content-Type-Options: nosniff
header, and applying CSRF checks previously on all non-GET
API requests to GET requests to API endpoints and the /files/ endpoint.

The attacking page is able to access some contents of files when using Internet
Explorer through script errors,
but this has not been demonstrated with other browsers.
A CVE has been requested for this vulnerability.

5.7.5
- Fix compatibility with tornado 6
- Fix opening integer filedescriptor during startup on Python 2
- Fix compatibility with asynchronous KernelManager.restart_kernel methods
   2019-01-08 11:49:30 by Mark Davies | Files touched by this commit (1)
Log message:
py-notebook: add dependency on py-prometheus_client
   2019-01-02 16:32:41 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-notebook: updated to 5.7.4

5.7.4 fixes a bug introduced in 5.7.3, in which the list_running_servers()
function attempts to parse HTML files as JSON, and consequently crashes

5.7.3 contains one security improvement and one security fix:
- Launch the browser with a local file which redirects to the server address
  including the authentication token
  This prevents another logged-in user from stealing the token from command line
  arguments and authenticating to the server.
  The single-use token previously used to mitigate this has been removed.
  Thanks to Dr. Owain Kenway for suggesting the local file approach.
- Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been
  assigned CVE-2018-14041
   2018-11-30 10:53:33 by Adam Ciarcinski | Files touched by this commit (1)
Log message:
py-notebook: mark as incompatible with Python 2.7
   2018-11-29 19:34:12 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
py-notebook: updated to 5.7.2

5.7.2
5.7.2 contains a security fix preventing malicious directory names
from being able to execute javascript. CVE request pending.

5.7.1
5.7.1 contains a security fix preventing nbconvert endpoints from executing
javascript with access to the server API. CVE request pending.

5.7.0
New features:
- Update to CodeMirror to 5.37, which includes f-string syntax for Python 3.6
- Update jquery-ui to 1.12
- Check Host header to more securely protect localhost deployments from DNS rebinding.
  This is a pre-emptive measure, not fixing a known vulnerability
  Use .NotebookApp.allow_remote_access and .NotebookApp.local_hostnames to configure
  access.
- Allow access-control-allow-headers to be overridden
- Allow configuring max_body_size and max_buffer_size
- Allow configuring get_secure_cookie keyword-args
- Respect nbconvert entrypoints as sources for exporters
- Include translation sources in source distributions
- Various improvements to documentation

Fixing problems:
- Fix breadcrumb link when running with a base url
- Fix possible type error when closing activity stream
- Disable metadata editing for non-editable cells
- Fix some styling and alignment of prompts caused by regressions in 5.6.0.
- Enter causing page reload in shortcuts editor
- Fix uploading to the same file twice
   2018-05-11 21:46:36 by Min Sik Kim | Files touched by this commit (2)
Log message:
www/py-notebook: Use PLIST.py3x instead of defining new one

Suggested by leot@.
