Subject: CVS commit: pkgsrc/www/py-notebook
From: Adam Ciarcinski
Date: 2019-03-22 18:55:05
Message id: 20190322175505.61553FB16@cvs.NetBSD.org

Log Message:
py-notebook: updated to 5.7.6

5.7.6
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
where files at a known URL could be included in a page from an unauthorized \ 
website if the user is logged into a Jupyter server.
The fix involves setting the X-Content-Type-Options: nosniff
header, and applying CSRF checks previously on all non-GET
API requests to GET requests to API endpoints and the /files/ endpoint.

The attacking page is able to access some contents of files when using Internet \ 
Explorer through script errors,
but this has not been demonstrated with other browsers.
A CVE has been requested for this vulnerability.

5.7.5
- Fix compatibility with tornado 6
- Fix opening integer filedescriptor during startup on Python 2
- Fix compatibility with asynchronous KernelManager.restart_kernel methods

Files:
RevisionActionfile
1.13modifypkgsrc/www/py-notebook/Makefile
1.9modifypkgsrc/www/py-notebook/distinfo