Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency ipython to v8 [SECURITY] #1685

Open
wants to merge 1 commit into
base: master-dev
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 21, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ipython ==7.34.0 -> ==8.10.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-24816

IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function under specific conditions. This has been patched in version 8.10.0.

Impact

Users are only vulnerable when calling this function in Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached (making it effectively dead code). However, as a library that could be used by another tool, set_term_title could introduce a vulnerability for dependencies. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user to cd into this directory, then the attacker can execute arbitrary commands contained in the folder names.


Release Notes

ipython/ipython (ipython)

v8.10.0

Compare Source

v8.9.0

Compare Source

v8.8.0

Compare Source

v8.7.0

Compare Source

v8.6.0

Compare Source

v8.5.0

Compare Source

v8.4.0

Compare Source

v8.3.0

Compare Source

v8.2.0

Compare Source

v8.1.1

Compare Source

v8.1.0

Compare Source

v8.0.1

Compare Source

v8.0.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file security labels Apr 21, 2024
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch 2 times, most recently from 8b13709 to 2d5b7ce Compare June 4, 2024 12:32
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch 2 times, most recently from b8b538c to 71dddc3 Compare June 17, 2024 16:20
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch from 71dddc3 to cf1bad2 Compare October 2, 2024 16:03
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch from cf1bad2 to 997b5ba Compare October 9, 2024 17:07
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch from 997b5ba to 4883e3c Compare November 15, 2024 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants