Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency ipython to v8 [security] #1145

Merged
merged 1 commit into from
Mar 17, 2025
Merged

fix(deps): update dependency ipython to v8 [security] #1145

merged 1 commit into from
Mar 17, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ipython ^7.16.3 -> ^8.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-24816

IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function under specific conditions. This has been patched in version 8.10.0.

Impact

Users are only vulnerable when calling this function in Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached (making it effectively dead code). However, as a library that could be used by another tool, set_term_title could introduce a vulnerability for dependencies. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user to cd into this directory, then the attacker can execute arbitrary commands contained in the folder names.

Release Notes

ipython/ipython (ipython)

v8.10.0

Compare Source

v8.9.0

Compare Source

v8.8.0

Compare Source

v8.7.0

Compare Source

v8.6.0

Compare Source

v8.5.0

Compare Source

v8.4.0

Compare Source

v8.3.0

Compare Source

v8.2.0

Compare Source

v8.1.1

Compare Source

v8.1.0

Compare Source

v8.0.1

Compare Source

v8.0.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch from 5c6ec63 to 4c8791b Compare August 6, 2024 12:10
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch 2 times, most recently from bcbd036 to 5fe0305 Compare September 26, 2024 23:05
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch 2 times, most recently from 15bb953 to 89878fb Compare March 10, 2025 10:40
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch 2 times, most recently from 913ab0f to e7fbf30 Compare March 14, 2025 10:01
@marslanabdulrauf marslanabdulrauf self-assigned this Mar 14, 2025
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch 2 times, most recently from 00eb479 to a6fd890 Compare March 14, 2025 11:15
@marslanabdulrauf marslanabdulrauf removed their assignment Mar 14, 2025
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch from a6fd890 to 6e78ee7 Compare March 14, 2025 12:11
@marslanabdulrauf marslanabdulrauf self-assigned this Mar 14, 2025
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch from 6e78ee7 to 4d87ace Compare March 14, 2025 14:12
@renovate renovate bot changed the title Update dependency ipython to v8 [SECURITY] fix(deps): update dependency ipython to v8 [security] Mar 14, 2025
@renovate renovate bot force-pushed the renovate/pypi-ipython-vulnerability branch from 4d87ace to ce218ce Compare March 17, 2025 07:49
@marslanabdulrauf marslanabdulrauf merged commit 89f5d1d into master Mar 17, 2025
7 checks passed
@marslanabdulrauf marslanabdulrauf deleted the renovate/pypi-ipython-vulnerability branch March 17, 2025 08:25
@odlbot odlbot mentioned this pull request Mar 19, 2025
Open
30 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marslanabdulrauf marslanabdulrauf marslanabdulrauf approved these changes

Assignees

@marslanabdulrauf marslanabdulrauf

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@marslanabdulrauf