nmfs-opensci / container-images

The docker stack for data science applications for NOAA Fisheries
https://nmfs-opensci.github.io/container-images/
Apache License 2.0

upgrade jupyterhub-server-proxy #12

Open eeholmes opened 5 months ago

eeholmes commented 5 months ago

Dear Hub Champion,

If you are not using custom-built images for your JupyterHub, then 2i2c has already taken action to secure your hub. Please disregard the rest of this message.

We would like you to be aware of a potential vulnerability for JupyterHubs. If you are using a custom image with jupyter-server-proxy installed, then please take action to secure your hub. The affected versions are <=4.1.0 and <=3.2.2 and may be pulled in as a dependency of other packages.

Recommended actions

- If your custom image is based on an upstream community image, then update your base image to the latest version.
- If your custom image is using pip, conda or similar, then you may need to explicitly pin all of your packages to versions compatible with patched versions of jupyter-server-proxy.
- Once you have updated and re-built your image, test that it is indeed using a patched version (>=4.1.1, >=3.2.3) of jupyter-server-proxy.

See the security advisory on GitHub for full details and instructions on how to check for this vulnerability: GHSA-w3vc-fx9p-wp4v.

Optional: A note on upgrading JupyterHub

You may also want to take this opportunity to upgrade your custom image to JupyterHub version >=4.1.0 to address a separate JupyterHub vulnerability GHSA-7r3h-4ph8-w38g. You may experience XSRF and 403 bugs in JupyterHub versions 4.1.0 – 4.1.4, therefore we recommend

- upgrading JupyterHub to >=4.1.5
- upgrading nbgitpuller to >=1.2.1 (if using)
- upgrading jupyterhub-singleuser to the latest version (if using conda/mamba)

You are receiving this email because you are noted as a 'technical contact' for your community. If you do not wish to receive such emails or there is someone else in your organization who should be receiving this kind of email, please let me know at jwong@2i2c.org. Thank you!

Best wishes,
Jenny Wong
2i2c
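The verification step the email asks for (confirm the rebuilt image carries a patched jupyter-server-proxy, JupyterHub >=4.1.5 and, if present, nbgitpuller >=1.2.1), written out as an added example script. This is not part of the nmfs-opensci/container-images repo or of 2i2c's tooling. The version boundaries are the ones quoted in the email; treating "<=3.2.2 and <=4.1.0" as two vulnerable windows (everything below 3.2.3, and 4.0.0 up to but not including 4.1.1) is my reading of that wording. The file name `check_versions.py` and the `IMAGE` tag in the usage note are placeholders.

```python
"""Audit the packages named in the 2i2c advisory inside a built JupyterHub image.

Added example (not repo or 2i2c code). Run it with the image's Python, e.g.
    docker run --rm IMAGE python check_versions.py
Exit status is non-zero if anything still needs an upgrade.
"""
import re
import sys
from importlib import metadata


def parse_version(text):
    """Turn '4.1.1', 'v4.1.1rc1' or '3.2' into a comparable tuple of ints.

    Only the leading dotted-integer release segment is compared; pre-release
    tags are ignored. Good enough for an image sanity check, not full PEP 440.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


# Affected ranges for GHSA-w3vc-fx9p-wp4v as quoted in the email:
# <=3.2.2 on the 3.x line and <=4.1.0 on the 4.x line; fixed in 3.2.3 / 4.1.1.
# Each entry is a half-open window [lo, hi) that is still vulnerable.
JSP_VULNERABLE_RANGES = [
    ((0, 0, 0), (3, 2, 3)),  # anything below 3.2.3
    ((4, 0, 0), (4, 1, 1)),  # 4.0.0 up to, not including, 4.1.1
]

# Single-floor recommendations from the same email.
MIN_VERSIONS = {
    "jupyterhub": "4.1.5",    # 4.1.0-4.1.4 have the XSRF/403 bugs mentioned
    "nbgitpuller": "1.2.1",   # only matters if the image ships it
}


def jsp_is_patched(version):
    """True unless the version falls inside one of the vulnerable windows."""
    v = parse_version(version)
    return not any(lo <= v < hi for lo, hi in JSP_VULNERABLE_RANGES)


def meets_floor(version, floor):
    return parse_version(version) >= parse_version(floor)


def audit(installed):
    """installed: dict of distribution name -> version string (None = absent).

    Returns (package, version, status) rows; status is 'ok', 'VULNERABLE',
    'UPGRADE' or 'absent'. Absent is reported, not judged: nbgitpuller is
    optional and a hub image need not ship jupyterhub itself.
    """
    rows = []
    jsp = installed.get("jupyter-server-proxy")
    if jsp is None:
        rows.append(("jupyter-server-proxy", None, "absent"))
    else:
        status = "ok" if jsp_is_patched(jsp) else "VULNERABLE"
        rows.append(("jupyter-server-proxy", jsp, status))
    for name, floor in MIN_VERSIONS.items():
        ver = installed.get(name)
        if ver is None:
            rows.append((name, None, "absent"))
        else:
            rows.append((name, ver, "ok" if meets_floor(ver, floor) else "UPGRADE"))
    return rows


def installed_versions(names):
    """Look up the distributions actually installed in this interpreter."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def needs_action(rows):
    return any(status in ("VULNERABLE", "UPGRADE") for _, _, status in rows)


if __name__ == "__main__":
    names = ["jupyter-server-proxy", *MIN_VERSIONS]
    rows = audit(installed_versions(names))
    for pkg, ver, status in rows:
        print(f"{pkg:22} {ver or '-':10} {status}")
    sys.exit(1 if needs_action(rows) else 0)
```

The script only sees what pip/importlib can see; the conda-only `jupyterhub-singleuser` package from the email's last bullet has to be checked with `conda list` or `mamba list` instead. Because a dependency of another package can pull jupyter-server-proxy back in at an old version, run this against the final built image rather than against the requirements file.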