JupyterHub 1.5.0, zero-to-jupyterhub 1.2.0 security release

We’ve just published JupyterHub 1.5.0 and zero-to-jupyterhub chart 1.2.0. These fix a moderate security vulnerability, where logout could fail to clear all credentials when JupyterLab is open in more than one tab when you try to logout.

These are minor releases because they include a couple small, fully backward-compatible features backported from 2.0. Users of jupyterhub 1.4 should not have any issues upgrading to 1.5.

Note that in container-based deployments where the Hub and user environments may have slightly different versions of JupyterHub, it is the version in the user environment that needs upgrading. Upgrading only the Hub itself won’t fix the issue. Similarly, you can keep the Hub on 1.4.2 and upgrade only your user environment to 1.5.0, and everything will be fixed. You won’t get the new features in 1.5 until you upgrade the hub, but the vulnerability will be patched.

The published security advisory.

Thanks to Florian Ritterhoff for reporting the issue.

1 Like