We have just published a security advisory that affects JupyterHub deployments on Kubernetes which have enabled allowNamedServers: true, where collisions could occur between the default server of certain usernames that require escapes, and other users’ named servers. See the security advisory for more details.
We have published 0.9.1 of the jupyterhub helm chart and kubespawner 0.12 with fixes.
The issue can be resolved by any of the following actions:
- Upgrading jupyterhub-kubespawner in the Hub image to 0.12 or
- Upgrading the jupyterhub helm chart to 0.9.1 or
- Specifying your own pvc_name_template templates that do not allow collisions, or
- Disabling named_servers
Named servers are not enabled by default, so if you have not enabled them, you are not affected. Additionally, not all Authenticators permit usernames that allow collisions in this way.
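To check whether a naming scheme can produce the kind of collision described above, the following added example (not code from kubespawner or the advisory) audits an inventory of users and named servers. The escaping rule, the "claim-" prefix, the two separators and the sample inventory are all assumptions made for illustration.

```python
import string
from collections import defaultdict

SAFE = set(string.ascii_lowercase + string.digits)

def escape(name, escape_char="-"):
    """Assumed escaping model: keep [a-z0-9]; every other character
    becomes escape_char followed by the hex of each UTF-8 byte."""
    out = []
    for ch in name:
        if ch in SAFE:
            out.append(ch)
        else:
            out.extend(f"{escape_char}{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)

def resource_name(username, servername, sep, prefix="claim-"):
    """Name for one server; the default server has an empty servername."""
    name = prefix + escape(username)
    if servername:
        name += sep + escape(servername)
    return name

def find_collisions(servers, sep):
    """Map each rendered name claimed by more than one user to its owners."""
    owners = defaultdict(list)
    for username, servername in servers:
        owners[resource_name(username, servername, sep)].append((username, servername))
    return {n: o for n, o in owners.items() if len({u for u, _ in o}) > 1}

# Constructed sample inventory of (username, servername) pairs.
SERVERS = [("user-a", ""), ("user", "2da"), ("bob", ""), ("bob", "gpu")]

if __name__ == "__main__":
    # "-" is also the escape character, so it is ambiguous as a separator;
    # "--" cannot appear inside an escaped name, so it is not.
    for sep in ("-", "--"):
        print(repr(sep), find_collisions(SERVERS, sep))
```

Under this model a separator that is also the escape character lets one user's escaped username equal another user's username plus server name, while a separator that can never occur inside an escaped name keeps every rendered name unique.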