Your message dated Fri, 18 Aug 2023 00:12:48 +0000
with message-id <[email protected]>
and subject line Bug#1041422: fixed in openrefine 3.6.2-3
has caused the Debian Bug report #1041422,
regarding openrefine: CVE-2023-37476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1041422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041422
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openrefine
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for openrefine.

CVE-2023-37476[0]:
| OpenRefine is a free, open source tool for data processing. A
| carefully crafted malicious OpenRefine project tar file can be used
| to trigger arbitrary code execution in the context of the OpenRefine
| process if a user can be convinced to import it. The vulnerability
| exists in all versions of OpenRefine up to and including 3.7.3.
| Users should update to OpenRefine 3.7.4 as soon as possible. Users
| unable to upgrade should only import OpenRefine projects from
| trusted sources.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37476
    https://www.cve.org/CVERecord?id=CVE-2023-37476

Please adjust the affected versions in the BTS as needed.

--- End Message ---
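The report above quotes the advisory text but not the mechanism of the flaw. The following is an added example written for this page, not code from OpenRefine or from the Debian package: it assumes the weakness belongs to the archive path-traversal class (often called "zip slip" or "tar slip"), in which an entry whose name contains `..` segments makes a naive extractor write outside the import directory, and shows in Python the check an importer should make on every tar entry before writing it. The names `safe_untar`, `build_archive`, `demo` and `UnsafeArchiveEntry` are the example's own, and the hostile archive is constructed inline.

```python
"""Safe extraction of a project tar archive (added example, not OpenRefine code).

Assumption (not stated in the advisory text above): the issue is an
archive path-traversal, where an entry name such as "../escaped.txt"
is joined to the destination directory without validation. The guard
below resolves every entry against the destination and refuses
anything that would land outside it, plus link and device entries.
"""
import io
import os
import tarfile
import tempfile


class UnsafeArchiveEntry(Exception):
    """Raised when an archive entry would write outside the destination."""


def _resolve_inside(dest_dir: str, member_name: str) -> str:
    """Return the absolute target path for member_name, or raise if it escapes dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    # commonpath, not a string prefix test, so "/tmp/dest2" is not mistaken for "/tmp/dest"
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeArchiveEntry(f"entry escapes destination: {member_name!r}")
    return target


def safe_untar(data: bytes, dest_dir: str) -> list:
    """Extract an in-memory tar archive into dest_dir, rejecting unsafe entries.

    Rejects absolute names, names that traverse above dest_dir, and any
    symlink or hardlink member (a link written early can redirect later
    entries outside the tree). Returns the entry names that were written.
    """
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise UnsafeArchiveEntry(f"absolute entry name: {name!r}")
            if member.issym() or member.islnk():
                raise UnsafeArchiveEntry(f"link entry not allowed: {name!r}")
            target = _resolve_inside(dest_dir, name)
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(member).read())
            else:
                # Devices, FIFOs and the like have no place in a project export.
                raise UnsafeArchiveEntry(f"unsupported entry type: {name!r}")
            written.append(name)
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory tar from a name -> bytes mapping (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> dict:
    """Feed a benign and a traversal archive to safe_untar inside a temp dir."""
    with tempfile.TemporaryDirectory() as tmp_root:
        dest = os.path.join(tmp_root, "project")
        os.makedirs(dest)
        # Constructed benign project archive: two files below the destination.
        benign = build_archive({"metadata.json": b"{}", "data/rows.csv": b"a,b\n"})
        written = safe_untar(benign, dest)
        with open(os.path.join(dest, "data", "rows.csv"), "rb") as fh:
            data_back = fh.read()
        # Constructed hostile archive: the entry name climbs out of the destination.
        hostile = build_archive({"../escaped.txt": b"must never be written"})
        try:
            safe_untar(hostile, dest)
            rejected = False
        except UnsafeArchiveEntry:
            rejected = True
        leaked = os.path.exists(os.path.join(tmp_root, "escaped.txt"))
    return {"written": written, "data_back": data_back,
            "rejected": rejected, "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

The resolution step is the important part: a check on the raw entry string alone misses `a/../../x`, while resolving the joined path and comparing it with `os.path.commonpath` catches every spelling of the same escape. Rejecting link entries outright is the simplest policy for a format that never needs them.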
--- Begin Message ---
Source: openrefine
Source-Version: 3.6.2-3
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openrefine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated openrefine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 18 Aug 2023 01:37:01 +0200
Source: openrefine
Architecture: source
Version: 3.6.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1041422
Changes:
 openrefine (3.6.2-3) unstable; urgency=medium
 .
   * Tighten B-D on commons-io to >= 2.11.0.
   * Fix CVE-2023-37476 and automatically refresh all other patches.
     OpenRefine is a free, open source tool for data processing. A carefully
     crafted malicious OpenRefine project tar file can be used to trigger
     arbitrary code execution in the context of the OpenRefine process if a user
     can be convinced to import it. (Closes: #1041422)
   * Declare compliance with Debian Policy 4.6.2.
Checksums-Sha1:
 c0ea5c7ff89fe3ed60880bb33963efaba2aa521f 3594 openrefine_3.6.2-3.dsc
 086d8ea4f865c529bf19da15dee1697022b53513 309624 openrefine_3.6.2-3.debian.tar.xz
 72b4137a132e07866f2579f228a008362bf50b35 18207 openrefine_3.6.2-3_amd64.buildinfo
Checksums-Sha256:
 a7068a72811602b299d4f34b90ee472cca6a166cb3c1bda06f5fd4a390b99489 3594 openrefine_3.6.2-3.dsc
 16ee4fa9f6e36d5e4f7cc222455e3b2afed102e8d5ece9dca9079b8f17d524b0 309624 openrefine_3.6.2-3.debian.tar.xz
 0aca365e595d347169f688f879d73a5278f928c27f05cb3bc160f60abe5d8fa9 18207 openrefine_3.6.2-3_amd64.buildinfo
Files:
 30a765993f3ece851d062c9e52fd125d 3594 java optional openrefine_3.6.2-3.dsc
 7c7e685af6e1db8615a724f6bcbc6a4c 309624 java optional openrefine_3.6.2-3.debian.tar.xz
 a39a8b5a391be99e29d7467997fdb821 18207 java optional openrefine_3.6.2-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
