Your message dated Sat, 09 Sep 2023 16:17:16 +0000
with message-id <[email protected]>
and subject line Bug#1041422: fixed in openrefine 3.6.2-2+deb12u1
has caused the Debian Bug report #1041422,
regarding openrefine: CVE-2023-37476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1041422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041422
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openrefine
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for openrefine.

CVE-2023-37476[0]:
| OpenRefine is a free, open source tool for data processing. A
| carefully crafted malicious OpenRefine project tar file can be used
| to trigger arbitrary code execution in the context of the OpenRefine
| process if a user can be convinced to import it. The vulnerability
| exists in all versions of OpenRefine up to and including 3.7.3.
| Users should update to OpenRefine 3.7.4 as soon as possible. Users
| unable to upgrade should only import OpenRefine projects from
| trusted sources.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq
https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37476
    https://www.cve.org/CVERecord?id=CVE-2023-37476

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: openrefine
Source-Version: 3.6.2-2+deb12u1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openrefine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated openrefine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Sep 2023 21:22:17 +0200
Source: openrefine
Architecture: source
Version: 3.6.2-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1041422
Changes:
 openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
 .
   * Fix CVE-2023-37476:
     OpenRefine is a free, open source tool for data processing. A carefully
     crafted malicious OpenRefine project tar file can be used to trigger
     arbitrary code execution in the context of the OpenRefine process if a user
     can be convinced to import it. (Closes: #1041422)


--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.