Your message dated Sat, 06 Apr 2024 20:37:30 +0000 with message-id <e1rtcn4-0047ep...@fasolo.debian.org> and subject line Bug#1064192: fixed in openrefine 3.7.8-1 has caused the Debian Bug report #1064192, regarding openrefine: CVE-2024-23833 to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1064192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064192
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openrefine
Version: 3.7.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for openrefine.

Markus, please adjust severity if you think grave/RC severity is not
appropriate. openrefine updates were batched previously as well just in
point releases; that might be enough here as well.

CVE-2024-23833[0]:
| OpenRefine is a free, open source power tool for working with messy
| data and improving it. A jdbc attack vulnerability exists in
| OpenRefine(version<=3.7.7) where an attacker may construct a JDBC
| query which may read files on the host filesystem. Due to the newer
| MySQL driver library in the latest version of OpenRefine (8.0.30),
| there is no associated deserialization utilization point, so
| original code execution cannot be achieved, but attackers can use
| this vulnerability to read sensitive files on the target server.
| This issue has been addressed in version 3.7.8. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23833
    https://www.cve.org/CVERecord?id=CVE-2024-23833
[1] https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4
[2] https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
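The advisory above describes the risk in one sentence: a JDBC URL the user controls can carry MySQL Connector/J properties that make the client read local files (or deserialize server-supplied bytes) when it connects. As an added example, not OpenRefine's own fix from the commit referenced in the report, here is the screening step a Java application can apply before passing such a URL to the driver: it parses the URL, rejects the file-transfer and deserialization properties, restricts the remaining characters, and pins allowLoadLocalInfile=false on the URL it returns. The property names are real Connector/J options; the JdbcUrlGuard class and harden method are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
// Added example, not OpenRefine's own fix: screen a user-supplied MySQL JDBC
// URL before it reaches the driver. Class and method names are assumptions.
public final class JdbcUrlGuard {
    // Connector/J properties that let a (possibly attacker-controlled) server
    // pull files from the client host or feed it bytes for deserialization.
    private static final Set<String> BLOCKED = Set.of(
        "allowloadlocalinfile", "allowloadlocalinfileinpath",
        "allowurlinlocalinfile", "autodeserialize", "allowmultiqueries");
    /** Returns a hardened URL, or throws if the input is malformed or carries a blocked property. */
    public static String harden(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:mysql://")) {
            throw new IllegalArgumentException("only jdbc:mysql:// URLs are accepted");
        }
        URI uri;
        try { // parse "mysql://host:port/db?k=v" with the standard URI class
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        // Host plus a plain database name; user:pw@ in the URL is dropped (credentials go via Properties).
        if (uri.getHost() == null || !uri.getPath().matches("/[A-Za-z0-9_]+")) {
            throw new IllegalArgumentException("host and database name are required");
        }
        Map<String, String> props = new LinkedHashMap<>();
        if (uri.getQuery() != null) { // getQuery() is percent-decoded, so encoded names are caught too
            for (String pair : uri.getQuery().split("&")) {
                String[] kv = pair.split("=", 2);
                String key = kv[0], val = kv.length > 1 ? kv[1] : "";
                if (BLOCKED.contains(key.toLowerCase())) {
                    throw new IllegalArgumentException("blocked JDBC property: " + key);
                }
                if (!key.matches("[A-Za-z0-9_]+") || !val.matches("[A-Za-z0-9_.:+-]*")) {
                    throw new IllegalArgumentException("unexpected characters in property: " + key);
                }
                props.put(key, val);
            }
        }
        props.put("allowLoadLocalInfile", "false"); // pin the file-transfer switch off
        StringBuilder out = new StringBuilder("jdbc:mysql://").append(uri.getHost());
        if (uri.getPort() != -1) out.append(':').append(uri.getPort());
        out.append(uri.getPath()).append('?');
        props.forEach((k, v) -> out.append(k).append('=').append(v).append('&'));
        return out.substring(0, out.length() - 1); // drop the trailing '&'
    }
}
```

Building the URL from separately validated host, port and database fields, and never accepting a raw URL string at all, is the stronger form of the same check; the denylist above is the fallback for code paths that must take a URL.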
--- Begin Message ---
Source: openrefine
Source-Version: 3.7.8-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openrefine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated openrefine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Apr 2024 21:45:36 +0200
Source: openrefine
Architecture: source
Version: 3.7.8-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1064192
Changes:
 openrefine (3.7.8-1) unstable; urgency=high
 .
   * New upstream version 3.7.8
     - Fix CVE-2024-23833:
       A jdbc attack vulnerability exists in OpenRefine where an attacker may
       construct a JDBC query which may read files on the host filesystem.
       (Closes: #1064192)
       Thanks to Salvatore Bonaccorso for the report.
--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.