Your message dated Thu, 02 Jan 2025 18:54:51 +0000
with message-id <[email protected]>
and subject line Bug#1086042: fixed in openrefine-butterfly 1.2.6-1
has caused the Debian Bug report #1086042,
regarding openrefine-butterfly: CVE-2024-47883
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1086042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086042
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openrefine-butterfly
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for openrefine-butterfly.
CVE-2024-47883[0]:
| The OpenRefine fork of the MIT Simile Butterfly server is a modular
| web application framework. The Butterfly framework uses the
| `java.net.URL` class to refer to (what are expected to be) local
| resource files, like images or templates. This works: "opening a
| connection" to these URLs opens the local file. However, prior to
| version 1.2.6, if a `file:/` URL is directly given where a relative
| path (resource name) is expected, this is also accepted in some code
| paths; the app then fetches the file, from a remote machine if
| indicated, and uses it as if it was a trusted part of the app's
| codebase. This leads to multiple weaknesses and potential
| weaknesses. An attacker that has network access to the application
| could use it to gain access to files, either on the server's
| filesystem (path traversal) or shared by nearby machines (server-
| side request forgery with e.g. SMB). An attacker that can lead or
| redirect a user to a crafted URL belonging to the app could cause
| arbitrary attacker-controlled JavaScript to be loaded in the
| victim's browser (cross-site scripting). If an app is written in
| such a way that an attacker can influence the resource name used for
| a template, that attacker could cause the app to fetch and execute
| an attacker-controlled template (remote code execution). Version
| 1.2.6 contains a patch.
https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8
https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-47883
https://www.cve.org/CVERecord?id=CVE-2024-47883
Please adjust the affected versions in the BTS as needed.
--- End Message ---
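Added example, not Butterfly's own code and not part of the bug report above: a Java sketch of the resolution pattern the advisory describes, new URL(context, spec) with a caller-supplied spec, next to a hardened resolver that refuses absolute specs, non-file protocols, a host component (the SMB/UNC case) and anything that normalises outside a fixed template root. The template root /srv/app/templates, the class and method names, and the POSIX filesystem layout are assumptions for illustration; Butterfly's real code paths and fix are in the linked commit.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Butterfly's code). Shows why resolving a caller-supplied
 * resource name with java.net.URL's two-argument constructor lets an absolute
 * "file:/" or "http://" spec replace the trusted base, and one way to reject it.
 * Paths below assume a POSIX filesystem; the template root is hypothetical.
 */
public class ResourceResolution {

    // Hypothetical trusted template root (assumption, not Butterfly's layout).
    static final Path BASE_DIR = Paths.get("/srv/app/templates");
    static final URL BASE;

    static {
        try {
            BASE = new URL("file:///srv/app/templates/");
        } catch (MalformedURLException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** The weak pattern: when spec carries its own scheme, the context URL is ignored. */
    static URL resolveUnsafe(String name) throws MalformedURLException {
        return new URL(BASE, name);
    }

    /** Hardened resolver: fail closed on anything that is not a confined relative name. */
    static URL resolveSafe(String name) throws MalformedURLException {
        // 1. A spec with a scheme ("file:", "http:", "jar:") is never a resource name.
        try {
            if (new URI(name).isAbsolute()) {
                throw new MalformedURLException("absolute URL given as resource name: " + name);
            }
        } catch (URISyntaxException e) {
            throw new MalformedURLException("unparseable resource name: " + name);
        }
        URL resolved = new URL(BASE, name);
        // 2. Only the base's own protocol may come out of the resolution.
        if (!"file".equals(resolved.getProtocol())) {
            throw new MalformedURLException("unexpected protocol: " + resolved.getProtocol());
        }
        // 3. "//host/share/x" keeps the file scheme but names a remote host (UNC/SMB).
        if (resolved.getHost() != null && !resolved.getHost().isEmpty()) {
            throw new MalformedURLException("remote host in file URL: " + resolved.getHost());
        }
        // 4. Normalise the filesystem path and confine it to BASE_DIR (blocks "../").
        Path target;
        try {
            target = Paths.get(resolved.toURI()).normalize();
        } catch (URISyntaxException | IllegalArgumentException e) {
            throw new MalformedURLException("bad resolved URL: " + resolved);
        }
        if (!target.startsWith(BASE_DIR)) {
            throw new MalformedURLException("escapes template root: " + target);
        }
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names, one per weakness class named in the advisory.
        String[] names = {
            "index.vt",                          // legitimate relative name
            "file:///etc/passwd",                // scheme overrides the base: path traversal
            "http://attacker.example/evil.js",   // remote fetch: SSRF / XSS / RCE
            "//attacker.example/share/evil.vt",  // file scheme kept, but remote host (SMB)
            "../../../etc/passwd",               // plain relative traversal
        };
        for (String n : names) {
            System.out.println("unsafe: " + n + " -> " + resolveUnsafe(n));
            try {
                System.out.println("safe:   " + n + " -> " + resolveSafe(n));
            } catch (MalformedURLException e) {
                System.out.println("safe:   " + n + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The order of the checks matters: the scheme check alone does not catch "//host/share", which URI treats as a relative reference, and the protocol check alone does not catch "../", so the final startsWith test on the normalised Path is the backstop for every case the earlier filters miss.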
--- Begin Message ---
Source: openrefine-butterfly
Source-Version: 1.2.6-1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openrefine-butterfly, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated openrefine-butterfly
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jan 2025 19:33:27 +0100
Source: openrefine-butterfly
Architecture: source
Version: 1.2.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1086042
Changes:
openrefine-butterfly (1.2.6-1) unstable; urgency=medium
.
* New upstream version 1.2.6.
- Fix CVE-2024-47883. (Closes: #1086042)
* Declare compliance with Debian Policy 4.7.0.
Checksums-Sha1:
83c4fde8ea55cf547fd34efa45c03b6512baeb1d 2419 openrefine-butterfly_1.2.6-1.dsc
f6cfc1431419c2b7db7b422be41be74c2e0f77fa 324752 openrefine-butterfly_1.2.6.orig.tar.xz
31ab82ccc43df94fb725f2dcc7462536c09e2b9d 3016 openrefine-butterfly_1.2.6-1.debian.tar.xz
afad3897bc381d931d04fc98df3afe4cfd81f7bb 15107 openrefine-butterfly_1.2.6-1_amd64.buildinfo
Checksums-Sha256:
ca5b51e9fda0aa4add2df853149732b47206ee84326ce5a6991682f1c88cd9e3 2419 openrefine-butterfly_1.2.6-1.dsc
c4bf82bf64e47c7c2b20c68ae5503b75b2f1dee12240598c441b73e4eaf204aa 324752 openrefine-butterfly_1.2.6.orig.tar.xz
bdb1259acad3115997425a7e6739015796738a6a0a2bb9f173766131820f0bfd 3016 openrefine-butterfly_1.2.6-1.debian.tar.xz
8dcdaf9d7992f34ed131a642d8d210b60d25cfe91426ccdc76ff67cb53f90f17 15107 openrefine-butterfly_1.2.6-1_amd64.buildinfo
Files:
7bb50796f55dc739f6f4eff65b41c315 2419 java optional openrefine-butterfly_1.2.6-1.dsc
70316ae096835d0f16a140acf57578e7 324752 java optional openrefine-butterfly_1.2.6.orig.tar.xz
dfae6c53804dac1e40b9a5d057741e48 3016 java optional openrefine-butterfly_1.2.6-1.debian.tar.xz
11a4b6f74fe9967265f2e14d1b2db390 15107 java optional openrefine-butterfly_1.2.6-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgpZFXw0RgT6Y.pgp
Description: PGP signature
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.