Your message dated Fri, 03 Jan 2025 15:41:12 +0000
with message-id <[email protected]>
and subject line Bug#1086041: fixed in openrefine 3.8.7-1
has caused the Debian Bug report #1086041,
regarding openrefine: CVE-2024-49760 CVE-2024-47882 CVE-2024-47881 CVE-2024-47880 CVE-2024-47879 CVE-2024-47878
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1086041: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086041
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openrefine
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openrefine.
CVE-2024-49760[0]:
| OpenRefine is a free, open source tool for working with messy data.
| The load-language command expects a `lang` parameter from which it
| constructs the path of the localization file to load, of the form
| `translations-$LANG.json`. But when doing so in versions prior to
| 3.8.3, it does not check that the resulting path is in the expected
| directory, which means that this command could be exploited to read
| other JSON files on the file system. Version 3.8.3 addresses this
| issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4
https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c
CVE-2024-47882[1]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the built-in "Something went wrong!" error
| page includes the exception message and exception traceback without
| escaping HTML tags, enabling injection into the page if an attacker
| can reliably produce an error with an attacker-influenced message.
| It appears that the only way to reach this code in OpenRefine itself
| is for an attacker to somehow convince a victim to import a
| malicious file, which may be difficult. However, out-of-tree
| extensions may add their own calls to `respondWithErrorPage`.
| Version 3.8.3 has a fix for this issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g
https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2
CVE-2024-47881[2]:
| OpenRefine is a free, open source tool for working with messy data.
| Starting in version 3.4-beta and prior to version 3.8.3, in the
| `database` extension, the "enable_load_extension" property can be
| set for the SQLite integration, enabling an attacker to load (local
| or remote) extension DLLs and so run arbitrary code on the server.
| The attacker needs to have network access to the OpenRefine
| instance. Version 3.8.3 fixes this issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
CVE-2024-47880[3]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `export-rows` command can be used in
| such a way that it reflects part of the request verbatim, with a
| Content-Type header also taken from the request. An attacker could
| lead a user to a malicious page that submits a form POST that
| contains embedded JavaScript code. This code would then be included
| in the response, along with an attacker-controlled `Content-Type`
| header, and so potentially executed in the victim's browser as if it
| was part of OpenRefine. The attacker-provided code can do anything
| the user can do, including deleting projects, retrieving database
| passwords, or executing arbitrary Jython or Closure expressions, if
| those extensions are also present. The attacker must know a valid
| project ID of a project that contains at least one row. Version
| 3.8.3 fixes the issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f
https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d
CVE-2024-47879[4]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, lack of cross-site request forgery
| protection on the `preview-expression` command means that visiting a
| malicious website could cause an attacker-controlled expression to
| be executed. The expression can contain arbitrary Clojure or Python
| code. The attacker must know a valid project ID of a project that
| contains at least one row, and the attacker must convince the victim
| to open a malicious webpage. Version 3.8.3 fixes the issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3
https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126
CVE-2024-47878[5]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint
| includes the `state` GET parameter verbatim in a `<script>` tag in
| the output, so without escaping. An attacker could lead or redirect
| a user to a crafted URL containing JavaScript code, which would then
| cause that code to be executed in the victim's browser as if it was
| part of OpenRefine. Version 3.8.3 fixes this issue.
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3
https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-49760
https://www.cve.org/CVERecord?id=CVE-2024-49760
[1] https://security-tracker.debian.org/tracker/CVE-2024-47882
https://www.cve.org/CVERecord?id=CVE-2024-47882
[2] https://security-tracker.debian.org/tracker/CVE-2024-47881
https://www.cve.org/CVERecord?id=CVE-2024-47881
[3] https://security-tracker.debian.org/tracker/CVE-2024-47880
https://www.cve.org/CVERecord?id=CVE-2024-47880
[4] https://security-tracker.debian.org/tracker/CVE-2024-47879
https://www.cve.org/CVERecord?id=CVE-2024-47879
[5] https://security-tracker.debian.org/tracker/CVE-2024-47878
https://www.cve.org/CVERecord?id=CVE-2024-47878
Please adjust the affected versions in the BTS as needed.
--- End Message ---
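The first advisory above (CVE-2024-49760) describes a file name built as `translations-$LANG.json` from a request parameter with no check that the result stays inside the localization directory. The following is an added example, not OpenRefine's own code, showing the unchecked construction beside a hardened version that allowlists the language tag and verifies containment after path normalisation; the directory `/srv/openrefine/i18n` and the function names are assumptions for illustration.

```python
import os
import re

# Constructed placeholder; OpenRefine's real layout is not described in the advisory.
I18N_DIR = "/srv/openrefine/i18n"

# Allowlist of plausible language tags: "en", "pt-BR", "zh_Hant", ...
# Anything containing "/", "." or "\" fails this before a path is ever built.
LANG_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*")


def unsafe_translation_path(lang: str) -> str:
    """The pattern the advisory describes: interpolate the parameter and load."""
    return os.path.join(I18N_DIR, f"translations-{lang}.json")


def escapes_i18n_dir(path: str) -> bool:
    """True if the normalised path lands outside I18N_DIR.

    realpath() collapses '..' segments and symlinks; commonpath() compares
    whole components, so a sibling such as /srv/openrefine/i18n-old does not
    pass the way a naive string-prefix check would let it.
    """
    base = os.path.realpath(I18N_DIR)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def safe_translation_path(lang: str) -> str:
    """Hardened version: reject bad tags, then verify containment anyway."""
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"rejected language tag: {lang!r}")
    candidate = os.path.join(I18N_DIR, f"translations-{lang}.json")
    # Defence in depth: even if the allowlist were loosened later, the
    # resolved file must still sit under the localization directory.
    if escapes_i18n_dir(candidate):
        raise ValueError("localization path escapes the i18n directory")
    return os.path.realpath(candidate)


def is_accepted(lang: str) -> bool:
    """Convenience wrapper: does the hardened check accept this tag?"""
    try:
        safe_translation_path(lang)
        return True
    except ValueError:
        return False
```

The containment check works on normalised paths only, so it must run after `realpath()` and not on the raw string the request supplied.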
--- Begin Message ---
Source: openrefine
Source-Version: 3.8.7-1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openrefine, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated openrefine package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 02 Jan 2025 18:55:19 +0100
Source: openrefine
Architecture: source
Version: 3.8.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1086041
Changes:
openrefine (3.8.7-1) unstable; urgency=medium
.
* New upstream version 3.8.7.
- Fix CVE-2024-49760, CVE-2024-47882, CVE-2024-47881, CVE-2024-47880,
CVE-2024-47879 and CVE-2024-47878. (Closes: #1086041)
* Refresh the patches.
* Add new maven plugins to maven.ignore rules.
* Add jetty9.patch and revert back to Debian's Jetty9 version. We will upgrade
to Jetty12 in the near future.
* Declare compliance with Debian Policy 4.7.0.
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.