Your message dated Sat, 06 Apr 2024 20:37:30 +0000
with message-id <e1rtcn4-0047ep...@fasolo.debian.org>
and subject line Bug#1064192: fixed in openrefine 3.7.8-1
has caused the Debian Bug report #1064192,
regarding openrefine: CVE-2024-23833
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064192
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openrefine
Version: 3.7.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for openrefine.

Markus, please adjust severity if you think grave/RC severity is not
appropriate. openrefine updates were batched previously as well, just
in point releases; that might be enough here as well.

CVE-2024-23833[0]:
| OpenRefine is a free, open source power tool for working with messy
| data and improving it. A jdbc attack vulnerability exists in
| OpenRefine(version<=3.7.7) where an attacker may construct a JDBC
| query which may read files on the host filesystem. Due to the newer
| MySQL driver library in the latest version of OpenRefine (8.0.30),
| there is no associated deserialization utilization point, so
| original code execution cannot be achieved, but attackers can use
| this vulnerability to read sensitive files on the target server.
| This issue has been addressed in version 3.7.8. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23833
    https://www.cve.org/CVERecord?id=CVE-2024-23833
[1] https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4
[2] https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
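The advisory text quoted above says only that a crafted JDBC query can read files on the host running OpenRefine; it does not spell out which driver options are involved, and the upstream fix is the commit linked at [2]. As an added example, and not OpenRefine's own code, the following Python pre-check rejects a user-supplied JDBC connection URL that carries MySQL Connector/J options which let the remote database server pull files from the client host (the LOCAL INFILE family) or hand it a deserialization sink. The property list, the subprotocol allowlist, and the decode-until-stable normalisation are this example's assumptions about a conservative policy, not something the advisory prescribes; the sample URLs at the bottom are constructed.

```python
"""Added example (not OpenRefine code): reject JDBC connection URLs whose
driver properties turn a database import into a client-side file read or
a deserialization sink.  Property names are MySQL Connector/J options;
treating their mere presence as a hard failure is this example's policy,
an assumption rather than anything the advisory prescribes."""
import re
from urllib.parse import unquote

# Connector/J options that let the remote *server* pull files from the
# client host (LOCAL INFILE) or load attacker-chosen classes/objects.
DENIED_PROPERTIES = frozenset(p.lower() for p in (
    "allowLoadLocalInfile",
    "allowLoadLocalInfileInPath",
    "allowUrlInLocalInfile",
    "autoDeserialize",
    "queryInterceptors",
    "statementInterceptors",
    "exceptionInterceptors",
))

# Subprotocols a remote-database import dialog would normally offer;
# an assumption, adjust to the deployment.
DEFAULT_SUBPROTOCOLS = frozenset({"mysql", "mariadb", "postgresql"})

# key=value pairs anywhere after the scheme: covers the usual
# ?k=v&k=v query form as well as Connector/J's (k=v,k=v) and
# address=(k=v)(k=v) host forms, so a property cannot hide there.
_KV = re.compile(r"([^?&(),;=/]+)=([^?&(),;]*)")


class JdbcUrlError(ValueError):
    """Raised when a JDBC URL must not be handed to the driver."""


def _fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %61llow... or %2561llow... cannot
    slip past a literal string match.  How many rounds the real driver
    decodes is not relied upon; we simply normalise harder than it."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def split_jdbc_url(url: str) -> tuple:
    """Return (subprotocol, remainder) for 'jdbc:<sub>://<remainder>'."""
    if not url.lower().startswith("jdbc:"):
        raise JdbcUrlError("not a JDBC URL")
    sub, sep, rest = url[len("jdbc:"):].partition("://")
    if not sep or not sub:
        raise JdbcUrlError("malformed JDBC URL: missing '<subprotocol>://'")
    return sub.lower(), rest


def find_denied_properties(url: str) -> set:
    """Lower-cased names of denied driver properties found in the URL."""
    _, rest = split_jdbc_url(url)
    found = set()
    for key, _value in _KV.findall(_fully_decode(rest)):
        name = key.strip().lower()
        if name in DENIED_PROPERTIES:
            found.add(name)
    return found


def check_jdbc_url(url: str, allowed_subprotocols=DEFAULT_SUBPROTOCOLS) -> str:
    """Validate a user-supplied JDBC URL before it reaches the driver.
    Returns the URL unchanged on success, raises JdbcUrlError otherwise."""
    sub, _ = split_jdbc_url(url)
    if sub not in allowed_subprotocols:
        raise JdbcUrlError(f"subprotocol {sub!r} is not allowed")
    denied = find_denied_properties(url)
    if denied:
        raise JdbcUrlError(
            "refusing JDBC URL with file-read/deserialization options: "
            + ", ".join(sorted(denied)))
    return url


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for candidate in (
        "jdbc:postgresql://db.example:5432/refine?user=ro&ssl=true",
        "jdbc:mysql://db.example:3306/refine?user=ro&allowLoadLocalInfile=true",
        "jdbc:mysql://db.example/refine?%61llowLoadLocalInfile=true",
        "jdbc:mysql://address=(host=db.example)(autoDeserialize=true)/refine",
    ):
        try:
            print("accepted:", check_jdbc_url(candidate))
        except JdbcUrlError as exc:
            print("rejected:", exc)
```

The check is deliberately key-based rather than value-based: a property that is present but set to `false` is still refused, because the safe default is to never let an import form pass driver tuning options through at all. Host and port are not validated here; a deployment that only ever imports from known databases should pin those too, since the file read described above only needs the client to connect to a server the attacker controls.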
--- Begin Message ---
Source: openrefine
Source-Version: 3.7.8-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openrefine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated openrefine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Apr 2024 21:45:36 +0200
Source: openrefine
Architecture: source
Version: 3.7.8-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1064192
Changes:
 openrefine (3.7.8-1) unstable; urgency=high
 .
   * New upstream version 3.7.8
     - Fix CVE-2024-23833: A jdbc attack vulnerability exists in OpenRefine
       where an attacker may construct a JDBC query which may read files on
       the host filesystem. (Closes: #1064192)
       Thanks to Salvatore Bonaccorso for the report.
Checksums-Sha1:
 db1ea80492009c7f88022b910aa0d0f569fb9dc7 3613 openrefine_3.7.8-1.dsc
 13d0d733d33971054fa7871f5f7c7dd9452670a2 4288064 openrefine_3.7.8.orig.tar.xz
 b3e70722ffd02b68caf7d650281a49c1e2b3e254 309112 openrefine_3.7.8-1.debian.tar.xz
 16c43d96f6fe57d6f2bf869d9d9b528b741179a6 19133 openrefine_3.7.8-1_amd64.buildinfo
Checksums-Sha256:
 0a9fbb24aa4a25d676370fb9043bb77ef8777982d2b3222486f8759e4f5dbd9c 3613 openrefine_3.7.8-1.dsc
 7d79bc097c47d7fe1aae4f14c72a96a5a954f2423f13d5805b88e6e54fd73b36 4288064 openrefine_3.7.8.orig.tar.xz
 7b9718dc85bf8a51bb81598bef739233a11d28294f0e1d2d5fd362bcf089f9f8 309112 openrefine_3.7.8-1.debian.tar.xz
 109398ee7b162bdfa5f1f462394bdd8b2c6ea93f74edf7327c8d0e2f02b0f4c6 19133 openrefine_3.7.8-1_amd64.buildinfo
Files:
 bb8e95ddf713492ab47fc311d3b6c94e 3613 java optional openrefine_3.7.8-1.dsc
 9d8c0ccd036a61609d402d99cf6c0503 4288064 java optional openrefine_3.7.8.orig.tar.xz
 ebf7337b97b7bbceb84f48c4585eff0e 309112 java optional openrefine_3.7.8-1.debian.tar.xz
 aae95b881f31b05963a9f681a10c31d7 19133 java optional openrefine_3.7.8-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYRp4BfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk+A8QAM2kS8rEA0WFD5K0/mJnRh6uX2eWlVrIxOGc
nO1B1/5pX6hiLc8BAcbArGNpcT5boakA57ckV3Rbqm/oW2CGydC/1gEURiksanFj
Agy4dy3q9cVSIJ8Q0AlcxX7+wVroAffd8hjIEAD4t7XsCGYAVdxX6v92g2wfwpbB
E4e5WX7EnEO8g397mSog/EZXNZ7xhVQKnUapZUdi0fVyaI9CPo2DlrKuT7gaZpL6
N+jfVjh7TEuGMDWMiZ7puIW+SF82UVGvgkH6HwgqsU6v5UfswVnC1Zngh3rt0jBt
XuXhOCY6jrJCimt/UkZ5mqIF2TLJbVlTm5pkR9MEWSCUCbQ74cvidkKwHW3Yy2rj
qb8C3yel6OW5q3ua86TD6oZlcgalahyE48oP6GIdlZuAnN6Bsa6dzX/G6BLHNfow
EL1VoZFvK+nKTJm+ZrG3z1WVTXDYK8rkMOMDj7uXv6JqdiARp/lzxpskstui2Xoe
AkT+OdiSa5Mqx8huNmgG/v5RF6oJZCbmP6eT2RXkMKN4iajtvt5tlU/P6bnP1GKY
Z+Zr7mPZQCAQuUntdxhFRGJv1PngoOk8efBCrj/kQXLrMLiG/d/CxOHYupu2vkx1
ufYBDr+V/5S9Sv14nRltzgUG4GXHT69i0J86Bsr6IW55nGnN1DKyiIDM8WDC+a7u
whNLBy1N
=dl8/
-----END PGP SIGNATURE-----



--- End Message ---