openrefine - Debian Package Tracker

general

source: openrefine (main)
version: 3.8.7-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Markus Koschany [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 3.6.2-2~bpo11+2
stable: 3.6.2-2+deb12u2
testing: 3.8.7-1
unstable: 3.8.7-1
exp: 3.9.3-1

versioned links

3.6.2-2~bpo11+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.2-2+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.8.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.9.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

openrefine (2 bugs: 0, 2, 0, 0)

action needed

A new upstream version is available: 3.9.3 high

A new upstream version 3.9.3 is available, you should consider packaging it.

Created: 2025-01-19 Last update: 2025-05-30 07:33

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2025-05-25 Last update: 2025-05-26 04:34

lintian reports 673 warnings normal

Lintian reports 673 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-01-04 Last update: 2025-01-04 04:00

AppStream hints: 1 warning normal

AppStream found metadata issues for packages:

openrefine: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2022-02-21 Last update: 2022-02-21 05:33

7 low-priority security issues in bookworm low

There are 7 open security issues in bookworm.

7 issues left for the package maintainer to handle:

CVE-2024-23833: (needs triaging) OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-47878: (needs triaging) OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.
CVE-2024-47879: (needs triaging) OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
CVE-2024-47880: (needs triaging) OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.
CVE-2024-47881: (needs triaging) OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
CVE-2024-47882: (needs triaging) OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.
CVE-2024-49760: (needs triaging) OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-14 Last update: 2025-02-27 05:02

debian/patches: 5 patches to forward upstream low

Among the 5 debian patches available in version 3.8.7-1 of the package, we noticed the following issues:

5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-01-04 10:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-05-25] Accepted openrefine 3.9.3-1 (source) into experimental (Markus Koschany)
[2025-01-09] openrefine 3.8.7-1 MIGRATED to testing (Debian testing watch)
[2025-01-03] Accepted openrefine 3.8.7-1 (source) into unstable (Markus Koschany)
[2024-11-25] openrefine REMOVED from testing (Debian testing watch)
[2024-04-12] openrefine 3.7.8-1 MIGRATED to testing (Debian testing watch)
[2024-04-06] Accepted openrefine 3.7.8-1 (source) into unstable (Markus Koschany)
[2024-03-19] openrefine REMOVED from testing (Debian testing watch)
[2023-12-08] openrefine 3.7.7-1 MIGRATED to testing (Debian testing watch)
[2023-12-03] Accepted openrefine 3.7.7-1 (source) into unstable (Markus Koschany)
[2023-12-03] openrefine REMOVED from testing (Debian testing watch)
[2023-10-23] openrefine 3.7.6-1 MIGRATED to testing (Debian testing watch)
[2023-10-17] Accepted openrefine 3.7.6-1 (source) into unstable (Markus Koschany)
[2023-10-09] Accepted openrefine 3.6.2-2~bpo11+2 (source) into bullseye-backports (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-07] Accepted openrefine 3.6.2-2+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-02] Accepted openrefine 3.6.2-2~bpo11+1 (source) into bullseye-backports (Debian FTP Masters) (signed by: Markus Koschany)
[2023-09-20] openrefine 3.7.5-1 MIGRATED to testing (Debian testing watch)
[2023-09-15] Accepted openrefine 3.7.5-1 (source) into unstable (Markus Koschany)
[2023-09-13] openrefine 3.7.4-1 MIGRATED to testing (Debian testing watch)
[2023-09-09] Accepted openrefine 3.6.2-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-09-08] Accepted openrefine 3.7.4-1 (source) into unstable (Markus Koschany)
[2023-08-23] openrefine 3.6.2-3 MIGRATED to testing (Debian testing watch)
[2023-08-18] Accepted openrefine 3.6.2-3 (source) into unstable (Markus Koschany)
[2023-04-26] openrefine 3.6.2-2 MIGRATED to testing (Debian testing watch)
[2023-04-05] Accepted openrefine 3.6.2-2 (source) into unstable (Markus Koschany)
[2023-02-14] Accepted openrefine 3.6.2-1 (source) into unstable (Markus Koschany)
[2023-01-15] openrefine 3.6.1-1 MIGRATED to testing (Debian testing watch)
[2022-12-08] openrefine REMOVED from testing (Debian testing watch)
[2022-10-05] openrefine 3.6.1-1 MIGRATED to testing (Debian testing watch)
[2022-09-29] Accepted openrefine 3.6.1-1 (source) into unstable (Markus Koschany)
[2022-09-29] openrefine 3.5.2-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 4
RC: 0
I&N: 2
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 673)
buildd: logs, exp, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.8.7-1