openrefine - Debian Package Tracker

general

source: openrefine (main)
version: 3.7.8-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Markus Koschany [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 3.6.2-2~bpo11+2
stable: 3.6.2-2+deb12u2
testing: 3.7.8-1
unstable: 3.7.8-1

versioned links

3.6.2-2~bpo11+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.2-2+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

openrefine

action needed

Marked for autoremoval on 23 November due to openrefine-butterfly: #1086041, #1086042 high

Version 3.7.8-1 of openrefine is marked for autoremoval from testing on Sat 23 Nov 2024. It is affected by #1086041. It depends (transitively) on openrefine-butterfly, affected by #1086042. You should try to prevent the removal by fixing these RC bugs.

Created: 2024-11-01 Last update: 2024-11-21 09:33

A new upstream version is available: 3.8.6 high

A new upstream version 3.8.6 is available, you should consider packaging it.

Created: 2024-02-13 Last update: 2024-11-21 07:31

7 security issues in bookworm high

There are 7 open security issues in bookworm.

6 important issues:

CVE-2024-47878: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.
CVE-2024-47879: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
CVE-2024-47880: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.
CVE-2024-47881: OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
CVE-2024-47882: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.
CVE-2024-49760: OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.

1 issue left for the package maintainer to handle:

CVE-2024-23833: (needs triaging) OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-02-14 Last update: 2024-10-25 15:01

6 security issues in trixie high

There are 6 open security issues in trixie.

6 important issues:

CVE-2024-47878: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.
CVE-2024-47879: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
CVE-2024-47880: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.
CVE-2024-47881: OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
CVE-2024-47882: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.
CVE-2024-49760: OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.

Created: 2024-10-25 Last update: 2024-10-25 15:01

6 security issues in sid high

There are 6 open security issues in sid.

6 important issues:

CVE-2024-47878: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.
CVE-2024-47879: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
CVE-2024-47880: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.
CVE-2024-47881: OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
CVE-2024-47882: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.
CVE-2024-49760: OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.

Created: 2024-10-25 Last update: 2024-10-25 15:01

lintian reports 6 warnings normal

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-04-07 Last update: 2024-04-07 14:11

AppStream hints: 1 warning normal

AppStream found metadata issues for packages:

openrefine: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2022-02-21 Last update: 2022-02-21 05:33

debian/patches: 4 patches to forward upstream low

Among the 4 debian patches available in version 3.7.8-1 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-04-07 08:36

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.6.2).

Created: 2024-04-07 Last update: 2024-04-07 13:15

news

[rss feed]

[2024-04-12] openrefine 3.7.8-1 MIGRATED to testing (Debian testing watch)
[2024-04-06] Accepted openrefine 3.7.8-1 (source) into unstable (Markus Koschany)
[2024-03-19] openrefine REMOVED from testing (Debian testing watch)
[2023-12-08] openrefine 3.7.7-1 MIGRATED to testing (Debian testing watch)
[2023-12-03] Accepted openrefine 3.7.7-1 (source) into unstable (Markus Koschany)
[2023-12-03] openrefine REMOVED from testing (Debian testing watch)
[2023-10-23] openrefine 3.7.6-1 MIGRATED to testing (Debian testing watch)
[2023-10-17] Accepted openrefine 3.7.6-1 (source) into unstable (Markus Koschany)
[2023-10-09] Accepted openrefine 3.6.2-2~bpo11+2 (source) into bullseye-backports (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-07] Accepted openrefine 3.6.2-2+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-10-02] Accepted openrefine 3.6.2-2~bpo11+1 (source) into bullseye-backports (Debian FTP Masters) (signed by: Markus Koschany)
[2023-09-20] openrefine 3.7.5-1 MIGRATED to testing (Debian testing watch)
[2023-09-15] Accepted openrefine 3.7.5-1 (source) into unstable (Markus Koschany)
[2023-09-13] openrefine 3.7.4-1 MIGRATED to testing (Debian testing watch)
[2023-09-09] Accepted openrefine 3.6.2-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-09-08] Accepted openrefine 3.7.4-1 (source) into unstable (Markus Koschany)
[2023-08-23] openrefine 3.6.2-3 MIGRATED to testing (Debian testing watch)
[2023-08-18] Accepted openrefine 3.6.2-3 (source) into unstable (Markus Koschany)
[2023-04-26] openrefine 3.6.2-2 MIGRATED to testing (Debian testing watch)
[2023-04-05] Accepted openrefine 3.6.2-2 (source) into unstable (Markus Koschany)
[2023-02-14] Accepted openrefine 3.6.2-1 (source) into unstable (Markus Koschany)
[2023-01-15] openrefine 3.6.1-1 MIGRATED to testing (Debian testing watch)
[2022-12-08] openrefine REMOVED from testing (Debian testing watch)
[2022-10-05] openrefine 3.6.1-1 MIGRATED to testing (Debian testing watch)
[2022-09-29] Accepted openrefine 3.6.1-1 (source) into unstable (Markus Koschany)
[2022-09-29] openrefine 3.5.2-2 MIGRATED to testing (Debian testing watch)
[2022-09-19] openrefine REMOVED from testing (Debian testing watch)
[2022-03-13] openrefine 3.5.2-2 MIGRATED to testing (Debian testing watch)
[2022-03-08] Accepted openrefine 3.5.2-2 (source) into unstable (Markus Koschany)
[2022-03-07] Accepted openrefine 3.5.2-1~bpo11+1 (source all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Markus Koschany)

bugs [bug history graph]

all: 3
RC: 1
I&N: 0
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 6)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.7.8-1