[Git][java-team/openrefine][master] 3 commits: New upstream version 3.7.8
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sat Apr 6 21:02:18 BST 2024
Markus Koschany pushed to branch master at Debian Java Maintainers / openrefine
Commits:
d8b7345d by Markus Koschany at 2024-04-06T21:44:53+02:00
New upstream version 3.7.8
- - - - -
8fd4b027 by Markus Koschany at 2024-04-06T21:45:03+02:00
Update upstream source from tag 'upstream/3.7.8'
Update to upstream version '3.7.8'
with Debian dir a918841fe72f049d5012566ff0b6ed532759b53e
- - - - -
87602a73 by Markus Koschany at 2024-04-06T21:47:44+02:00
Update changelog
- - - - -
16 changed files:
- benchmark/pom.xml
- debian/changelog
- extensions/database/pom.xml
- extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
- extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
- extensions/gdata/pom.xml
- extensions/jython/pom.xml
- extensions/pc-axis/pom.xml
- extensions/phonetic/pom.xml
- extensions/pom.xml
- extensions/wikibase/pom.xml
- main/pom.xml
- main/src/com/google/refine/RefineServlet.java
- packaging/pom.xml
- pom.xml
- server/pom.xml
Changes:
=====================================
benchmark/pom.xml
=====================================
@@ -6,7 +6,7 @@
<parent>
<artifactId>openrefine</artifactId>
<groupId>org.openrefine</groupId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<artifactId>benchmark</artifactId>
=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+openrefine (3.7.8-1) unstable; urgency=high
+
+ * New upstream version 3.7.8
+ - Fix CVE-2024-23833: A jdbc attack vulnerability exists in OpenRefine
+ where an attacker may construct a JDBC query which may read files on
+ the host filesystem. (Closes: #1064192)
+ Thanks to Salvatore Bonaccorso for the report.
+
+ -- Markus Koschany <apo at debian.org> Sat, 06 Apr 2024 21:45:36 +0200
+
openrefine (3.7.7-1) unstable; urgency=medium
* New upstream version 3.7.7.
=====================================
extensions/database/pom.xml
=====================================
@@ -11,7 +11,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>extensions</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<build>
=====================================
extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
=====================================
@@ -67,6 +67,13 @@ public class DatabaseConfiguration {
}
public void setDatabaseHost(String databaseServer) {
+ // forbid setting settings inside the host parameter:
+ // https://dev.mysql.com/doc/connector-j/en/connector-j-reference-jdbc-url-format.html
+ if (databaseServer == null ||
+ databaseServer.contains("(") ||
+ databaseServer.contains("=")) {
+ throw new IllegalArgumentException("Invalid host supplied");
+ }
this.databaseHost = databaseServer;
}
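Review bot: The guard at the top of setDatabaseHost is a two-character denylist taken from the Connector/J host-spec syntax linked in the comment, so it stops the `(key=value)` and `key=value` forms but still lets `/`, `?`, `&`, `;`, `#`, `@` and whitespace through into the host position, whose meaning depends on which driver the configured databaseType selects and on how the URL is assembled outside this hunk. An allowlist of what a host list can legitimately contain is easier to reason about and still rejects the test's crafted input: `private static final Pattern HOST_PATTERN = Pattern.compile("^[A-Za-z0-9._:\\[\\]-]+(,[A-Za-z0-9._:\\[\\]-]+)*$");` and `if (databaseServer == null || !HOST_PATTERN.matcher(databaseServer).matches()) {` (this needs `java.util.regex.Pattern` imported, which the hunk does not show). Rejecting null also turns a setter that presumably accepted it into one that throws; if this object is populated by deserialization, a missing host now fails at bind time rather than at connection time, which callers may or may not expect. The rest of the class, including any sibling setters that should apply the same validation, lies outside this hunk.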
=====================================
extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
=====================================
@@ -1,5 +1,8 @@
package com.google.refine.extension.database;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertThrows;
+
import org.testng.annotations.Test;
import static org.testng.Assert.assertEquals;
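Review bot: The added `import static org.testng.Assert.assertEquals;` duplicates the one already present at the end of this hunk; javac tolerates an identical repeated static import, but it is noise and Checkstyle-style rules flag it. Keep only `import static org.testng.Assert.assertThrows;` in the added group, or fold both static imports into one group placed consistently with the existing `import org.testng.annotations.Test;` line.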
@@ -18,4 +21,13 @@ public class DatabaseConfigurationTest {
// the database name is escaped, preventing the exploit
assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23");
}
+
+ @Test
+ public void testSetMaliciousHost() {
+ DatabaseConfiguration config = new DatabaseConfiguration();
+ config.setDatabaseType("mysql");
+
+ assertThrows(IllegalArgumentException.class,
+ () -> config.setDatabaseHost("127.0.0.1:3306,(allowLoadLocalInfile=true,allowUrlInLocalInfile=true),127.0.0.1"));
+ }
}
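Review bot: testSetMaliciousHost only checks that one crafted host is rejected; nothing pins that an ordinary host still passes, so a tightened allowlist or a typo in the denylist could break every plain configuration without a failing test. Add a positive case such as `config.setDatabaseHost("127.0.0.1:3306");` followed by `assertEquals(config.getDatabaseHost(), "127.0.0.1:3306");`, and a second negative case that exercises the `=` branch on its own, e.g. `assertThrows(IllegalArgumentException.class, () -> config.setDatabaseHost("my.host?allowLoadLocalInfile=true"));`. The getter name is inferred from the setter; confirm it exists in DatabaseConfiguration, which is outside this hunk.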
=====================================
extensions/gdata/pom.xml
=====================================
@@ -11,7 +11,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>extensions</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<properties>
=====================================
extensions/jython/pom.xml
=====================================
@@ -5,7 +5,7 @@
<groupId>org.openrefine</groupId>
<artifactId>jython</artifactId>
<packaging>jar</packaging>
- <version>3.7.7</version>
+ <version>3.7.8</version>
<name>OpenRefine - Jython extension</name>
<description>OpenRefine integration of Python as an expression language</description>
@@ -13,7 +13,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>extensions</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<build>
=====================================
extensions/pc-axis/pom.xml
=====================================
@@ -11,7 +11,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>extensions</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<build>
=====================================
extensions/phonetic/pom.xml
=====================================
@@ -5,7 +5,7 @@
<groupId>org.openrefine</groupId>
<artifactId>phonetic</artifactId>
<packaging>jar</packaging>
- <version>3.7.7</version>
+ <version>3.7.8</version>
<name>OpenRefine - Phonetic clustering extension</name>
<description>Adds a few advanced phonetic clustering methods</description>
@@ -13,7 +13,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>extensions</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<build>
=====================================
extensions/pom.xml
=====================================
@@ -5,7 +5,7 @@
<groupId>org.openrefine</groupId>
<artifactId>extensions</artifactId>
<packaging>pom</packaging>
- <version>3.7.7</version>
+ <version>3.7.8</version>
<name>OpenRefine - extensions</name>
<description>Extensions add importers, exporters and other sorts of features to OpenRefine</description>
@@ -14,7 +14,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>openrefine</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<modules>
=====================================
extensions/wikibase/pom.xml
=====================================
@@ -11,7 +11,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>extensions</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<properties>
=====================================
main/pom.xml
=====================================
@@ -11,7 +11,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>openrefine</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<properties>
=====================================
main/src/com/google/refine/RefineServlet.java
=====================================
@@ -65,7 +65,7 @@ import edu.mit.simile.butterfly.ButterflyModule;
public class RefineServlet extends Butterfly {
- static private String ASSIGNED_VERSION = "3.7.7";
+ static private String ASSIGNED_VERSION = "3.7.8";
static public String VERSION = "";
static public String REVISION = "";
=====================================
packaging/pom.xml
=====================================
@@ -10,7 +10,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>openrefine</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<properties>
<rootdir>${basedir}/..</rootdir>
=====================================
pom.xml
=====================================
@@ -5,7 +5,7 @@
<groupId>org.openrefine</groupId>
<artifactId>openrefine</artifactId>
<packaging>pom</packaging>
- <version>3.7.7</version>
+ <version>3.7.8</version>
<name>OpenRefine</name>
<description>OpenRefine is a free, open source power tool for working with messy data and improving it</description>
=====================================
server/pom.xml
=====================================
@@ -11,7 +11,7 @@
<parent>
<groupId>org.openrefine</groupId>
<artifactId>openrefine</artifactId>
- <version>3.7.7</version>
+ <version>3.7.8</version>
</parent>
<properties>