OpenRefine 3.7.9 was released today and it fixes a vulnerability with moderate severity (CVE-2024-23833).
We encourage all users to update swiftly to the latest version.
See the release notes for more details about the vulnerability.
This is a companion discussion topic for the original entry at https://openrefine.org/blog/2024/02/10/version-3-7-9
This vulnerability could really do with some more details to let users know whether they are affected or not: what component is affected? Which is the commit fixing it? etc.
It's a pain to go back and try to figure out which commit actually fixes the vulnerability, especially as the commits usually have an obscure message like "Merge pull request from ".
More transparency in these situations would make OpenRefine more secure.
I agree the commit message generated by GitHub is really not ideal. It says "Merge pull request from GHSA-6p92-qfqf-qwx4" but it is not even a merge commit, as it has a single parent… It seems to have forgotten the commit message I had put in the private fork generated for the fix. Not sure if this obfuscation is intentional.
Hopefully the description at What's new | OpenRefine is helpful at least?
The original vulnerability report is also available here:
Ah nice! The release notes should link to these as well as the commit in my opinion!
Currently the release notes look almost intentionally obscured, and it doesn't help that the point releases share notes with each other as well as with the last release.
Normally CVEs are pretty easy to find, but part of the problem is that this CVE didn't get published until last night, so there was a delay between 1) announcing the release, 2) GitHub publishing the vulnerability, and 3) the CVE getting officially published.
Now that the CVE is published it would be useful to link to it to save folks the trouble of searching for it.
Has anyone had any difficulties with the 3.7.9 download? For the first time ever it's not pulled in all my previous projects when I've changed version. I'd saved all my projects in a backup file, but can't find a way to import them.
Quick update to say that our IT team have worked out how to restore all the files from the backup, though we're not quite sure why they didn't come in to start with. But the immediate issue is solved!