OpenRefine 3.7.9 released

OpenRefine 3.7.9 was released today and it fixes a vulnerability with moderate severity (CVE-2024-23833). We encourage all users to update swiftly to the latest version. See the release notes for more details about the vulnerability.


This is a companion discussion topic for the original entry at https://openrefine.org/blog/2024/02/10/version-3-7-9

This vulnerability could really do with some more details to let users know if they are affected or not: what component is affected? Which is the commit fixing it? etc.

It's a pain to go back and try to figure out what commit actually fixes the vulnerability, especially as the commits usually have an obscure message like "Merge pull request from ".

More transparency in these situations would make OpenRefine more secure.

I agree the commit message generated by GitHub is really not ideal. It says "Merge pull request from GHSA-6p92-qfqf-qwx4" but it is not even a merge commit, as it has a single parent… It seems to have forgotten the commit message I had put in the private fork generated for the fix. Not sure if this obfuscation is intentional.

Hopefully the description at What's new | OpenRefine is helpful at least?

The original vulnerability report is also available here:

Ah nice! The release notes should link to these as well as the commit in my opinion!

Currently the release notes look almost intentionally obscured, and it doesn't help that the point releases share notes with each other as well as with the last release.

Normally CVEs are pretty easy to find, but part of the problem is that this CVE didn't get published until last night, so there was a delay between 1) announcing the release, 2) GitHub publishing the vulnerability, and 3) the CVE getting officially published.

Now that the CVE is published it would be useful to link to it to save folks the trouble of searching for it.

Tom

Has anyone had any difficulties with the 3.7.9 download? For the first time ever it's not pulled in all my previous projects when I've changed version. I'd saved all my projects in a backup file, but can't find a way to import them.
Thanks
Helen

Quick update to say that our IT team have worked out how to restore all the files from the backup, though we're not quite sure why they didn't come in to start with. But immediate issue solved!


I can see my projects, but when I open them they are unusable. This is my view! Same in Firefox and Chrome. One row visible, no data showing for that row. I can filter on a row and it comes up with the correct number, but it will never actually stop showing the 'working' popup. And although I deleted the schema that was there, it has somehow computed hundreds of thousands of errors. Completely broken (and if I go back to a previous install, the files are still borked).

Hi @DrThneed, this is likely due to the Commons extension. Could you try uninstalling it and opening your project again?

ooooh! Thank you. I'll try that.

Yep, that worked, all back to normal. Thanks Antonin!
I'm training people on Commons and OpenRefine in a couple of weeks. I won't be needing the Commons extension for it, but people are likely to ask about it. I'll advise that they should uninstall the extension for the time being, and hope the incompatibility will be able to be fixed soon?

Yes, this is probably the best advice to give at the moment. I am sorry about that, hopefully we'll be able to fix this soon!