OpenRefine 3.5.1 released
51 views
Skip to first unread message
Antonin Delpeuch (lists)
Dec 19, 2021, 6:45:38 AM12/19/21
to OpenRefine
Dear OpenRefine users,
A new version of OpenRefine, 3.5.1, is available.
The changes since 3.5.0 are as follows:
- The log4j dependency was upgraded to 2.16.0 (following the Log4Shell
vulnerability, even though OpenRefine is likely not affected by it)
- OpenRefine is now compatible with Java versions 8 to 17
https://openrefine.org/download.html
Happy refining,
Antonin
A new version of OpenRefine, 3.5.1, is available.
The changes since 3.5.0 are as follows:
- The log4j dependency was upgraded to 2.16.0 (following the Log4Shell
vulnerability, even though OpenRefine is likely not affected by it)
- OpenRefine is now compatible with Java versions 8 to 17
https://openrefine.org/download.html
Happy refining,
Antonin
Thad Guidry
Dec 19, 2021, 9:38:35 AM12/19/21
to openr...@googlegroups.com
Thanks so much for these quick fixes.
--
You received this message because you are subscribed to the Google Groups "OpenRefine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openrefine+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openrefine/8b0e2424-0a50-dd3e-2561-3cbd39f0c8d8%40antonin.delpeuch.eu.
Antoine Beaubien
Dec 19, 2021, 2:25:57 PM12/19/21
to OpenRefine
That was quick!
Thanks Antonin.
Regards, Antoine
Joe Wicentowski
Dec 19, 2021, 11:14:22 PM12/19/21
to openr...@googlegroups.com
Many thanks, Antonin! This brings great peace of mind to many users.
Cheers,
Joe
--
You received this message because you are subscribed to the Google Groups "OpenRefine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openrefine+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openrefine/8b0e2424-0a50-dd3e-2561-3cbd39f0c8d8%40antonin.delpeuch.eu.
Sent from my iPhone
Vladimir Stavrov
Dec 20, 2021, 8:48:12 AM12/20/21
to OpenRefine
Antonin, thanks!
It does not seem to be the end of story - https://www.reddit.com/r/programming/comments/rj48ol/log4j_2170_released_with_a_fix_of_dos/
But I simulated Log4shell for OpenRefine 3.5.0 on my notebooks with Windows 10 and Ubuntu 20.04,
using link https://log4shell.huntress.com/ , and looks like nothing wrong happens...
If OR is started locally, and default port 3333 is not visible/reachable from internet, there is no chance for intruder to explore
CVE-2021-45105/CVE-2021-44228/CVE-2021-45046 vulnerabilities
Kind regards,
Vladimir
воскресенье, 19 декабря 2021 г. в 14:45:38 UTC+3, Antonin Delpeuch (lists):
hervé Piedcoq
Dec 20, 2021, 1:00:28 PM12/20/21
to openr...@googlegroups.com
The problem is that starting OR on a local machine is not the only way to use it.
In my organization, we have a instance based on docker that is daily used by several users.
--
You received this message because you are subscribed to the Google Groups "OpenRefine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openrefine+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openrefine/6a99d476-fbb0-44db-a426-8a2f79caa4b6n%40googlegroups.com.
Vladimir Stavrov
Dec 21, 2021, 7:20:45 AM12/21/21
to OpenRefine
Ahh, ok, sure, OR can be used by this way too.
In this case I would think about running OR in isolated network environment, excluding access to OR port from outside users.
It would prevent not only Log4j/Log4shell issue, but any other future vulnerabilities, related to Java components, as well.
понедельник, 20 декабря 2021 г. в 21:00:28 UTC+3, hpiedcoq:
Reply all
Reply to author
Forward
0 new messages