Version in base suite: 3.6.2-2+deb12u2

Base version: openrefine_3.6.2-2+deb12u2
Target version: openrefine_3.6.2-2+deb12u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openrefine/openrefine_3.6.2-2+deb12u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openrefine/openrefine_3.6.2-2+deb12u3.dsc

 changelog                     |   10 ++
 patches/CVE-2024-23833.patch  |   56 ++++++++++++
 patches/CVE-2024-47878.patch  |  156 ++++++++++++++++++++++++++++++++++++
 patches/CVE-2024-47880.patch  |   40 +++++++++
 patches/CVE-2024-47881.patch  |  181 ++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2024-47882.patch  |   33 +++++++
 patches/CVE-2024-49760.patch  |   54 ++++++++++++
 patches/build.patch           |    2 
 patches/gdata-extension.patch |    2 
 patches/log4j-api.patch       |    2 
 patches/no-java-files.patch   |    4 
 patches/series                |    6 +
 12 files changed, 541 insertions(+), 5 deletions(-)

diff -Nru openrefine-3.6.2/debian/changelog openrefine-3.6.2/debian/changelog
--- openrefine-3.6.2/debian/changelog	2023-10-04 13:02:45.000000000 +0000
+++ openrefine-3.6.2/debian/changelog	2025-09-27 22:52:50.000000000 +0000
@@ -1,3 +1,13 @@
+openrefine (3.6.2-2+deb12u3) bookworm; urgency=medium
+
+  * Fix CVE-2024-23833, CVE-2024-47878, CVE-2024-47880, CVE-2024-47881,
+    CVE-2024-47882 and CVE-2024-49760.
+    OpenRefine is a free, open source tool for data processing. Users could be
+    tricked into opening malicious websites which then enabled attackers to run
+    arbitrary code on the server due to improper escaping or code restrictions.
+
+ -- Markus Koschany <apo@debian.org>  Sun, 28 Sep 2025 00:52:50 +0200
+
 openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
 
   * Fix CVE-2023-41887 and CVE-2023-41886:
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-23833.patch openrefine-3.6.2/debian/patches/CVE-2024-23833.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-23833.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-23833.patch	2025-09-27 22:52:50.000000000 +0000
@@ -0,0 +1,56 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Sep 2025 15:13:00 +0200
+Subject: CVE-2024-23833
+
+Origin: https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a
+Debian-Bug: https://bugs.debian.org/1064192
+---
+ .../refine/extension/database/DatabaseConfiguration.java     |  7 +++++++
+ .../refine/extension/database/DatabaseConfigurationTest.java | 12 ++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+index 3f0dd57..579ee00 100644
+--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
++++ b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+@@ -68,6 +68,13 @@ public class DatabaseConfiguration {
+     }
+     
+     public void setDatabaseHost(String databaseServer) {
++        // forbid setting settings inside the host parameter:
++        // https://dev.mysql.com/doc/connector-j/en/connector-j-reference-jdbc-url-format.html
++        if (databaseServer == null ||
++                databaseServer.contains("(") ||
++                databaseServer.contains("=")) {
++            throw new IllegalArgumentException("Invalid host supplied");
++        }
+         this.databaseHost = databaseServer;
+     }
+     
+diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+index 5a571e8..928aeac 100644
+--- a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
++++ b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+@@ -1,5 +1,8 @@
+ package com.google.refine.extension.database;
+ 
++import static org.testng.Assert.assertEquals;
++import static org.testng.Assert.assertThrows;
++
+ import org.testng.annotations.Test;
+ 
+ import static org.testng.Assert.assertEquals;
+@@ -18,4 +21,13 @@ public class DatabaseConfigurationTest {
+         // the database name is escaped, preventing the exploit
+         assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23");
+     }
++
++    @Test
++    public void testSetMaliciousHost() {
++        DatabaseConfiguration config = new DatabaseConfiguration();
++        config.setDatabaseType("mysql");
++
++        assertThrows(IllegalArgumentException.class,
++                () -> config.setDatabaseHost("127.0.0.1:3306,(allowLoadLocalInfile=true,allowUrlInLocalInfile=true),127.0.0.1"));
++    }
+ }
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47878.patch openrefine-3.6.2/debian/patches/CVE-2024-47878.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-47878.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-47878.patch	2025-09-27 22:52:50.000000000 +0000
@@ -0,0 +1,156 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Sep 2025 15:15:58 +0200
+Subject: CVE-2024-47878
+
+Origin: https://github.com/OpenRefine/OpenRefine/commit/37b375478eca41b8948b104bf6790ebf659a88cb
+Bug-Debian: https://bugs.debian.org/1086041
+---
+ extensions/gdata/module/MOD-INF/controller.js      | 21 +-----
+ extensions/gdata/module/authorized.vt              |  6 +-
+ .../refine/extension/gdata/AuthorizedCommand.java  | 88 ++++++++++++++++++++++
+ 3 files changed, 94 insertions(+), 21 deletions(-)
+ create mode 100644 extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java
+
+diff --git a/extensions/gdata/module/MOD-INF/controller.js b/extensions/gdata/module/MOD-INF/controller.js
+index fc6ff96..549c6be 100644
+--- a/extensions/gdata/module/MOD-INF/controller.js
++++ b/extensions/gdata/module/MOD-INF/controller.js
+@@ -101,23 +101,10 @@ function process(path, request, response) {
+     
+     send(request, response, "authorize.vt", context);
+   } else if (path == "authorized") {
+-    var context = {};
+-    context.state = request.getParameter("state");
+-    
+-    (function() {
+-      if (Packages.com.google.refine.extension.gdata.TokenCookie.getToken(request) !== null) {
+-          return;
+-      }
+-      var tokenAndExpiresInSeconds =  Packages.com.google.refine.extension.gdata.GoogleAPIExtension.getTokenFromCode(module,request);
+-      if (tokenAndExpiresInSeconds) {
+-        var tokenInfo = tokenAndExpiresInSeconds.split(",");
+-        Packages.com.google.refine.extension.gdata.TokenCookie.setToken(request, response, tokenInfo[0], tokenInfo[1]);
+-        return;
+-      }
+-      Packages.com.google.refine.extension.gdata.TokenCookie.deleteToken(request, response);
+-    })();
+-    
+-    send(request, response, "authorized.vt", context);
++    // it's a command but we handle it manually here, so as to preserve the URL
++    var command = new Packages.com.google.refine.extension.gdata.AuthorizedCommand(module);
++    command.doGet(request, response);
++    butterfly.responded();
+   } else if (path == "/" || path == "") {
+       var context = {};
+       context.version = version;
+diff --git a/extensions/gdata/module/authorized.vt b/extensions/gdata/module/authorized.vt
+index 67ed3f5..3c16371 100644
+--- a/extensions/gdata/module/authorized.vt
++++ b/extensions/gdata/module/authorized.vt
+@@ -40,10 +40,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+   <span id="gdata-authorized"></span>
+   
+   <script>
+-    var state = JSON.parse(window.atob("$state"));
+-    
+-    var windowName = state.winname;
+-    var callbackName = state.cb;
++    var windowName = "$winname";
++    var callbackName = "$cb";
+     
+     var w = window.open("", windowName);
+     var callback = w[callbackName];
+diff --git a/extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java b/extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java
+new file mode 100644
+index 0000000..b3dbb4b
+--- /dev/null
++++ b/extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java
+@@ -0,0 +1,88 @@
++
++package com.google.refine.extension.gdata;
++
++import java.io.IOException;
++import java.util.Base64;
++import java.util.regex.Pattern;
++
++import javax.servlet.ServletException;
++import javax.servlet.http.HttpServletRequest;
++import javax.servlet.http.HttpServletResponse;
++
++import com.fasterxml.jackson.databind.JsonNode;
++import com.fasterxml.jackson.databind.node.ObjectNode;
++import edu.mit.simile.butterfly.ButterflyModule;
++import org.apache.velocity.VelocityContext;
++
++import com.google.refine.commands.Command;
++import com.google.refine.util.ParsingUtilities;
++
++public class AuthorizedCommand extends Command {
++
++    Pattern callbackPattern = Pattern.compile("^cb[0-9]+$");
++    Pattern winnamePattern = Pattern.compile("^openrefine[0-9]+$");
++
++    ButterflyModule module;
++
++    public AuthorizedCommand(ButterflyModule module) {
++        this.module = module;
++    }
++
++    @Override
++    public void doGet(HttpServletRequest request, HttpServletResponse response)
++            throws ServletException, IOException {
++        VelocityContext velocityContext = new VelocityContext();
++        String state = request.getParameter("state");
++        if (state == null) {
++            respond(response, "error", "No 'state' parameter provided");
++            return;
++        }
++        try {
++            byte[] decoded = Base64.getDecoder().decode(state);
++            JsonNode parsed = ParsingUtilities.mapper.readTree(decoded);
++            if (parsed instanceof ObjectNode && parsed.has("winname") && parsed.has("cb")) {
++                ObjectNode object = (ObjectNode) parsed;
++                String cb = object.get("cb").asText();
++                String winname = object.get("winname").asText();
++                if (!winnamePattern.matcher(winname).find()) {
++                    respond(response, "error", "Invalid winname provided");
++                    return;
++                }
++                if (!callbackPattern.matcher(cb).find()) {
++                    respond(response, "error", "Invalid callback provided");
++                    return;
++                }
++                velocityContext.internalPut("winname", winname);
++                velocityContext.internalPut("cb", cb);
++
++            } else {
++                throw new IllegalArgumentException("expected a JSON object");
++            }
++        } catch (IllegalArgumentException | IOException e) {
++            respond(response, "error", "Invalid 'state' parameter provided");
++            return;
++        }
++
++        updateToken(request, response);
++
++        try {
++            module.sendTextFromTemplate(request, response, velocityContext, "authorized.vt", "UTF-8", "text/html", false);
++        } catch (Exception e) {
++            respondException(response, e);
++        }
++    }
++
++    private void updateToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
++        if (TokenCookie.getToken(request) != null) {
++            return;
++        }
++        var tokenAndExpiresInSeconds = GoogleAPIExtension.getTokenFromCode(module, request);
++        if (tokenAndExpiresInSeconds != null) {
++            var tokenInfo = tokenAndExpiresInSeconds.split(",");
++            TokenCookie.setToken(request, response, tokenInfo[0], tokenInfo[1]);
++            return;
++        }
++        TokenCookie.deleteToken(request, response);
++    }
++
++}
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47880.patch openrefine-3.6.2/debian/patches/CVE-2024-47880.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-47880.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-47880.patch	2025-09-27 22:52:50.000000000 +0000
@@ -0,0 +1,40 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Sep 2025 15:27:12 +0200
+Subject: CVE-2024-47880
+
+Origin: https://github.com/OpenRefine/OpenRefine/commit/fbf94fe3f001d6e2aa02e890930cf1affb0847b0
+Bug-Debian: https://bugs.debian.org/1086041
+---
+ .../google/refine/commands/project/ExportRowsCommand.java    | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/main/src/com/google/refine/commands/project/ExportRowsCommand.java b/main/src/com/google/refine/commands/project/ExportRowsCommand.java
+index 1912078..78d1f13 100644
+--- a/main/src/com/google/refine/commands/project/ExportRowsCommand.java
++++ b/main/src/com/google/refine/commands/project/ExportRowsCommand.java
+@@ -64,7 +64,8 @@ public class ExportRowsCommand extends Command {
+     private  static final Logger logger = LoggerFactory.getLogger("ExportRowsCommand");
+     
+ 	/**
+-	 * This command uses POST but is left CSRF-unprotected as it does not incur a state change.
++	 * This command uses POST but is left CSRF-unprotected as it does not incur a state change. TODO: add CSRF
++	 * protection anyway, as it does not cost much and could still have prevented an XSS vulnerability
+ 	 */
+ 
+     @SuppressWarnings("unchecked")
+@@ -96,11 +97,10 @@ public class ExportRowsCommand extends Command {
+                 exporter = new CsvExporter('\t');
+             }
+             
+-            String contentType = params.getProperty("contentType");
+-            if (contentType == null) {
+-                contentType = exporter.getContentType();
+-            }
+-            response.setHeader("Content-Type", contentType);
++
++            response.setHeader("Content-Type", exporter.getContentType());
++            // in case the content-type is text/html, to avoid XSS attacks
++            response.setHeader("Content-Security-Policy", "script-src 'none'; connect-src 'none'");
+ 
+             String preview = params.getProperty("preview");
+             if (!"true".equals(preview)) {
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47881.patch openrefine-3.6.2/debian/patches/CVE-2024-47881.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-47881.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-47881.patch	2025-09-27 22:52:50.000000000 +0000
@@ -0,0 +1,181 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Sep 2025 15:59:27 +0200
+Subject: CVE-2024-47881
+
+Origin: https://github.com/OpenRefine/OpenRefine/commit/8a5cced755f9d4544cfc9fd1b9dc9274807b5020
+Bug-Debian: https://bugs.debian.org/1086041
+---
+ .../database/sqlite/SQLiteConnectionManager.java   | 16 ++++++++-
+ extensions/database/tests/conf/tests.xml           |  2 +-
+ .../extension/database/DBExtensionTests.java       |  2 +-
+ .../sqlite/SQLiteConnectionManagerTest.java        | 10 ------
+ .../database/sqlite/SQLiteDatabaseServiceTest.java | 42 +++++++++++++++-------
+ 5 files changed, 47 insertions(+), 25 deletions(-)
+
+diff --git a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
+index 7d42e00..0def4d2 100644
+--- a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
+@@ -35,6 +35,7 @@ import com.google.refine.extension.database.SQLType;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
++import java.io.File;
+ import java.net.URI;
+ import java.net.URISyntaxException;
+ import java.sql.Connection;
+@@ -68,8 +69,21 @@ public class SQLiteConnectionManager {
+     }
+ 
+     public static String getDatabaseUrl(DatabaseConfiguration dbConfig) {
++        String dbPath = dbConfig.getDatabaseName();
++        if (dbPath.contains("?")) {
++            throw new IllegalArgumentException("Paths to SQLite databases are not allowed to contain '?'");
++        }
++        if (dbPath.startsWith("//") || dbPath.startsWith("\\\\") || dbPath.startsWith("\\/") || dbPath.startsWith("/\\")) {
++            throw new IllegalArgumentException("File path starts with illegal prefix; only local files are accepted.");
++        }
++        if (!new File(dbPath).isFile()) {
++            throw new IllegalArgumentException("File could not be read: " + dbPath);
++        }
+         try {
+-            URI uri = new URI("jdbc:" + dbConfig.getDatabaseType().toLowerCase(), dbConfig.getDatabaseName(), null);
++            URI uri = new URI(
++                    "jdbc:" + dbConfig.getDatabaseType().toLowerCase(),
++                    dbPath + "?open_mode=1&limit_attached=0", // open_mode=1 means read-only
++                    null);
+             return uri.toASCIIString();
+         } catch (URISyntaxException e) {
+             throw new IllegalArgumentException(e);
+diff --git a/extensions/database/tests/conf/tests.xml b/extensions/database/tests/conf/tests.xml
+index 7885174..a0910c9 100644
+--- a/extensions/database/tests/conf/tests.xml
++++ b/extensions/database/tests/conf/tests.xml
+@@ -29,7 +29,7 @@
+     <parameter name = "mariadbDbPassword" value=""/>
+     <parameter name = "mariadbTestTable" value="test_table"/>
+ 
+-    <parameter name = "sqliteDbName" value="extension_test_db.sqlite"/>
++    <parameter name = "sqliteDbName" value="tests/resources/test_db.sqlite"/>
+     <parameter name = "sqliteDbHost" value=""/>
+     <parameter name = "sqliteDbPort" value=""/>
+     <parameter name = "sqliteDbUser" value=""/>
+diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java b/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java
+index bd1d0bc..a98f55a 100644
+--- a/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java
++++ b/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java
+@@ -61,7 +61,7 @@ public class DBExtensionTests {
+     protected final String DEFAULT_MARIADB_NAME = "testdb";
+ 
+     protected final String SQLITE_DB_NAME = "sqlite";
+-    protected final String DEFAULT_SQLITE_DB_NAME = "extension_test_db.sqlite";
++    protected final String DEFAULT_SQLITE_DB_NAME = "tests/resources/test_db.sqlite";
+ 
+     protected final String DEFAULT_TEST_TABLE = "test_data";
+ 
+diff --git a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java
+index 2daf059..5afcdcb 100644
+--- a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java
++++ b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java
+@@ -37,7 +37,6 @@ import org.mockito.MockitoAnnotations;
+ import org.testng.Assert;
+ import org.testng.annotations.*;
+ 
+-import java.io.File;
+ import java.sql.Connection;
+ import java.sql.SQLException;
+ 
+@@ -61,15 +60,6 @@ public class SQLiteConnectionManagerTest extends DBExtensionTests {
+         DatabaseService.DBType.registerDatabase(SQLiteDatabaseService.DB_NAME, SQLiteDatabaseService.getInstance());
+     }
+ 
+-    @AfterTest
+-    @Parameters({ "sqliteDbName" })
+-    public void afterTest(@Optional(DEFAULT_SQLITE_DB_NAME) String sqliteDbName) {
+-        File f = new File(sqliteDbName);
+-        if (f.exists()) {
+-            f.delete();
+-        }
+-    }
+-
+     @Test
+     public void testTestConnection() throws DatabaseServiceException {
+         boolean isConnected = SQLiteConnectionManager.getInstance().testConnection(testDbConfig);
+diff --git a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java
+index c29cc82..cd6f244 100644
+--- a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java
++++ b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java
+@@ -37,7 +37,6 @@ import org.mockito.MockitoAnnotations;
+ import org.testng.Assert;
+ import org.testng.annotations.*;
+ 
+-import java.io.File;
+ import java.sql.Connection;
+ import java.sql.SQLException;
+ import java.util.List;
+@@ -60,20 +59,10 @@ public class SQLiteDatabaseServiceTest extends DBExtensionTests {
+         testDbConfig.setDatabaseType(SQLiteDatabaseService.DB_NAME);
+ 
+         testTable = sqliteTestTable;
+-        DBExtensionTestUtils.initTestData(testDbConfig, sqliteTestTable);
+ 
+         DatabaseService.DBType.registerDatabase(SQLiteDatabaseService.DB_NAME, SQLiteDatabaseService.getInstance());
+     }
+ 
+-    @AfterTest
+-    @Parameters({ "sqliteDbName" })
+-    public void afterTest(@Optional(DEFAULT_SQLITE_DB_NAME) String sqliteDbName) {
+-        File f = new File(sqliteDbName);
+-        if (f.exists()) {
+-            f.delete();
+-        }
+-    }
+-
+     @Test
+     public void testGetDatabaseUrl() {
+         SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService
+@@ -81,7 +70,7 @@ public class SQLiteDatabaseServiceTest extends DBExtensionTests {
+         String dbUrl = sqLiteDatabaseService.getDatabaseUrl(testDbConfig);
+ 
+         Assert.assertNotNull(dbUrl);
+-        Assert.assertEquals(dbUrl, "jdbc:sqlite:extension_test_db.sqlite");
++        Assert.assertEquals(dbUrl, "jdbc:sqlite:tests/resources/test_db.sqlite?open_mode=1&limit_attached=0");
+     }
+ 
+     @Test
+@@ -94,6 +83,35 @@ public class SQLiteDatabaseServiceTest extends DBExtensionTests {
+         Assert.assertNotNull(conn);
+     }
+ 
++    /*
++     * We don't allow loading extensions because that executes arbitrary code
++     */
++    @Test(expectedExceptions = IllegalArgumentException.class)
++    public void testGetConnectionWithExtensions() throws DatabaseServiceException {
++        DatabaseConfiguration testDbConfigWithExtensions = new DatabaseConfiguration();
++        testDbConfigWithExtensions.setDatabaseName("test_db.sqlite?enable_load_extension=true");
++        testDbConfigWithExtensions.setDatabaseType(SQLiteDatabaseService.DB_NAME);
++
++        SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService
++                .get(SQLiteDatabaseService.DB_NAME);
++        sqLiteDatabaseService.getConnection(testDbConfigWithExtensions);
++    }
++
++    /*
++     * We don't allow loading a remote SQLite file to make remote code execution harder
++     */
++    @Test(expectedExceptions = IllegalArgumentException.class)
++    public void testGetConnectionWithRemoteFile() throws DatabaseServiceException {
++        DatabaseConfiguration testDbConfigWithExtensions = new DatabaseConfiguration();
++        testDbConfigWithExtensions
++                .setDatabaseName("https://github.com/xerial/sqlite-jdbc/raw/master/src/test/resources/org/sqlite/sample.db");
++        testDbConfigWithExtensions.setDatabaseType(SQLiteDatabaseService.DB_NAME);
++
++        SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService
++                .get(SQLiteDatabaseService.DB_NAME);
++        sqLiteDatabaseService.getConnection(testDbConfigWithExtensions);
++    }
++
+     @Test
+     public void testTestConnection() throws DatabaseServiceException {
+         SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47882.patch openrefine-3.6.2/debian/patches/CVE-2024-47882.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-47882.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-47882.patch	2025-09-27 22:52:50.000000000 +0000
@@ -0,0 +1,33 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Sep 2025 16:40:21 +0200
+Subject: CVE-2024-47882
+
+Bug-Debian: https://bugs.debian.org/1086041
+Origin: https://github.com/OpenRefine/OpenRefine/commit/b0d5dd0a6a40369593f4a6b593e3e0ffa213339e
+---
+ main/src/com/google/refine/commands/HttpUtilities.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/main/src/com/google/refine/commands/HttpUtilities.java b/main/src/com/google/refine/commands/HttpUtilities.java
+index defea78..faa64cc 100644
+--- a/main/src/com/google/refine/commands/HttpUtilities.java
++++ b/main/src/com/google/refine/commands/HttpUtilities.java
+@@ -41,6 +41,8 @@ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+ import com.fasterxml.jackson.core.JsonGenerator;
++import com.google.common.escape.Escaper;
++import com.google.common.html.HtmlEscapers;
+ import com.google.refine.RefineServlet;
+ import com.google.refine.util.ParsingUtilities;
+ 
+@@ -171,7 +173,8 @@ abstract public class HttpUtilities {
+             
+             e.printStackTrace(new PrintWriter(writer));
+             
+-            context.put("stack", writer.toString());
++            Escaper escaper = HtmlEscapers.htmlEscaper();
++            context.put("stack", escaper.escape(writer.toString()));
+         } else {
+             context.put("stack", "");
+         }
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-49760.patch openrefine-3.6.2/debian/patches/CVE-2024-49760.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-49760.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-49760.patch	2025-09-27 22:52:50.000000000 +0000
@@ -0,0 +1,54 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Sep 2025 17:51:56 +0200
+Subject: CVE-2024-49760
+
+Bug-Debian: https://bugs.debian.org/1086041
+Origin: https://github.com/OpenRefine/OpenRefine/commit/478285afffea59c893ac472faa74898ab9e5e95a
+---
+ .../com/google/refine/commands/lang/LoadLanguageCommand.java |  9 ++++++++-
+ .../refine/commands/lang/LoadLanguageCommandTests.java       | 12 ++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java b/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java
+index 002b908..85bf2e0 100644
+--- a/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java
++++ b/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java
+@@ -126,7 +126,14 @@ public class LoadLanguageCommand extends Command {
+     static ObjectNode loadLanguage(RefineServlet servlet, String modname, String lang) throws UnsupportedEncodingException {
+         
+         ButterflyModule module = servlet.getModule(modname);
+-        File langFile = new File(module.getPath(), "langs" + File.separator + "translation-" + lang + ".json");
++        String strLangFile = "translation-" + lang + ".json";
++        File langsDir = new File(module.getPath(), "langs");
++        File langFile = new File(langsDir, strLangFile);
++        if (!langFile.toPath().normalize().toAbsolutePath().startsWith(langsDir.toPath().normalize().toAbsolutePath())) {
++            logger.error("Security: Attempt to escape the langs directory to read another file");
++            return null;
++        }
++
+         try {
+             Reader reader = new BufferedReader(new InputStreamReader(new FileInputStream(langFile), "UTF-8"));
+             return ParsingUtilities.mapper.readValue(reader, ObjectNode.class);
+diff --git a/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java b/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java
+index ce569b5..0e073d3 100644
+--- a/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java
++++ b/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java
+@@ -77,6 +77,18 @@ public class LoadLanguageCommandTests extends CommandTestBase {
+         assertEquals(response.get("lang").asText(), "en");
+     }
+ 
++    @Test
++    public void testLoadLanguageWithDirectorySlip() throws JsonParseException, JsonMappingException, IOException, ServletException {
++        when(request.getParameter("module")).thenReturn("core");
++        when(request.getParameterValues("lang")).thenReturn(new String[] { "../../../secrets" });
++
++        command.doPost(request, response);
++
++        JsonNode response = ParsingUtilities.mapper.readValue(writer.toString(), JsonNode.class);
++        assertTrue(response.has("dictionary"));
++        assertEquals(response.get("lang").asText(), "en");
++    }
++
+     @Test
+     public void testLanguageFallback() throws JsonParseException, JsonMappingException, IOException {
+         String fallbackJson = "{"
diff -Nru openrefine-3.6.2/debian/patches/build.patch openrefine-3.6.2/debian/patches/build.patch
--- openrefine-3.6.2/debian/patches/build.patch	2023-10-04 13:02:45.000000000 +0000
+++ openrefine-3.6.2/debian/patches/build.patch	2025-09-27 22:52:50.000000000 +0000
@@ -7,7 +7,7 @@
  1 file changed, 4 insertions(+)
 
 diff --git a/main/pom.xml b/main/pom.xml
-index c0b409c..27f789d 100644
+index 17b8ddc..4b61428 100644
 --- a/main/pom.xml
 +++ b/main/pom.xml
 @@ -337,6 +337,10 @@
diff -Nru openrefine-3.6.2/debian/patches/gdata-extension.patch openrefine-3.6.2/debian/patches/gdata-extension.patch
--- openrefine-3.6.2/debian/patches/gdata-extension.patch	2023-10-04 13:02:45.000000000 +0000
+++ openrefine-3.6.2/debian/patches/gdata-extension.patch	2025-09-27 22:52:50.000000000 +0000
@@ -7,7 +7,7 @@
  1 file changed, 5 insertions(+)
 
 diff --git a/extensions/gdata/pom.xml b/extensions/gdata/pom.xml
-index 4fc64e5..ce9b906 100644
+index ed8b740..e310e8c 100644
 --- a/extensions/gdata/pom.xml
 +++ b/extensions/gdata/pom.xml
 @@ -97,6 +97,11 @@
diff -Nru openrefine-3.6.2/debian/patches/log4j-api.patch openrefine-3.6.2/debian/patches/log4j-api.patch
--- openrefine-3.6.2/debian/patches/log4j-api.patch	2023-10-04 13:02:45.000000000 +0000
+++ openrefine-3.6.2/debian/patches/log4j-api.patch	2025-09-27 22:52:50.000000000 +0000
@@ -7,7 +7,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/server/pom.xml b/server/pom.xml
-index 8bb528a..89dd5ab 100644
+index 2408c76..e168085 100644
 --- a/server/pom.xml
 +++ b/server/pom.xml
 @@ -180,7 +180,7 @@
diff -Nru openrefine-3.6.2/debian/patches/no-java-files.patch openrefine-3.6.2/debian/patches/no-java-files.patch
--- openrefine-3.6.2/debian/patches/no-java-files.patch	2023-10-04 13:02:45.000000000 +0000
+++ openrefine-3.6.2/debian/patches/no-java-files.patch	2025-09-27 22:52:50.000000000 +0000
@@ -8,7 +8,7 @@
  2 files changed, 10 deletions(-)
 
 diff --git a/main/pom.xml b/main/pom.xml
-index 27f789d..0ef3eab 100644
+index 4b61428..8ea4ef6 100644
 --- a/main/pom.xml
 +++ b/main/pom.xml
 @@ -27,11 +27,6 @@
@@ -24,7 +24,7 @@
      <testResources>
        <testResource>
 diff --git a/server/pom.xml b/server/pom.xml
-index 89dd5ab..94fda4c 100644
+index e168085..f2955e4 100644
 --- a/server/pom.xml
 +++ b/server/pom.xml
 @@ -28,11 +28,6 @@
diff -Nru openrefine-3.6.2/debian/patches/series openrefine-3.6.2/debian/patches/series
--- openrefine-3.6.2/debian/patches/series	2023-10-04 13:02:45.000000000 +0000
+++ openrefine-3.6.2/debian/patches/series	2025-09-27 22:52:50.000000000 +0000
@@ -6,3 +6,9 @@
 gdata-extension.patch
 CVE-2023-37476.patch
 CVE-2023-41887-and-CVE-2023-41886.patch
+CVE-2024-23833.patch
+CVE-2024-47878.patch
+CVE-2024-47880.patch
+CVE-2024-47881.patch
+CVE-2024-47882.patch
+CVE-2024-49760.patch