[From nobody Mon Apr 6 16:05:07 2026 Received: (at 1132268-close) by bugs.debian.org; 6 Apr 2026 15:03:38 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-114.1 required=4.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FOURLA, FVGT_m_MULTI_ODD,HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE, USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 86; hammy, 150; neutral, 260; spammy, 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo., 0.000-+--H*MI:fasolo Return-path: <envelope@ftp-master.debian.org> Received: from muffat.debian.org ([2607:f8f0:614:1::1274:33]:37860) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1w9lUI-000hIm-0J for 1132268-close@bugs.debian.org; Mon, 06 Apr 2026 15:03:38 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by muffat.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1w9lUH-00Cj4a-2V for 1132268-close@bugs.debian.org; Mon, 06 Apr 2026 15:03:37 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=Cn5GQoI7nKf1H128oS54XGD6yOQb20rfWP9+c2hMmqM=; b=gJ9v1MsQiX3PPau3SbSLISX5Lj AmvxOEVTrPHu5c91kg+myw93r05SDflzzjF4TD2Cfa4HKvpNGOExagOH1LVk4YJBfEsZHyOpnTEoX fb3Zvue78B45TaWOve93qCwE2z4KOPP7umGHF1CZ95t3mLW+C9BgBVwu8y4ClucVwCjb1J7eNoVji B7h0Cz3iy1eFVZEfRl5xlG5Uip9mcE5keaAnLEikkmeM3ysliRW+TNaEijQ0CYZZAqbn6B6s+aXHe gxvyMENAu6QxqPcl3ogmWYg+t7F2F5gyg9gHja978OT0lony8aa9lTNc2EXHORJpiPm80aEzOc4hk XyL6HThQ==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1w9lUG-00000000lZG-43vh; Mon, 06 Apr 2026 15:03:36 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: Guilhem Moulin <guilhem@debian.org> To: 1132268-close@bugs.debian.org X-DAK: dak process-policy X-Debian: DAK X-Debian-Package: roundcube Debian: DAK Debian-Changes: roundcube_1.6.15+dfsg-0+deb13u1_source.changes Debian-Source: roundcube Debian-Version: 1.6.15+dfsg-0+deb13u1 Debian-Architecture: source Debian-Suite: proposed-updates Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1132268: fixed in roundcube 1.6.15+dfsg-0+deb13u1 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============2664944881062527049==" Message-Id: <E1w9lUG-00000000lZG-43vh@fasolo.debian.org> Date: Mon, 06 Apr 2026 15:03:36 +0000 --===============2664944881062527049== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: roundcube Source-Version: 1.6.15+dfsg-0+deb13u1 Done: Guilhem Moulin <guilhem@debian.org> We believe that the bug you reported is fixed in the latest version of roundcube, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1132268@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 30 Mar 2026 13:40:22 +0200 Source: roundcube Architecture: source Version: 1.6.15+dfsg-0+deb13u1 Distribution: trixie-security Urgency: high Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-li= sts.debian.net> Changed-By: Guilhem Moulin <guilhem@debian.org> Closes: 1131182 1132268 Changes: roundcube (1.6.15+dfsg-0+deb13u1) trixie-security; urgency=3Dhigh . * New upstream security and bugfix release (closes: #1131182, #1132268). + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler. + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search. + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview. + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via stylesheet links pointing to a local network hosts. + Fix CVE-2026-35541: A password could get changed without providing the old password in some situations. + Fix CVE-2026-35542: Remote image blocking bypass via a crafted <body> background attribute. + Fix CVE-2026-35543: Remote image blocking bypass via various SVG anima= te attributes. + Fix CVE-2026-35544: Fixed position mitigation bypass via use of `!important`. + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image loading via fill/filter/stroke). * Refresh d/patches. * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is not present in trixie. Checksums-Sha1: 0a900997286378c2c456da611f2099ee50e64cda 3860 roundcube_1.6.15+dfsg-0+deb13u= 1.dsc 0cffaaa8522bb9496ff3ec1aad1b9d17f1e7edd7 126856 roundcube_1.6.15+dfsg.orig-t= inymce-langs.tar.xz 7c3866251bfef08a39b1459b05fb2e99b177a786 1928608 roundcube_1.6.15+dfsg.orig-= tinymce.tar.xz ed576296b8b4da4e49f384344934fb2c6ed4a5dd 2793028 roundcube_1.6.15+dfsg.orig.= tar.xz ee4dbb450455f4c2e846eb49616715718a22bb03 155332 roundcube_1.6.15+dfsg-0+deb1= 3u1.debian.tar.xz d559d32bbef7dc805ebf9908ad2b80bb60bb0b6e 6242 roundcube_1.6.15+dfsg-0+deb13u= 1_source.buildinfo Checksums-Sha256: dabd0480dc852a33b7d560a1c439250b272f079f8867316037fb7dc15a2c2279 3860 roundc= ube_1.6.15+dfsg-0+deb13u1.dsc f3d8c7e7137dad314b7acff2b80649ea036c4532f3b1194bd39c163d6884416c 126856 roun= dcube_1.6.15+dfsg.orig-tinymce-langs.tar.xz 3040064c9e504486506dc597f3eeec0a79a31278e06d0d15b7c0568938124b0c 1928608 rou= ndcube_1.6.15+dfsg.orig-tinymce.tar.xz b23845f78b4bf5460821d1449f22f2069fa53ccbcc9ed918068549bbc1b651fb 2793028 rou= ndcube_1.6.15+dfsg.orig.tar.xz 574efce6ce318d43cd3fd831d4f68d1347c7c04a29f84a28590663c0dbedb150 155332 roun= dcube_1.6.15+dfsg-0+deb13u1.debian.tar.xz 0362af1a6695fb66df0d9b6526e9f4a74b42dea99abf56e7403a71b567c45c5e 6242 roundc= ube_1.6.15+dfsg-0+deb13u1_source.buildinfo Files: 6a4ee3fed544c1163b9e705ed704ebff 3860 web optional roundcube_1.6.15+dfsg-0+d= eb13u1.dsc 916486a39ee15f3bd2d10c9472af340c 126856 web optional roundcube_1.6.15+dfsg.o= rig-tinymce-langs.tar.xz 9b7a65d3a402cfbad01a3144b59da634 1928608 web optional roundcube_1.6.15+dfsg.= orig-tinymce.tar.xz 1eca96bad2b14b928e4e62390fd7d3f9 2793028 web optional roundcube_1.6.15+dfsg.= orig.tar.xz 9fbb65d67b96ad0786d2d538fb0ec86d 155332 web optional roundcube_1.6.15+dfsg-0= +deb13u1.debian.tar.xz 274be445cb05a5d3d7649a86a0e61ada 6242 web optional roundcube_1.6.15+dfsg-0+d= eb13u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmnPY+AACgkQ05pJnDwh pVJKJQ//RUTIIO6yTz8Mj9PrZHWyUJcknyYUbr/RdAxswF5+ckQNzOXzub2o3P7X GlEsvNgY+8W+Px4pCTTqpY56NgS8EdiJdYEJ2hSujHzq++iFfCOeWg7X7R15ucYB e9P9DKZIi5+pYFEHkyxVj/Ug2a+L3ObSCX5h5SJfFTmpzr5RhPZ/wwzb+Ef0l5hY 5Q1nN3TqKPnOkqXRbedD+z8BQq4UsvkPm09NtAKBXm9pgm0giCan/LUii2Ahc5/M EZZJby3YP2XNzf3GpCEqNdi2Hq4Hh4ltRQoN9DSw2lMm0ojEkGc5vDXRhArKFRff 2jwQdtgW0+G2WFtWleWstgaiIKMXdX3KIZ4U/TqSr8ZD8vymcpG2BVam590wRwwn vzR2fyKXW8Xs3ALgc0uHymL9XRegNcBAxXGqe/cjeihfWG7ryhN97OEyOqXUT+3q Xbke83sjqhelUePuAUSim9Ehi3+qds7LhhPcl/4TssXOHn5JolkfOdAjq6ZlgvnY Guj5QXTcCkeg6GwL5sk64hpoiw0vWI+EhxhnDqxoUyeUPYKddXa1ZQFpJsgVo+Hw Uuxiqildbvr2tNrmMc0qdun0bm+0cqIq8Jrg66y0Ja5YpY3ZKYc6GnFo9dsE8Df/ vKkPhi8U3g6tSnd+wYy1rov0LVU4tf4n49LIpUpMWQq0A89ioXY=3D =3DTCC8 -----END PGP SIGNATURE----- --===============2664944881062527049== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCadPLSAAKCRCb9qggYcy5 IXv4AQCp0bed9LfYRyTZUWe4EHl7k5f9b3It2VcFqQCoV9eurwD+PEa8EJ1y25A/ Kz+cHARc0zcmoTss0Ga7q8zUM+K//wA= =J9vV -----END PGP SIGNATURE----- --===============2664944881062527049==-- ]