Date: Sun, 24 May 2026 13:12:24 +0200
From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: Multiple security vulnerabilities
Message-ID: <ahLdGI1nKnSouxVi@debian.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="D7PSv38BBM3ZWNoF"
Content-Disposition: inline
X-Reportbug-Version: 13.2.0
X-Debian-User: guilhem
Delivered-To: submit@bugs.debian.org


--D7PSv38BBM3ZWNoF
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Source: roundcube
Version: 1.6.15+dfsg-1
Control: found -1 1.6.15+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u8
Control: found -1 1.4.15+dfsg.1-1+deb11u8
Severity: grave
Justification: user security hole
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Roundcube webmail upstream has recently released 1.6.16 [0] which fixes
the following security vulnerabilities:

  1. Stored XSS/HTML/CSS injection in subject field of the draft restore
     dialog.
  2. CSS injection bypass in HTML sanitizer via SVG <animate
     attributeName="style">.
  3. Pre-auth SQL injection in virtuser_query plugin via preg_replace
     backslash escape bypass.
  4. SSRF bypass via specific local address URLs.
  5. Local/private URL fetch bypass when remote resources were not
     allowed.
  6. Bypass of remote image blocking via CSS var().
  7. Pre-auth arbitrary file delete via redis/memcache session poisoning
     bypass.
  8. Code injection vulnerability via code evaluation support in LDAP
     autovalues option.  Code evaluation support has now been removed.

AFAIK no CVE-IDs have been published for these issues.  I'll request
some later today unless someone beats me to it.
-- 
Guilhem.

[0] https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
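
A triage helper added here as an example (not part of the bug report or of the roundcube project): it strips the epoch, Debian revision and +dfsg repack marker from a Debian package version and checks whether the embedded upstream release predates the fixed upstream releases named in the linked announcement (1.6.16 on the 1.6 branch, 1.7.1 on the 1.7 branch). It assumes older branches such as 1.4.x never received a fixed upstream release, and it cannot see Debian stable updates, which backport fixes without bumping the upstream version; a True result therefore means "check the package changelog", not "confirmed vulnerable".

```python
"""Debian version triage for the roundcube advisory above (constructed example)."""
import re

# Upstream releases carrying the fixes, per the roundcube.net announcement
# linked in the report (assumption: branches older than 1.6 got no fixed release).
FIXED_UPSTREAM = {(1, 6): (1, 6, 16), (1, 7): (1, 7, 1)}


def upstream_version(debian_version: str) -> tuple[int, ...]:
    """Return the numeric upstream release embedded in a Debian version string.

    Handles "[epoch:]upstream[-revision]" and the "+dfsg..." repack marker that
    Debian appends to the upstream part, e.g. "1.4.15+dfsg.1-1+deb11u8" -> (1, 4, 15).
    """
    v = debian_version.split(":", 1)[-1]                 # drop "epoch:"
    if "-" in v:
        v = v.rsplit("-", 1)[0]                          # drop Debian revision (after last "-")
    v = re.split(r"\+dfsg", v, maxsplit=1)[0]            # drop "+dfsg" repack suffix
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised upstream version in {debian_version!r}")
    return tuple(int(x) for x in m.groups())


def upstream_predates_fix(debian_version: str) -> bool:
    """True when the upstream release is older than the fixed release on its branch.

    Caveat: Debian stable/oldstable security updates keep the upstream version
    (e.g. 1.6.5+dfsg-1+deb12u9), so this flags candidates for changelog review only.
    """
    up = upstream_version(debian_version)
    branch = up[:2]
    fixed = FIXED_UPSTREAM.get(branch)
    if fixed is None:
        # Branches below 1.6 have no fixed upstream release; newer unknown
        # branches are not flagged because nothing on the page covers them.
        return branch < (1, 6)
    return up < fixed


if __name__ == "__main__":
    # The versions the report marks as affected.
    for v in ("1.6.15+dfsg-1", "1.6.15+dfsg-0+deb13u1",
              "1.6.5+dfsg-1+deb12u8", "1.4.15+dfsg.1-1+deb11u8"):
        print(f"{v:28} upstream={upstream_version(v)} predates fix={upstream_predates_fix(v)}")
```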

--D7PSv38BBM3ZWNoF
Content-Type: application/pgp-signature; name="signature.asc"


--D7PSv38BBM3ZWNoF--