[From nobody Mon May 25 00:35:07 2026 Received: (at 1137507-close) by bugs.debian.org; 24 May 2026 23:33:45 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-113.0 required=4.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FOURLA,FVGT_m_MULTI_ODD, HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE,RCVD_IN_DNSWL_MED, SPF_HELO_PASS,SPF_PASS,USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 112; hammy, 150; neutral, 217; spammy, 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--HX-DAK:process-upload, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo. Return-path: <envelope@ftp-master.debian.org> Received: from mitropoulos.debian.org ([2001:648:2ffc:deb:216:61ff:fe9d:958d]:55396) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wRIKG-003biA-24 for 1137507-close@bugs.debian.org; Sun, 24 May 2026 23:33:45 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by mitropoulos.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wRIKE-001Wgx-2D for 1137507-close@bugs.debian.org; Sun, 24 May 2026 23:33:43 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=vopmu5Tbjc1GHGI89RO1MFyrIK1t/VcV22l1Xpo9vl0=; b=p6lhdRmFRvsnURb47q7v/UmWmS eliXumOa/gfQnpuVswlnJv271P/nKfTaAW8fSj+XJUJFrnYSvROltB6+dYA+mcJxOKwGQVLrXVRtT uvrXtbKafW4IQR7+145tDAMETTRi+JgrOWEv9ho73FXotCDvjNVtmr7Sb8cTs1wHomIsIB7CSsFK0 oJw7CzNBZq/eJtQDLo4WLTX/odzQ9/ReHbElZ9OH9n+aHzkipx566d+mgjXDEHA6+4xDEwpLtQyR+ o46gCnmna13s+Vkea3Mj7+IEdpjqjXDMCLLSMFckuoUvRUh4vbQhX2T4P0SY5jMspQdWjRkyZcciq jDfnZE/w==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1wRIKD-00000000hsQ-29Uq; Sun, 24 May 2026 23:33:41 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: Guilhem Moulin <guilhem@debian.org> To: 1137507-close@bugs.debian.org X-DAK: dak process-upload X-Debian: DAK X-Debian-Package: roundcube Debian: DAK Debian-Changes: roundcube_1.6.16+dfsg-1_source.changes Debian-Source: roundcube Debian-Version: 1.6.16+dfsg-1 Debian-Architecture: source Debian-Suite: unstable Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1137507: fixed in roundcube 1.6.16+dfsg-1 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============5019629624604311031==" Message-Id: <E1wRIKD-00000000hsQ-29Uq@fasolo.debian.org> Date: Sun, 24 May 2026 23:33:41 +0000 --===============5019629624604311031== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: roundcube Source-Version: 1.6.16+dfsg-1 Done: Guilhem Moulin <guilhem@debian.org> We believe that the bug you reported is fixed in the latest version of roundcube, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1137507@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 25 May 2026 00:30:41 +0200 Source: roundcube Architecture: source Version: 1.6.16+dfsg-1 Distribution: unstable Urgency: medium Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-li= sts.debian.net> Changed-By: Guilhem Moulin <guilhem@debian.org> Closes: 1137507 Changes: roundcube (1.6.16+dfsg-1) unstable; urgency=3Dmedium . * New upstream security and bugfix release (closes: #1137507). + Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog. + Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName=3D"style">. + Fix pre-auth SQL injection in `virtuser_query plugin` via `preg_replace()` backslash escape bypass. + Fix SSRF bypass via specific local address URLs. + Fix local/private URL fetch bypass when remote resources were not allowed. + Fix bypass of remote image blocking via CSS `var()`. + Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass. + Code injection vulnerability via code evaluation support in LDAP autovalues option. Code evaluation support has been removed. * Refresh d/patches. * d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Add support for non quad-dotted IPs and non-decimal fields to match the upstream behavio= r. * Update Standards-Version to 4.7.4 (no changes necessary). Checksums-Sha1: 9d7e3296d2acee9157f03a830dc8f31016c8ae34 3845 roundcube_1.6.16+dfsg-1.dsc 1a3cd9678dcb0a130681a4fbe1eca68052d00d5b 126884 roundcube_1.6.16+dfsg.orig-t= inymce-langs.tar.xz 38c2baef9e85c0d497c31715eeba89ba8dd4d8b3 1928780 roundcube_1.6.16+dfsg.orig-= tinymce.tar.xz f18404da6e008cd6b488bcdfde8feee9244b7c93 2793532 roundcube_1.6.16+dfsg.orig.= tar.xz e2115633782fb8a1a0483e8605e4c2665c946539 158648 roundcube_1.6.16+dfsg-1.debi= an.tar.xz 3072b588f4427d28852d1df4af312b3785547322 6185 roundcube_1.6.16+dfsg-1_source= .buildinfo Checksums-Sha256: cbb894b82f90ab086b1fb5ea764667bfa83fff6f86b0a822e9c932e6714fc58d 3845 roundc= ube_1.6.16+dfsg-1.dsc 04a78e28c9e7cf2f0d67d989954ebeb2693db7c25b511e37b1be851ab00ec0e4 126884 roun= dcube_1.6.16+dfsg.orig-tinymce-langs.tar.xz 2f9513c4c9f4b4f486a2a10614a9215acb41e94374ec453d656ea420d8e4e168 1928780 rou= ndcube_1.6.16+dfsg.orig-tinymce.tar.xz 491d92dee757bc22672181d42fb09334d83826cace9d4f7ea0b2ac0fc0355a77 2793532 rou= ndcube_1.6.16+dfsg.orig.tar.xz a33b00bca2f9d23cedfba49e7a6e6b5889a38a730703097de3403a7f80fb79cf 158648 roun= dcube_1.6.16+dfsg-1.debian.tar.xz e1ff92ecae989bb52eef93e40e0ec24bb7f45e5a5fc58068dda007fb832aadb4 6185 roundc= ube_1.6.16+dfsg-1_source.buildinfo Files: e06c2588e866b4f8b9d5295216ed0f4f 3845 web optional roundcube_1.6.16+dfsg-1.d= sc f2adaee4ceaeb18948b7c3fcd3b76dca 126884 web optional roundcube_1.6.16+dfsg.o= rig-tinymce-langs.tar.xz 543ea8ab031d4a17869930bc16287e9c 1928780 web optional roundcube_1.6.16+dfsg.= orig-tinymce.tar.xz 7fd70691566a18ddd6e74a13a5a677d0 2793532 web optional roundcube_1.6.16+dfsg.= orig.tar.xz 032a53fcda2058d64011db7e8c15281a 158648 web optional roundcube_1.6.16+dfsg-1= .debian.tar.xz c1264abc59c7aee2c205bf441b3d9896 6185 web optional roundcube_1.6.16+dfsg-1_s= ource.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmoTf+kACgkQ05pJnDwh pVJASw//eVs+ZUBR5XOdtnmi9VoX+z2QRE3C94XDdMBxwYlgzwbVZ5HBKQGGhhel FDXRu/6fmbXZZIJAVlRV+4gDwBdU42mlZ8kaqH08fqWa+2k4zWgjoJFZ6yFi2i2/ BCMZQz2ohMDeNmqZLrAQdR4w2jP8vELJ/H0SDRVkUF1IgB+6BlZdOBq7JlYq3VOG b5b+z6OlV2fx8r6u8nHIHXJc4O6kr2/HiF4N+TZgikCVE4bxvsFjo4xu1X7drFGu 435pZGIsaBhlAwYq9EV4qCReeV8NYZVLkCkAHjj/ZiiTn8je7E59nLctGHKLJYz1 UKkTmJ2Ux2z+A8QHA8v2Mgx0mJIqcmRQnlsVpwGRGNk6P8ittzcCmO1r7cguZhZS UoPS+rvQZp7gr6MeGoYVzZ9pYuw2p9w+ztEimWX7MfZsn2GjUwXiI303BmqtZy1O xukTuVfg3IKDFSq8/XoYRZjy9d8guyYYu80Fzd1PW+FMZYbZXgHRkXl5RCTf86h6 SWxdxpToKgaXrdrx9ARW/9774NcsFLdxpQv1Qqlcmaj94u4xft/cTfjf+IU1cT7K EOxyFjgm93/uNQP7P8ZQPbiol2DGFxD27Ypy6dfmlCDoFv0N7tuP4jllU0ruoW/Z 9AQm26tssCVr3XVsqLnUT+mhayzMP4sZKuyAvTXbNCvqNvI0CVc=3D =3DyWIg -----END PGP SIGNATURE----- --===============5019629624604311031== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCahOK1QAKCRCb9qggYcy5 IWNnAP0U66xqOMUIrN8C6pXm75SWpSMfYBED4S6nW+hdN473FwD/Y0MUVkqtoKMk lErM/xQXTHpxzGgyhPUaCReDa4j/fgs= =3z8L -----END PGP SIGNATURE----- --===============5019629624604311031==-- ]