[From nobody Thu May 28 14:05:10 2026
Received: (at 1137507-close) by bugs.debian.org; 28 May 2026 13:03:47 +0000
Return-path: <envelope@ftp-master.debian.org>
Received: from muffat.debian.org ([2607:f8f0:614:1::1274:33]:57318)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wSaOp-00Cqoa-0z for 1137507-close@bugs.debian.org;
 Thu, 28 May 2026 13:03:47 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by muffat.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wSaOq-005UME-10 for 1137507-close@bugs.debian.org;
 Thu, 28 May 2026 13:03:47 +0000
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from <envelope@ftp-master.debian.org>)
 id 1wSaOo-0000000HIAS-3yuX; Thu, 28 May 2026 13:03:46 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Guilhem Moulin <guilhem@debian.org>
To: 1137507-close@bugs.debian.org
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: roundcube
Debian: DAK
Debian-Changes: roundcube_1.6.5+dfsg-1+deb12u9_source.changes
Debian-Source: roundcube
Debian-Version: 1.6.5+dfsg-1+deb12u9
Debian-Architecture: source
Debian-Suite: oldstable-proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1137507: fixed in roundcube 1.6.5+dfsg-1+deb12u9
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============5920437700296447592=="
Message-Id: <E1wSaOo-0000000HIAS-3yuX@fasolo.debian.org>
Date: Thu, 28 May 2026 13:03:46 +0000

--===============5920437700296447592==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: roundcube
Source-Version: 1.6.5+dfsg-1+deb12u9
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1137507@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 May 2026 01:08:43 +0200
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u9
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1137507
Changes:
 roundcube (1.6.5+dfsg-1+deb12u9) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.16 (closes: #1137507).
     + Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
       via `preg_replace()` backslash escape bypass.
     + Fix CVE-2026-48843: SSRF bypass via specific local address URLs.  Add
       support for non quad-dotted IPs and non-decimal fields to
       d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
       match the new upstream behavior.
     + Fix CVE-2026-48844: Code injection vulnerability via code evaluation
       support in LDAP autovalues option.  Code evaluation support has now been
       removed.
     + Fix CVE-2026-48845: Local/private URL fetch bypass when remote resources
       were not allowed.
     + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
     + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
       session poisoning bypass.
     + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
       <animate attributeName="style">.
     + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
       the draft restore dialog.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--===============5920437700296447592==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--===============5920437700296447592==--
]