[From nobody Sun Jul  5 17:07:07 2026
Received: (at submit) by bugs.debian.org; 5 Jul 2026 15:04:11 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-112.5 required=4.0 tests=ALL_TRUSTED,BAYES_00,
 DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
 FOURLA,FROMDEVELOPER,MD5_SHA1_SUM,PGPSIGNATURE,SPF_HELO_NONE,SPF_PASS,
 USER_IN_DKIM_WELCOMELIST,WEBMAIL autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 45; hammy, 150; neutral, 55; spammy,
 0. spammytokens:
 hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin,
 0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311,
 0.000-+--H*RT:311, 0.000-+--H*RT:108
Return-path: &lt;guilhem@debian.org&gt;
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:56878)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;guilhem@debian.org&gt;) id 1wgOOA-003SKj-33
 for submit@bugs.debian.org; Sun, 05 Jul 2026 15:04:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; 
 s=smtpauto.stravinsky;
 h=X-Debian-User:Content-Type:MIME-Version:Message-ID:
 Subject:To:From:Date:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
 Content-Description:In-Reply-To:References;
 bh=5PPCfOt3fz1RcBBA0Ta42c4CENuCMoDjssBp5HcJrfo=; b=NHqDNfwBGaPLKYfXACneJWbcTm
 PLRhmnXnCxil+LuyhcAsO7mJ9Pi0Ktbky7b2ADjrEMjZF79NUgEdeYXskkxFqUs/J0b/qu9R8JXVl
 MzNTL6YhWTqOkRymmJizkAC01QkOB7wK6LGWy5P629kEJUlr1rMlnsYIV3PwcvtSZ/ahR1mOq/ZXZ
 jgfmuV3v0317j/w2j0/XziEEb0xrybQJLegF0tRM6llb6xw7rhlhUAy2BUVoXu5ywAepv4vFVn3CE
 Ad3JG+I4WZWZHXuhNcjJ6ZBT+X1f5T8dWoWoSmwQbB3kULRJZvdr9mnCbY08Kuc6NTje3akMVVSal
 6xX8ybeQ==;
Received: from authenticated-user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;guilhem@debian.org&gt;) id 1wgOO8-000izp-1i;
 Sun, 05 Jul 2026 15:04:09 +0000
Received: by localhost.localdomain (Postfix, from userid 1000)
 id 6CC94420576; Sun, 05 Jul 2026 17:04:05 +0200 (CEST)
Date: Sun, 5 Jul 2026 17:04:05 +0200
From: Guilhem Moulin &lt;guilhem@debian.org&gt;
To: Debian Bug Tracking System &lt;submit@bugs.debian.org&gt;
Subject: roundcube: Multiple security vulnerabilities
Message-ID: &lt;akpyX4G61pnsQWax@debian.org&gt;
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol=&quot;application/pgp-signature&quot;; boundary=&quot;HphbkrA51DyM31RO&quot;
Content-Disposition: inline
X-Reportbug-Version: 13.2.0+nmu1
X-Debian-User: guilhem
Delivered-To: submit@bugs.debian.org

--HphbkrA51DyM31RO
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Source: roundcube
Version: 1.6.16+dfsg-1
Control: found -1 1.6.16+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u9
Control: found -1 1.4.15+dfsg.1-1+deb11u9
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team &lt;team@security.debian.org&gt;

Roundcube webmail upstream has recently released 1.6.17 [0] which fixes
the following security vulnerabilities:

  1. Infinite loop in TNEF (winmail.dat) decoder
     https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de=
2bd75b486b04f63c0d38
     https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be1=
2de1daf84355697ffa89
  2. Various vulnerabilities in the password plugin using
     session-injected username
     https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d=
511bcae40adba8d55476
     https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0=
bf5d9035f4491e877e4c
  3. CVE-2026-54432: Stored XSS via unescaped attachment MIME type on
     the attachment-validation warning page
     https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e=
4393d32abb157cb2a568
  4. SSRF bypass via specific local address URLs
     https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040=
cef8607b677d459e0786
  5. CVE-2026-54433: Zero-click stored XSS in plain-text rendering
     https://github.com/roundcube/roundcubemail/commit/63e42e233c6e8b5100e2=
e61a4d13addcd1a45bd5
  6. DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
     https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda5=
11b8464fe9cb34b522c1

AFAIK no CVE-ID have been published for issues 1, 2, 4 and 6.  I'll
request some tomorrow unless someone beats me to it.
--=20
Guilhem.

[0] https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2

--HphbkrA51DyM31RO
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmpKcl8ACgkQ05pJnDwh
pVIxjxAArhzkkCDULYUXxD6XjTYQ4czUHRMhwrnZg/nZcaBZE6cTYLUnbRLbX5qN
7TBDyeWV8xaQaw3rnEta/bTjltDZ5MwDMLMyYU7yP35ziYst9HZw42WCZJc36s+B
bAiFBq91Rar2EYTdHzkQSjhwzW5PFHHrvAhjEuy/4dYCyy9B/mwUUJZxbsz1kidm
pMIcuw0sIlxn3f/axHkHMB5B2MY++J8aP7qWKxEN0JkESNFwIdd0ObcH6PsBpchN
jM6oUiK8bPeAVwfAhOHd9zb7QFj5FMNCflRjGojak/CfzYf9h8QdlGq7cimkpbUG
EsEx/JEhqAfD+YBRJ51FqcbfZ+wr0Wc6dRxH+zrRFPPGeYB4hQzvprWURSALjTaJ
Q5O9De9D5HAI9XCOJEU9I8bxt/C1XyT5RbaqCVrJGqeRTOOQju5zyaecf8M2knIX
HokpB7ImgUZCTEPeukrHKbq1295bVT0ZONlKzgTdHNw4AFhl+mdqcBG3O3VNsoO2
GePUKXGHnatvXrlTOSWVAiWQoOknBeLtdUw+xmUuJLswJtKWKkgzkD2QPsJs48vc
pW1dGPqkcyCoeNDsss5SXxgXvT1RMehhNsVKxqMN7p3i17xyGgqmv50eTSsAOmW2
enYqeWBa5C5mj2GXsZslENBCP6qNDCJzeiMmq6pz4RRzlViCvE8=
=Qbkl
-----END PGP SIGNATURE-----

--HphbkrA51DyM31RO--
]