[Git][security-tracker-team/security-tracker][master] Merge CVE assignments from Roundcube 1.7-rc5, 1.6.14 and 1.5.14 release

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Apr 3 08:47:45 BST 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7726ebf9 by Salvatore Bonaccorso at 2026-04-03T09:47:21+02:00
Merge CVE assignments from Roundcube 1.7-rc5, 1.6.14 and 1.5.14 release

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -16,22 +16,6 @@ CVE-2026-5420 (A security flaw has been discovered in Shinrays Games Goods Tripl
 	NOT-FOR-US: Shinrays Games Goods Triple App
 CVE-2026-35549 (An issue was discovered in MariaDB Server before 11.4.10, 11.5.x throu ...)
 	TODO: check
-CVE-2026-35544 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
-	TODO: check
-CVE-2026-35543 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
-	TODO: check
-CVE-2026-35542 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
-	TODO: check
-CVE-2026-35541 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
-	TODO: check
-CVE-2026-35540 (An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insu ...)
-	TODO: check
-CVE-2026-35539 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
-	TODO: check
-CVE-2026-35538 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
-	TODO: check
-CVE-2026-35537 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
-	TODO: check
 CVE-2026-35508 (Shynet before 0.14.0 allows XSS in urldisplay and iconify template fil ...)
 	TODO: check
 CVE-2026-35507 (Shynet before 0.14.0 allows Host header injection in the password rese ...)
@@ -2201,6 +2185,7 @@ CVE-2018-25226 (FTPShell Server 6.83 contains a buffer overflow vulnerability th
 CVE-2026-4981
 	NOT-FOR-US: Red Hat Advanced Cluster Security
 CVE-2026-35545 [SVG Animate FUNCIRI Attribute Bypass]
+	{DLA-4517-1}
 	- roundcube 1.6.15+dfsg-1 (bug #1132268)
 	NOTE: https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/7ad62de184368bf42c0f522d1aacc030f5ddcc46 (1.7-rc6)
@@ -9056,52 +9041,69 @@ CVE-2026-2046
 	NOTE: https://gitlab.gnome.org/GNOME/gimp/-/commit/b4d41182dde4a1f98431b4d5b749a5a18bed0ab3 (GIMP_3_2_0)
 	NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/15289
 	NOTE: Building of optional Plug-In for Amiga IFF/ILBM not enabled.
-CVE-2026-XXXX [SSRF + Information Disclosure via stylesheet links to a local network hosts]
+CVE-2026-35540 [SSRF + Information Disclosure via stylesheet links to a local network hosts]
+	{DLA-4517-1}
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
-	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://i0.rs/blog/turning-a-roundcube-link-tag-into-a-zero-day-ssrf-and-data-exfiltration/
-	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
-CVE-2026-XXXX [XSS issue in a HTML attachment preview]
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942 (1.7-rc5)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870 (1.6.14)
+CVE-2026-35539 [XSS issue in a HTML attachment preview]
+	{DLA-4517-1}
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
-	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
-	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f
-CVE-2026-XXXX [Fixed position mitigation bypass via use of `!important`]
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f (1.7-rc5)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a6642bfa27bea1 (1.6.14)
+	NOTE: fixed by: https://github.com/roundcube/roundcubemail/commit/d742954ccbcdee7020f8f2e7c49ce0fca5a0efab (1.5.14)
+CVE-2026-35544 [Fixed position mitigation bypass via use of `!important`]
+	{DLA-4517-1}
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
-	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#css-position-fixed-important
-	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0
-CVE-2026-XXXX [Remote image blocking bypass via a crafted body background attribute]
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0 (1.7-rc5)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/099009b9c8e1d3c636fb9a5af72f7c2596018662 (1.6.14)
+	NOTE: fixed by: https://github.com/roundcube/roundcubemail/commit/57dec0c127b98e0c8e3b9c26c80049b9c4bcaea7 (1.5.14)
+CVE-2026-35542 [Remote image blocking bypass via a crafted body background attribute]
+	{DLA-4517-1}
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
-	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#body-backgrounds-unquoted-url
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b561874923f9b0f0 (1.7-rc5)
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/fde14d01adc9f37893cd82b635883e516ed453f8 (1.6.14)
 	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/5aba847cb8d5e00a52405e5cd1becb7ec0dcbe4b (1.6.15)
-CVE-2026-XXXX [Remote image blocking bypass via various SVG animate attributes]
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/e052328e3dc75f13adc2e314eaa4096ac21084ad (1.5.14)
+	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/d8799ed7e869f5cfda54fb35692be3aca1bdd924 (1.5.15)
+CVE-2026-35543 [Remote image blocking bypass via various SVG animate attributes]
+	{DLA-4517-1}
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
-	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#smil-animations-values-and-by
-	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd
-CVE-2026-XXXX [IMAP Injection + CSRF bypass in mail search]
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd (1.7-rc5)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3 (1.6.14)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a09ef31f20c (1.5.14)
+CVE-2026-35538 [IMAP Injection + CSRF bypass in mail search]
+	{DLA-4517-1}
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
-	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15 (1.7-rc5)
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c (1.6.14)
-	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/6b137adda9b042c3742b0f968692e95ed367d3d1
-CVE-2026-XXXX [Bug where a password could get changed without providing the old password]
+	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/6b137adda9b042c3742b0f968692e95ed367d3d1 (1.6.15)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64 (1.5.14)
+	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/c360f32adc8754aea91dcc347edcf394108ca110 (1.5.15)
+CVE-2026-35541 [Bug where a password could get changed without providing the old password]
+	{DLA-4517-1}
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
-	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
-	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
-CVE-2026-XXXX [pre-auth arbitrary file write via unsafe deserialization in edis/memcache session handler]
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4 (1.7-rc5)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce (1.6.14)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394 (1.5.14)
+CVE-2026-35537 [pre-auth arbitrary file write via unsafe deserialization in edis/memcache session handler]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	[bullseye] - roundcube <not-affected> (Vulnerable code introduced later, 1.4.x doesn't use Guzzle)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
-	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74 (1.7-rc5)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/a4ead994d2f0ea92e4a1603196a197e0d5df1620 (1.6.14)
+	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/618c5428edc69fb088e7ac6c89e506dd39df3fc2 (1.5.14)
 CVE-2026-23248 (In the Linux kernel, the following vulnerability has been resolved:  p ...)
 	- linux 6.19.8-1
 	[trixie] - linux <not-affected> (Vulnerable code not present)


=====================================
data/DLA/list
=====================================
@@ -11,7 +11,7 @@
 	{CVE-2023-52892 CVE-2026-32935}
 	[bullseye] - phpseclib 1.0.19-3+deb11u3
 [30 Mar 2026] DLA-4517-1 roundcube - security update
-	{CVE-2026-35545}
+	{CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35543 CVE-2026-35544 CVE-2026-35545}
 	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 [30 Mar 2026] DLA-4516-1 gst-plugins-ugly1.0 - security update
 	{CVE-2026-2920 CVE-2026-2922}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7726ebf94e710dd9bf2bde869939ea1870b55990

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7726ebf94e710dd9bf2bde869939ea1870b55990
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260403/96f826ab/attachment.htm>

More information about the debian-security-tracker-commits mailing list