[Git][security-tracker-team/security-tracker][master] 2 commits: #1131182/Roundcube: Update release post URL

Guilhem Moulin (@guilhem) guilhem at debian.org
Fri Mar 20 15:44:12 GMT 2026 


Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
425b3921 by Guilhem Moulin at 2026-03-20T16:38:29+01:00
#1131182/Roundcube: Update release post URL

Upstream fixed the the post's title which appears to have invalidated the previous URL

- - - - -
a8e628ea by Guilhem Moulin at 2026-03-20T16:43:47+01:00
#1131182/Roundcube: Add links to the reporter's sites for 4 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1193,35 +1193,39 @@ CVE-2026-2046
 	NOTE: Building of optional Plug-In for Amiga IFF/ILBM not enabled.
 CVE-2026-XXXX [SSRF + Information Disclosure via stylesheet links to a local network hosts]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
+	NOTE: https://i0.rs/blog/turning-a-roundcube-link-tag-into-a-zero-day-ssrf-and-data-exfiltration/
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
 CVE-2026-XXXX [XSS issue in a HTML attachment preview]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f
 CVE-2026-XXXX [Fixed position mitigation bypass via use of `!important`]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
+	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#css-position-fixed-important
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0
 CVE-2026-XXXX [Remote image blocking bypass via a crafted body background attribute]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
+	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#body-backgrounds-unquoted-url
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b561874923f9b0f0
 CVE-2026-XXXX [Remote image blocking bypass via various SVG animate attributes]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
+	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#smil-animations-values-and-by
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd
 CVE-2026-XXXX [IMAP Injection + CSRF bypass in mail search]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15
 CVE-2026-XXXX [Bug where a password could get changed without providing the old password]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
 CVE-2026-XXXX [pre-auth arbitrary file write via unsafe deserialization in edis/memcache session handler]
 	- roundcube <unfixed> (bug #1131182)
-	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
+	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74
 CVE-2026-23248 (In the Linux kernel, the following vulnerability has been resolved:  p ...)
 	- linux 6.19.8-1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4b8b64524e5d7eba22b528fd155c30105fb1f597...a8e628ea31b68cc21acc77103c4625c318faa7cf

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4b8b64524e5d7eba22b528fd155c30105fb1f597...a8e628ea31b68cc21acc77103c4625c318faa7cf
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260320/e39e15d9/attachment.htm>

More information about the debian-security-tracker-commits mailing list