[Git][security-tracker-team/security-tracker][master] Track fixed version for roundcube issues via unstable upload

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Mar 20 17:58:47 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fd1f5621 by Salvatore Bonaccorso at 2026-03-20T18:57:54+01:00
Track fixed version for roundcube issues via unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1193,40 +1193,40 @@ CVE-2026-2046
 	NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/15289
 	NOTE: Building of optional Plug-In for Amiga IFF/ILBM not enabled.
 CVE-2026-XXXX [SSRF + Information Disclosure via stylesheet links to a local network hosts]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://i0.rs/blog/turning-a-roundcube-link-tag-into-a-zero-day-ssrf-and-data-exfiltration/
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
 CVE-2026-XXXX [XSS issue in a HTML attachment preview]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f
 CVE-2026-XXXX [Fixed position mitigation bypass via use of `!important`]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#css-position-fixed-important
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0
 CVE-2026-XXXX [Remote image blocking bypass via a crafted body background attribute]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#body-backgrounds-unquoted-url
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b561874923f9b0f0
 CVE-2026-XXXX [Remote image blocking bypass via various SVG animate attributes]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#smil-animations-values-and-by
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd
 CVE-2026-XXXX [IMAP Injection + CSRF bypass in mail search]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c (1.6.14)
 	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/6b137adda9b042c3742b0f968692e95ed367d3d1
 CVE-2026-XXXX [Bug where a password could get changed without providing the old password]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
 CVE-2026-XXXX [pre-auth arbitrary file write via unsafe deserialization in edis/memcache session handler]
-	- roundcube <unfixed> (bug #1131182)
+	- roundcube 1.6.14+dfsg-1 (bug #1131182)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74
 CVE-2026-23248 (In the Linux kernel, the following vulnerability has been resolved:  p ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd1f56217ecab68ebc6c9d4e286cc2d5af746812

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd1f56217ecab68ebc6c9d4e286cc2d5af746812
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260320/3c25e1b1/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list