[Git][security-tracker-team/security-tracker][master] Reserve DLA-4517-1 for roundcube

Guilhem Moulin (@guilhem) guilhem at debian.org
Mon Mar 30 15:46:15 BST 2026 


Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
86dc841d by Guilhem Moulin at 2026-03-30T16:44:40+02:00
Reserve DLA-4517-1 for roundcube

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2,6 +2,7 @@ CVE-2026-4981
 	NOT-FOR-US: Red Hat Advanced Cluster Security
 CVE-2026-XXXX [SVG Animate FUNCIRI Attribute Bypass]
 	- roundcube 1.6.15+dfsg-1 (bug #1132268)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88
 CVE-2026-5119 (A flaw was found in libsoup. When establishing HTTPS tunnels through a ...)
@@ -6740,40 +6741,48 @@ CVE-2026-2046
 	NOTE: Building of optional Plug-In for Amiga IFF/ILBM not enabled.
 CVE-2026-XXXX [SSRF + Information Disclosure via stylesheet links to a local network hosts]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://i0.rs/blog/turning-a-roundcube-link-tag-into-a-zero-day-ssrf-and-data-exfiltration/
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
 CVE-2026-XXXX [XSS issue in a HTML attachment preview]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f
 CVE-2026-XXXX [Fixed position mitigation bypass via use of `!important`]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#css-position-fixed-important
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0
 CVE-2026-XXXX [Remote image blocking bypass via a crafted body background attribute]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#body-backgrounds-unquoted-url
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/fde14d01adc9f37893cd82b635883e516ed453f8 (1.6.14)
 	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/5aba847cb8d5e00a52405e5cd1becb7ec0dcbe4b (1.6.15)
 CVE-2026-XXXX [Remote image blocking bypass via various SVG animate attributes]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/#smil-animations-values-and-by
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd
 CVE-2026-XXXX [IMAP Injection + CSRF bypass in mail search]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c (1.6.14)
 	NOTE: Regression fix: https://github.com/roundcube/roundcubemail/commit/6b137adda9b042c3742b0f968692e95ed367d3d1
 CVE-2026-XXXX [Bug where a password could get changed without providing the old password]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
 CVE-2026-XXXX [pre-auth arbitrary file write via unsafe deserialization in edis/memcache session handler]
 	- roundcube 1.6.14+dfsg-1 (bug #1131182)
+	[bullseye] - roundcube <not-affected> (Vulnerable code introduced later, 1.4.x doesn't use Guzzle)
 	NOTE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74
 CVE-2026-23248 (In the Linux kernel, the following vulnerability has been resolved:  p ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,5 @@
+[30 Mar 2026] DLA-4517-1 roundcube - security update
+	[bullseye] - roundcube 1.4.15+dfsg.1-1+deb11u8
 [30 Mar 2026] DLA-4516-1 gst-plugins-ugly1.0 - security update
 	{CVE-2026-2920 CVE-2026-2922}
 	[bullseye] - gst-plugins-ugly1.0 1.18.4-2+deb11u2


=====================================
data/dla-needed.txt
=====================================
@@ -386,10 +386,6 @@ python3.9 (arnaudr)
   NOTE: 20260320: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/308 (arnaudr)
   NOTE: 20260320: I pinged andrewsh to ask if I should hand it over to him, or if I keep going (arnaudr)
 --
-roundcube (guilhem)
-  NOTE: 20260326: Added by Front-Desk (Beuc)
-  NOTE: 20260326: Upcoming DSA (Beuc/front-desk)
---
 runc
   NOTE: 20251105: Added by Front-Desk (Beuc)
   NOTE: 20251105: 3 high-severity container breakouts. Used by docker.io.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86dc841dc60ca43484cc495123da099ded392187

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86dc841dc60ca43484cc495123da099ded392187
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260330/aa23b59b/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list