[Pkg-roundcube-maintainers] Bug#1107073: roundcube: Post-Auth RCE via PHP Object Deserialization
Guilhem Moulin
guilhem at debian.org
Sun Jun 1 10:10:05 BST 2025
Source: roundcube
Version: 1.6.10+dfsg-2
Severity: grave
Control: found -1 1.6.5+dfsg-1+deb12u4
Control: found -1 1.4.15+dfsg.1-1+deb11u4
Tags: security upstream
Justification: user security hole

Roundcube webmail upstream has recently released 1.6.10 [0] which fixes
the following vulnerability:

 * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
   https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

AFAICT no CVE-ID has been published for this issue. Will request one
tomorrow if no one beats me to it.
--
Guilhem.
[0] https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10