[Pkg-roundcube-maintainers] roundcube_1.6.5+dfsg-1+deb12u8_source.changes ACCEPTED into oldstable-proposed-updates->oldstable-new
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sat Apr 4 21:33:36 BST 2026
Thank you for your contribution to Debian.
Mapping oldstable-security to oldstable-proposed-updates.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 Mar 2026 19:15:19 +0100
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u8
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers at alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem at debian.org>
Closes: 1131182 1132268
Changes:
 roundcube (1.6.5+dfsg-1+deb12u8) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.14 and v1.6.15 (closes:
     #1131182, #1132268):
     + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe
       deserialization in redis/memcache session handler.
     + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search.
     + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview.
     + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via
       stylesheet links pointing to local network hosts.
     + Fix CVE-2026-35541: A password could get changed without providing the
       old password in some situations.
     + Fix CVE-2026-35542: Remote image blocking bypass via a crafted <body>
       background attribute.
     + Fix CVE-2026-35543: Remote image blocking bypass via various SVG animate
       attributes.
     + Fix CVE-2026-35544: Fixed position mitigation bypass via use of
       `!important`.
     + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image
       loading via fill/filter/stroke).
   * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is
     not present in bookworm.
Checksums-Sha1:
a95c6a9aaf4667b202da4cddfd8972f13e0e0b51 3833 roundcube_1.6.5+dfsg-1+deb12u8.dsc
75e8f83121324fcf70adecf57378e2e42210d29a 130548 roundcube_1.6.5+dfsg-1+deb12u8.debian.tar.xz
78e4665c4a53ec24e82a59ef862bcffacec8e211 6238 roundcube_1.6.5+dfsg-1+deb12u8_source.buildinfo
Checksums-Sha256:
d04503b681969d1541aaf9523a7a565bdaf4789b72923e7615376423f8b41cad 3833 roundcube_1.6.5+dfsg-1+deb12u8.dsc
489d5acb099250123e0a5e058202299400ac57492e941f555055e13b477805b0 130548 roundcube_1.6.5+dfsg-1+deb12u8.debian.tar.xz
48f77db6f2d21add8b342ab57c05d7c93057cb42b399898e86ddcaa3850a661d 6238 roundcube_1.6.5+dfsg-1+deb12u8_source.buildinfo
Files:
bffef305afbe28b922814c1692687734 3833 web optional roundcube_1.6.5+dfsg-1+deb12u8.dsc
ac9ac632a4e422f52c0022b5278365c8 130548 web optional roundcube_1.6.5+dfsg-1+deb12u8.debian.tar.xz
b5e0596543fee232be22cb56597c742c 6238 web optional roundcube_1.6.5+dfsg-1+deb12u8_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----