[Pkg-roundcube-maintainers] roundcube_1.6.15+dfsg-0+deb13u1_source.changes ACCEPTED into proposed-updates->stable-new
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sat Apr 4 21:33:53 BST 2026
Thank you for your contribution to Debian.
Mapping stable-security to proposed-updates.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Mar 2026 13:40:22 +0200
Source: roundcube
Architecture: source
Version: 1.6.15+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers at alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem at debian.org>
Closes: 1131182 1132268
Changes:
 roundcube (1.6.15+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1131182, #1132268).
     + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe
       deserialization in redis/memcache session handler.
     + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search.
     + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview.
     + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via
       stylesheet links pointing to local network hosts.
     + Fix CVE-2026-35541: A password could get changed without providing the
       old password in some situations.
     + Fix CVE-2026-35542: Remote image blocking bypass via a crafted <body>
       background attribute.
     + Fix CVE-2026-35543: Remote image blocking bypass via various SVG animate
       attributes.
     + Fix CVE-2026-35544: Fixed position mitigation bypass via use of
       `!important`.
     + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image
       loading via fill/filter/stroke).
   * Refresh d/patches.
   * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is
     not present in trixie.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----