[Pkg-roundcube-maintainers] Bug#1132838: roundcube: upgrading roundcube on bullseye creates PHP error and apache 500 error accessing /roundcube
Mark Foster
debian-reportbug at blakjak.net
Mon Apr 6 11:53:42 BST 2026
On 6/04/2026 8:48 pm, Guilhem Moulin wrote:
> Control: tag -1 moreinfo
>
> On Mon, 06 Apr 2026 at 20:23:29 +1200, Mark Foster wrote:
>> Upgrade: libpng16-16:amd64 (1.6.37-3+deb11u2, 1.6.37-3+deb11u3), roundcube-core:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8), roundcube:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8), roundcube-mysql:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8)
>>
>> On completion of the update attempts to access /roundcube/ logged the following in my errors file:
>>
>> PHP Parse error: syntax error, unexpected '[' in /usr/share/roundcube/program/lib/Roundcube/rcube_utils.php on line 433,
> Is your roundcube instance running on PHP<7.1? The syntax error at the
> array destructuring on line 433 suggests so, at least. reportbug(1)
> output says otherwise but that code snippet has good test coverage from
> a stock Bullseye system and a syntax error would have been caught.
I suppose I should've looked into this sooner. The machine has php7.4 on
it but still had php5 on it from a long time ago when I used to host
some web services for some non-profits and friends and such.
I'm not presently aware of any system dependencies on php5 so I've done
this:
> a2dismod php5
> a2enmod php7.4
> systemctl restart apache2
I've removed the comments from rcube_utils.php and so far roundcube is
working without errors.
So I guess - so long as I don't trip over a php5 requirement that I've
missed - that I've now prompted apache2 to actually use the newer
version of php which has been available all this time... ???
>> I'm not sure why roundcube wants knowledge of RFC1918 and 4291 and how
>> this changes the user experience, to be honest, but I'm happy to live
>> without it.
> You made yourself vulnerable to CVE-2026-35540. See
> https://salsa.debian.org/roundcube-team/roundcube/-/commit/021968cea0fd16a16d8e1a565d183ac51237576a
> for an alternative that doesn't use array destructuring and restores
> compatibility with PHP<7.1.
I don't see any reason not to use the newer php package already present
on the machine - but thanks for the prompt response and an explanation
which gave me just enough clues.
Regards
Mark.
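
The mismatch found in this thread (Apache still loading the php5 module while php7.4 was installed) can be checked directly. The script below is an added example, not part of the original message or of the roundcube package; it assumes the Debian layout where enabled modules appear as phpX[.Y].load under /etc/apache2/mods-enabled, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which mod_php versions Apache has enabled and flag
# any older than a minimum (7.1, the version array destructuring needs).
# Assumption: Debian layout, enabled modules are <dir>/phpX[.Y].load.

# php_mods_enabled [DIR] -> one enabled PHP module version per line ("5", "7.4")
php_mods_enabled() {
    dir=${1:-/etc/apache2/mods-enabled}
    for f in "$dir"/php*.load; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        b=${f##*/}; b=${b#php}; b=${b%.load}     # php7.4.load -> 7.4
        case $b in [0-9]*) printf '%s\n' "$b" ;; esac
    done
}

# version_older VER MIN -> status 0 if VER < MIN (major.minor, missing minor = 0)
version_older() {
    vmaj=${1%%.*}; mmaj=${2%%.*}
    case $1 in *.*) vmin=${1#*.}; vmin=${vmin%%.*} ;; *) vmin=0 ;; esac
    case $2 in *.*) mmin=${2#*.}; mmin=${mmin%%.*} ;; *) mmin=0 ;; esac
    [ "$vmaj" -lt "$mmaj" ] && return 0
    [ "$vmaj" -eq "$mmaj" ] && [ "$vmin" -lt "$mmin" ] && return 0
    return 1
}

# stale_php_mods [DIR] [MIN] -> prints enabled versions below MIN (empty = none)
stale_php_mods() {
    min=${2:-7.1}
    for v in $(php_mods_enabled "$1"); do
        if version_older "$v" "$min"; then printf '%s\n' "$v"; fi
    done
}

# Constructed sample: a mods-enabled directory with only php5 enabled,
# as on the host before a2dismod php5 / a2enmod php7.4.
demo() {
    d=$(mktemp -d)
    : > "$d/php5.load"; : > "$d/ssl.load"
    stale_php_mods "$d" 7.1
    rm -rf "$d"
}
demo
```

Running `stale_php_mods` with no arguments on the web server itself checks the live configuration; the PHP version reported by the command line (as in reportbug output) is not necessarily the one Apache loads.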