From guilhem at debian.org Sun Jul 5 16:04:05 2026 From: guilhem at debian.org (Guilhem Moulin) Date: Sun, 5 Jul 2026 17:04:05 +0200 Subject: [Pkg-roundcube-maintainers] Bug#1141495: roundcube: Multiple security vulnerabilities Message-ID: Source: roundcube Version: 1.6.16+dfsg-1 Control: found -1 1.6.16+dfsg-0+deb13u1 Control: found -1 1.6.5+dfsg-1+deb12u9 Control: found -1 1.4.15+dfsg.1-1+deb11u9 Severity: important Tags: security upstream X-Debbugs-Cc: Debian Security Team Roundcube webmail upstream has recently released 1.6.17 [0] which fixes the following security vulnerabilities: 1. Infinite loop in TNEF (winmail.dat) decoder https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38 https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89 2. Various vulnerabilities in the password plugin using session-injected username https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476 https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c 3. CVE-2026-54432: Stored XSS via unescaped attachment MIME type on the attachment-validation warning page https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e4393d32abb157cb2a568 4. SSRF bypass via specific local address URLs https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040cef8607b677d459e0786 5. CVE-2026-54433: Zero-click stored XSS in plain-text rendering https://github.com/roundcube/roundcubemail/commit/63e42e233c6e8b5100e2e61a4d13addcd1a45bd5 6. DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda511b8464fe9cb34b522c1 AFAIK no CVE-ID have been published for issues 1, 2, 4 and 6. I'll request some tomorrow unless someone beats me to it. -- Guilhem. [0] https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From owner at bugs.debian.org Sun Jul 5 16:05:04 2026 From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Sun, 05 Jul 2026 15:05:04 +0000 Subject: [Pkg-roundcube-maintainers] Processed: roundcube: Multiple security vulnerabilities References: Message-ID: Processing control commands: > found -1 1.6.16+dfsg-0+deb13u1 Bug #1141495 [src:roundcube] roundcube: Multiple security vulnerabilities Marked as found in versions roundcube/1.6.16+dfsg-0+deb13u1. > found -1 1.6.5+dfsg-1+deb12u9 Bug #1141495 [src:roundcube] roundcube: Multiple security vulnerabilities Marked as found in versions roundcube/1.6.5+dfsg-1+deb12u9. > found -1 1.4.15+dfsg.1-1+deb11u9 Bug #1141495 [src:roundcube] roundcube: Multiple security vulnerabilities The source 'roundcube' and version '1.4.15+dfsg.1-1+deb11u9' do not appear to match any binary packages Marked as found in versions roundcube/1.4.15+dfsg.1-1+deb11u9. -- 1141495: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141495 Debian Bug Tracking System Contact owner at bugs.debian.org with problems From ftpmaster at ftp-master.debian.org Sun Jul 5 16:52:58 2026 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sun, 05 Jul 2026 15:52:58 +0000 Subject: [Pkg-roundcube-maintainers] Processing of roundcube_1.6.17+dfsg-1_source.changes Message-ID: roundcube_1.6.17+dfsg-1_source.changes uploaded successfully to localhost along with the files: roundcube_1.6.17+dfsg-1.dsc roundcube_1.6.17+dfsg.orig-tinymce-langs.tar.xz roundcube_1.6.17+dfsg.orig-tinymce.tar.xz roundcube_1.6.17+dfsg.orig.tar.xz roundcube_1.6.17+dfsg-1.debian.tar.xz roundcube_1.6.17+dfsg-1_source.buildinfo Greetings, Your Debian queue daemon (running on host usper.debian.org) From ftpmaster at ftp-master.debian.org Sun Jul 5 17:04:19 2026 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sun, 05 Jul 2026 16:04:19 +0000 Subject: [Pkg-roundcube-maintainers] roundcube_1.6.17+dfsg-1_source.changes ACCEPTED into unstable Message-ID: Thank you for your contribution to Debian. Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 05 Jul 2026 17:26:53 +0200 Source: roundcube Architecture: source Version: 1.6.17+dfsg-1 Distribution: unstable Urgency: high Maintainer: Debian Roundcube Maintainers Changed-By: Guilhem Moulin Closes: 1138086 1141495 Changes: roundcube (1.6.17+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release (closes: #1141495). + Fix infinite loop in TNEF (winmail.dat) decoder. + Fix various vulnerabilities in the password plugin using session-injected username. + Fix CVE-2026-54432: Stored XSS via unescaped attachment MIME type on the attachment-validation warning page. + Fix SSRF bypass via specific local address URLs. + Fix CVE-2026-54433: Zero-click stored XSS in plain-text rendering. + Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file. + Enigma: Add support for automatic public key lookup (import) using HKP v1 protocol. + Enigma: Add support for Kolab's Web Of Anti-Trust (WOAT) feature. * d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Improve patch and drop type annotations to restore compatibility with PHP<8 (closes: #1138086). Checksums-Sha1: cc90069cc1df4a571acd39ce7d8b196b3729a2b2 3845 roundcube_1.6.17+dfsg-1.dsc c42a03f7b7f449f7ec9023843d775b66e2887e31 126836 roundcube_1.6.17+dfsg.orig-tinymce-langs.tar.xz a14b229b6767817fb36d85c6c22b700e81fcc74a 1928888 roundcube_1.6.17+dfsg.orig-tinymce.tar.xz 1f753251c7e378540cea602af4a7f5db415764fa 2906816 roundcube_1.6.17+dfsg.orig.tar.xz 3e31aaa811424ffebdd43e601f014e46a56d6b6c 159116 roundcube_1.6.17+dfsg-1.debian.tar.xz cc5c4a419d387e71bd5a5047ed7b18e3f518ce0d 6227 roundcube_1.6.17+dfsg-1_source.buildinfo Checksums-Sha256: 5ddbaa4318bc081ac0b28d46522d702fb3a89220ca26038c7e20e4588ee4a65b 3845 roundcube_1.6.17+dfsg-1.dsc a9e0dcf588cdfd398b1ffacb63d3cc6cf2132785adcf98b9bc3cb7b23f9f1f6e 126836 roundcube_1.6.17+dfsg.orig-tinymce-langs.tar.xz 870c74fc7fe5f66929a8f45b7340be3d542d94ef5786d92393bfbf687c57b1fa 1928888 roundcube_1.6.17+dfsg.orig-tinymce.tar.xz c32cae39892d8936f1b07712e0cda3f435d311cd095e6d949d8e62c473ae1426 2906816 roundcube_1.6.17+dfsg.orig.tar.xz d4a4cfd1cc4c48007af7e059cb201ba800b92ec1185f7f3d2f0c5429e25e9367 159116 roundcube_1.6.17+dfsg-1.debian.tar.xz 87e264d6e5a915851d22b91aeaab2652671903f08c8f57690fb931aaa0edceef 6227 roundcube_1.6.17+dfsg-1_source.buildinfo Files: b9a10be22b02a0bf26798952f2d58b30 3845 web optional roundcube_1.6.17+dfsg-1.dsc 14e66bb6839218d4add3e1fbea68952d 126836 web optional roundcube_1.6.17+dfsg.orig-tinymce-langs.tar.xz d1198f417f0ae874dedee8a12e7c8713 1928888 web optional roundcube_1.6.17+dfsg.orig-tinymce.tar.xz dc32d01c80607b6c6ab3a206e354e584 2906816 web optional roundcube_1.6.17+dfsg.orig.tar.xz 66ef61fd6e2c2ba68d5731a617f3c9d1 159116 web optional roundcube_1.6.17+dfsg-1.debian.tar.xz fa5e7976140601b140b3b19a0214fb9d 6227 web optional roundcube_1.6.17+dfsg-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmpKebwACgkQ05pJnDwh pVKMjQ/9FASx8Pq8QeLmityAdMYXFizs6anN2uBThC1gIvWtRrL6bogVQTbUILWM ISZKtGsxgSn6MA4vKU2ILbJdidb1mN+Hc+7TdOaWqxQEcX+tsFzuV4oJbAhyurzM rm+uPytsTEekBfTBjYTbNaLsj4WE+0qHTLnGjUgHGk3DK9w48tvIBoJnxWYIuq1D /7n2OP8sPEsXlmuey47wBF7xhvgj2krBOpDOPjAoROuNK0foc3zcFmSvDDx/2Ldv ooE0DUkq/iQPcJw/1a+UrxqyIYNoD40qq7avTF4uF6vRgta2mNOyOBHwMcioPqlq RvUYLlMp18vy9TtkK9HFcnN9PEAuiNpGPbS5tNhxXXfT9uZpZTgHqBgIPd0UfAM4 Oe61c06IRA9XYHayR8zpabguRsNn2GdJxJO74HXzI9Q5gxy1WW8lAL9KR9IuUsEV eZNHvUtELqth2O/c1xWuLurYxZAiFjCtzK7Xg4mLT18CEXduR24WrQU5mFZN4ApQ c+tQNdSY3XiQ+JcQY9klPdjb0PborZH2PShLUOAYUTR9R2XZlMvuzRIogaxnel2v YPO8HA6QrVZNCmvfVTkkwJBRiywXfCqKPSmjHJiEaSTQVdqJ8F1o2vLI+3h0ECyw h/wLup2HG2YhezdBw9g8xwZCtL4OAP2In3HCNd6cnJaLdLjSFGo= =dyWy -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 228 bytes Desc: not available URL: From owner at bugs.debian.org Sun Jul 5 17:07:02 2026 From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Sun, 05 Jul 2026 16:07:02 +0000 Subject: [Pkg-roundcube-maintainers] Bug#1138086: marked as done (DSA 6301-1 breaks roundcube on PHP <8) References: <177995566786.29034.4180568629571857119.reportbug@bupu-new.mzk.cz> Message-ID: Your message dated Sun, 05 Jul 2026 16:04:19 +0000 with message-id and subject line Bug#1138086: fixed in roundcube 1.6.17+dfsg-1 has caused the Debian Bug report #1138086, regarding DSA 6301-1 breaks roundcube on PHP <8 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 1138086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138086 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Vladislav Kurz Subject: roundcube: DSA 6301-1 breaks roundcube Date: Thu, 28 May 2026 10:07:47 +0200 Size: 7941 URL: -------------- next part -------------- An embedded message was scrubbed... From: Debian FTP Masters Subject: Bug#1138086: fixed in roundcube 1.6.17+dfsg-1 Date: Sun, 05 Jul 2026 16:04:19 +0000 Size: 8430 URL: From owner at bugs.debian.org Sun Jul 5 17:07:03 2026 From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Sun, 05 Jul 2026 16:07:03 +0000 Subject: [Pkg-roundcube-maintainers] Bug#1141495: marked as done (roundcube: Multiple security vulnerabilities) References: Message-ID: Your message dated Sun, 05 Jul 2026 16:04:19 +0000 with message-id and subject line Bug#1141495: fixed in roundcube 1.6.17+dfsg-1 has caused the Debian Bug report #1141495, regarding roundcube: Multiple security vulnerabilities to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 1141495: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141495 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Guilhem Moulin Subject: roundcube: Multiple security vulnerabilities Date: Sun, 5 Jul 2026 17:04:05 +0200 Size: 5563 URL: -------------- next part -------------- An embedded message was scrubbed... From: Debian FTP Masters Subject: Bug#1141495: fixed in roundcube 1.6.17+dfsg-1 Date: Sun, 05 Jul 2026 16:04:19 +0000 Size: 8490 URL: