[Pkg-roundcube-maintainers] Bug#1131182: roundcube: Multiple security vulnerabilities

Guilhem Moulin guilhem at debian.org
Wed Mar 18 16:19:35 GMT 2026


Source: roundcube
Version: 1.6.13+dfsg-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Control: found -1 1.6.13+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u7
Control: found -1 1.4.15+dfsg.1-1+deb11u7
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Roundcube webmail upstream has recently released 1.6.14 [0] which fixes
the following security vulnerabilities:

  1. Pre-auth arbitrary file write via unsafe deserialization in
     redis/memcache session handler, reported by y0us.
     https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74

  2. Bug where a password could get changed without providing the old
     password, reported by flydragon777.
     https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4

  3. IMAP Injection + CSRF bypass in mail search, reported by Martila
     Security Research Team.
     https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15

  4. Remote image blocking bypass via various SVG animate attributes,
     reported by nullcathedral.
     https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd

  5. Remote image blocking bypass via a crafted body background
     attribute, reported by nullcathedral.
     https://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b561874923f9b0f0

  6. Fixed position mitigation bypass via use of `!important`, reported
     by nullcathedral.
     https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0

  7. XSS issue in an HTML attachment preview, reported by aikido_security.
     https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f

  8. SSRF + Information Disclosure via stylesheet links to local network
     hosts, reported by Georgios Tsimpidas.
     https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942

Upstream's solution for the last issue adds a new runtime dependency mlocati/ip-lib ≥1.22
which unfortunately is not in Debian yet.  I can upload it to sid as
part of the PEAR team, but older suites will need another solution.

AFAIK no CVE-IDs have been published for these issues.  I just requested some.
-- 
Guilhem.

[0] https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
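The eighth issue above is fixed upstream by adding mlocati/ip-lib to classify the target address of a stylesheet link before it is fetched server-side. As an added illustration of that kind of check (this is not Roundcube's patch and does not use the ip-lib API; it is a stand-in written with core PHP only), the following function refuses URLs whose host is, or resolves to, a loopback, link-local, private or otherwise non-public address. The range list and the sample URLs are constructed for the example.

```php
<?php
// Added example, not Roundcube's code and not mlocati/ip-lib: a defensive
// check that refuses URLs pointing at non-public addresses. Upstream uses
// ip-lib for the range logic; this stand-in uses only core PHP functions.

declare(strict_types=1);

// Non-public ranges in CIDR form (IPv4 and IPv6), constructed for this example.
const NON_PUBLIC_RANGES = [
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
    '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/24', '192.168.0.0/16',
    '198.18.0.0/15', '224.0.0.0/4', '240.0.0.0/4',
    '::/128', '::1/128', '::ffff:0:0/96', 'fc00::/7', 'fe80::/10', 'ff00::/8',
];

// True if textual address $ip lies inside CIDR $range; handles v4 and v6.
function ipInRange(string $ip, string $range): bool
{
    [$net, $bits] = explode('/', $range, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or address family mismatch (v4 vs v6)
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Compare only the leading $rem bits of the first partial byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isNonPublicIp(string $ip): bool
{
    foreach (NON_PUBLIC_RANGES as $range) {
        if (ipInRange($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Decide whether a stylesheet (or image) URL may be fetched server-side.
// Rejects non-http(s) schemes, literal non-public IPs, and hostnames that
// resolve (A or AAAA) to any non-public address. Unresolvable hosts fail closed.
function isSafeRemoteUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !isNonPublicIp($host);
    }
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false || $records === []) {
        return false;
    }
    foreach ($records as $r) {
        $addr = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($addr === null || isNonPublicIp($addr)) {
            return false;
        }
    }
    return true;
}

// Usage with constructed URLs; the first four are refused, the last one is allowed.
var_dump(isSafeRemoteUrl('http://127.0.0.1/style.css'));
var_dump(isSafeRemoteUrl('https://[::1]/style.css'));
var_dump(isSafeRemoteUrl('http://10.0.0.5/x.css'));
var_dump(isSafeRemoteUrl('ftp://example.com/x.css'));
var_dump(isSafeRemoteUrl('http://203.0.113.10/style.css'));
```

One caveat a reviewer would raise about any resolve-then-fetch check of this shape: the DNS answer inspected here can differ from the one the HTTP client obtains a moment later (DNS rebinding), so a complete mitigation also pins the fetch to the address that passed the check, or re-validates the peer address once the connection is established.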