[Pkg-roundcube-maintainers] roundcube_1.6.14+dfsg-1_source.changes ACCEPTED into unstable
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Fri Mar 20 17:48:48 GMT 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 Mar 2026 17:52:47 +0100
Source: roundcube
Architecture: source
Version: 1.6.14+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers at alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem at debian.org>
Closes: 1131182
Changes:
 roundcube (1.6.14+dfsg-1) unstable; urgency=high
 .
   * New upstream security and bugfix release (closes: #1131182).
     + Fix pre-auth arbitrary file write via unsafe deserialization in
       redis/memcache session handler.
     + Fix bug where a password could get changed without providing the old
       password.
     + Fix IMAP Injection + CSRF bypass in mail search.
     + Fix remote image blocking bypass via various SVG animate attributes.
     + Fix remote image blocking bypass via a crafted <body> background
       attribute.
     + Fix fixed position mitigation bypass via use of `!important`.
     + Fix XSS vulnerability in HTML attachment preview.
     + Fix SSRF and information disclosure vulnerability via stylesheet links
       pointing to local network hosts.
   * Refresh d/patches.
   * Cherry-pick upstream changes from 1.7 to fix PHP 8.2 deprecation warning on
     utf8_{encode,decode}() uses.
   * Cherry-pick upstream change from 1.7 to fix PHP 8.4 deprecation warning on
     str_getcsv() use.
   * Cherry-pick upstream regression fix where mail search would fail on
     non-ASCII search criteria.
   * Add custom patch to avoid dependency on mlocati/ip-lib, which as of today
     is not present in Debian.
   * phpunit: Pass `--display-deprecations` and `--display-phpunit-deprecations`
     flags.
Files:
776d8bc48739e650f91fc55829024486 3828 web optional roundcube_1.6.14+dfsg-1.dsc
555fd57325d8c7e4e530860121a2295e 126920 web optional roundcube_1.6.14+dfsg.orig-tinymce-langs.tar.xz
6a9c45bead992cf7ad4e2c021447e68a 1928376 web optional roundcube_1.6.14+dfsg.orig-tinymce.tar.xz
cdc810ee064f09b5bc8dd651b1d4d93e 2792884 web optional roundcube_1.6.14+dfsg.orig.tar.xz
751640ba55ce820550184cab9952a7a5 156728 web optional roundcube_1.6.14+dfsg-1.debian.tar.xz
81c753dec3aa99175e5e6bd038b4216c 6220 web optional roundcube_1.6.14+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----