[Pkg-roundcube-maintainers] Bug#1131182: roundcube: Multiple security vulnerabilities

Guilhem Moulin guilhem at debian.org
Fri Mar 20 17:49:29 GMT 2026


On Wed, 18 Mar 2026 at 17:19:35 +0100, Guilhem Moulin wrote:
> 8. SSRF + Information Disclosure via stylesheet links to local
>    network hosts, reported by Georgios Tsimpidas.
>    https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
>
> Upstream's solution for the last issue adds a new runtime dependency mlocati/ip-lib ≥1.22
> which unfortunately is not in Debian yet.  I can upload it to sid as
> part of the PEAR team, but older suites will need another solution.

On second thought there is some value in having the workaround in sid
too, at least for now (in case there would be regressions).  Here is the
PHP-native alternative I came up with:

https://salsa.debian.org/roundcube-team/roundcube/-/blob/debian/latest/debian/patches/Avoid-dependency-on-new-package-mlocati-ip-lib.patch

-- 
Guilhem.
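For readers following the thread, here is an added illustration of the kind of PHP-native check such a workaround has to make (classifying the host of a stylesheet URL as local-network using only the filter extension and DNS resolution). It is not the Debian patch linked above and not upstream's mlocati/ip-lib based fix; the function names and sample URLs are mine.

```php
<?php
// Added example, not Roundcube's or Debian's code: decide whether the host of
// a stylesheet URL points at a local/private network so the fetcher can refuse
// it. The address ranges rejected by FILTER_FLAG_NO_PRIV_RANGE and
// FILTER_FLAG_NO_RES_RANGE are those defined by PHP's filter extension.

function is_local_ip(string $ip): bool
{
    // An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) must be judged by its
    // IPv4 part, otherwise the private-range check does not apply to it.
    if (preg_match('/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i', $ip, $m)) {
        $ip = $m[1];
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true; // not an IP literal at all: refuse rather than guess
    }
    // Private and reserved (loopback, link-local, ...) addresses fail the
    // filter once both flags are applied.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

function is_local_network_host(string $host): bool
{
    $host = trim($host, '[]'); // parse_url() keeps brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_local_ip($host);
    }
    // Hostname: resolve A and AAAA records and refuse if *any* answer is local.
    // Caveat: DNS may answer differently at fetch time (rebinding), so the
    // fetcher should connect to the address validated here, not re-resolve.
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false || $records === []) {
        return true; // unresolvable: refuse
    }
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ($ip === null || is_local_ip($ip)) {
            return true;
        }
    }
    return false;
}

// Constructed sample stylesheet URLs (IP literals, so this runs offline).
foreach (['http://10.0.0.5/a.css', 'http://[::1]/b.css',
          'http://[::ffff:192.168.1.1]/c.css', 'http://169.254.1.1/d.css',
          'http://203.0.113.10/e.css'] as $url) {
    $host = parse_url($url, PHP_URL_HOST) ?? '';
    printf("%-40s local=%s\n", $url, is_local_network_host($host) ? 'yes' : 'no');
}
```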