[Pkg-roundcube-maintainers] roundcube_1.6.16+dfsg-1_source.changes ACCEPTED into unstable

Debian FTP Masters ftpmaster at ftp-master.debian.org
Mon May 25 00:33:41 BST 2026


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 00:30:41 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers at alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem at debian.org>
Closes: 1137507
Changes:
 roundcube (1.6.16+dfsg-1) unstable; urgency=medium
 .
   * New upstream security and bugfix release (closes: #1137507).
     + Fix stored XSS/HTML/CSS injection in subject field of the draft restore
       dialog.
     + Fix CSS injection bypass in HTML sanitizer via SVG <animate
       attributeName="style">.
     + Fix pre-auth SQL injection in `virtuser_query` plugin via
       `preg_replace()` backslash escape bypass.
     + Fix SSRF bypass via specific local address URLs.
     + Fix local/private URL fetch bypass when remote resources were not
       allowed.
     + Fix bypass of remote image blocking via CSS `var()`.
     + Fix pre-auth arbitrary file delete via redis/memcache session poisoning
       bypass.
     + Code injection vulnerability via code evaluation support in LDAP
       autovalues option.  Code evaluation support has been removed.
   * Refresh d/patches.
   * d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Add support for
     non quad-dotted IPs and non-decimal fields to match the upstream behavior.
   * Update Standards-Version to 4.7.4 (no changes necessary).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
