[Pkg-roundcube-maintainers] roundcube_1.6.16+dfsg-0+deb13u1_source.changes ACCEPTED into proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Thu May 28 14:03:14 BST 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 May 2026 23:06:33 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers at alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem at debian.org>
Closes: 1137507
Changes:
 roundcube (1.6.16+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1137507).
     + Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
       via `preg_replace()` backslash escape bypass.
     + Fix CVE-2026-48843: SSRF bypass via specific local address URLs. Add
       support for non quad-dotted IPs and non-decimal fields to
       d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
       match the new upstream behavior.
     + Fix CVE-2026-48844: Code injection vulnerability via code evaluation
       support in LDAP autovalues option. Code evaluation support has now been
       removed.
     + Fix CVE-2026-48845: Local/private URL fetch bypass when remote resources
       were not allowed.
     + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
     + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
       session poisoning bypass.
     + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
       <animate attributeName="style">.
     + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
       the draft restore dialog.
     + Fix PHP8 warnings.
     + Fix potential too long value in IMAP ID command.
   * Refresh d/patches.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----