Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package roundcubemail for openSUSE:Factory checked in at 2026-05-25 21:56:11

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/roundcubemail (Old)
 and      /work/SRC/openSUSE:Factory/.roundcubemail.new.2084 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "roundcubemail"

Mon May 25 21:56:11 2026 rev:94 rq:1355036 version:1.6.16

Changes:
--------
--- /work/SRC/openSUSE:Factory/roundcubemail/roundcubemail.changes 2026-04-07 16:48:06.282545875 +0200
+++ /work/SRC/openSUSE:Factory/.roundcubemail.new.2084/roundcubemail.changes 2026-05-25 21:59:23.151338362 +0200
@@ -1,0 +2,30 @@ +Mon May 25 08:35:59 UTC 2026 - Aeneas Jaißle <[email protected]> + +- update to 1.6.16 + This is a security update to the LTS version 1.6 of Roundcube Webmail. + It provides fixes to recently reported security vulnerabilities: + + + Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy + + Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">, reported by wooseokdotkim + + Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull + + Fix SSRF bypass via specific local address URLs + + Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team + + Fix bypass of remote image blocking via CSS var(), reported by Geame + + Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1 + + Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option, reported by Glendaenri + + This version is considered stable and we recommend to update all productive + installations of Roundcube 1.6.x with it. Please do backup your data before updating! 
+ + CHANGELOG + + Fix potential too long value in IMAP ID command (#10136) + + Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog + + Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style"> + + Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass + + Security: Fix SSRF bypass via specific local address URLs + + Security: Fix bypass of remote image blocking via CSS var() + + Security: Fix local/private URL fetch bypass when remote resources were not allowed + + Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass + + Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option + +------------------------------------------------------------------- Old: ---- roundcubemail-1.6.15-complete.tar.gz roundcubemail-1.6.15-complete.tar.gz.asc New: ---- roundcubemail-1.6.16-complete.tar.gz roundcubemail-1.6.16-complete.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ roundcubemail.spec ++++++ --- /var/tmp/diff_new_pack.JfjTCF/_old 2026-05-25 21:59:25.863449966 +0200 +++ /var/tmp/diff_new_pack.JfjTCF/_new 2026-05-25 21:59:25.879450624 +0200 @@ -20,7 +20,7 @@ %define roundcubeconfigpath %{_sysconfdir}/%{name} Name: roundcubemail -Version: 1.6.15 +Version: 1.6.16 Release: 0 Summary: A browser-based multilingual IMAP client License: BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later ++++++ roundcubemail-1.6.15-complete.tar.gz -> roundcubemail-1.6.16-complete.tar.gz ++++++ ++++ 3950 lines of diff (skipped)
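Review bot: the new roundcubemail.changes entry describes eight security fixes but none of the "Fix ..." lines carries a CVE or bsc# reference, so the update cannot be matched against advisories or tracked by security tooling; please add the identifiers to each line once assigned, e.g. "+ Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass (CVE-XXXX-XXXXX, bsc#XXXXXXX)" (placeholders shown). As a style point, the same eight fixes are listed twice in the entry (once under the release summary, once under CHANGELOG); keeping only the CHANGELOG block with references attached would be shorter and easier to audit. The roundcubemail.spec hunk is a plain Version bump from 1.6.15 to 1.6.16 and needs no change.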
