Your message dated Sun, 24 May 2026 23:33:41 +0000
with message-id <[email protected]>
and subject line Bug#1137507: fixed in roundcube 1.6.16+dfsg-1
has caused the Debian Bug report #1137507,
regarding roundcube: Multiple security vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137507
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.15+dfsg-1
Control: found -1 1.6.15+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u8
Control: found -1 1.4.15+dfsg.1-1+deb11u8
Severity: grave
Justification: user security hole
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Roundcube webmail upstream has recently released 1.6.16 [0] which fixes the following security vulnerabilities:
1. Stored XSS/HTML/CSS injection in subject field of the draft restore dialog.
2. CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">.
3. Pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass.
4. SSRF bypass via specific local address URLs.
5. Local/private URL fetch bypass when remote resources were not allowed.
6. Bypass of remote image blocking via CSS var().
7. Pre-auth arbitrary file delete via redis/memcache session poisoning bypass.
8. Code injection vulnerability via code evaluation support in LDAP autovalues option. Code evaluation support has now been removed.
AFAIK no CVE-IDs have been published for these issues. I'll request some later today unless someone beats me to it.
--
Guilhem.
[0] https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.16+dfsg-1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 25 May 2026 00:30:41 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1137507
Changes:
roundcube (1.6.16+dfsg-1) unstable; urgency=medium
.
* New upstream security and bugfix release (closes: #1137507).
+ Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog.
+ Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">.
+ Fix pre-auth SQL injection in `virtuser_query` plugin via `preg_replace()` backslash escape bypass.
+ Fix SSRF bypass via specific local address URLs.
+ Fix local/private URL fetch bypass when remote resources were not allowed.
+ Fix bypass of remote image blocking via CSS `var()`.
+ Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass.
+ Code injection vulnerability via code evaluation support in LDAP autovalues option. Code evaluation support has been removed.
* Refresh d/patches.
* d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Add support for non quad-dotted IPs and non-decimal fields to match the upstream behavior.
* Update Standards-Version to 4.7.4 (no changes necessary).
--- End Message ---
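As an added illustration of the check behind items 4 and 5 of the report and the changelog's "non quad-dotted IPs and non-decimal fields" note (this is neither Roundcube's code nor the Debian patch, which is PHP; function names and the private-range list are my own assumptions), the defensive step is to canonicalise an IPv4 literal the way inet_aton() would before deciding whether a fetch target is local:

```python
"""Canonicalise inet_aton()-style IPv4 literals before a local-address check (added example)."""
import ipaddress
import re

# Assumed set of ranges a webmail fetcher should refuse to contact.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# One inet_aton field: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(p):
    if not _PART.match(p):
        raise ValueError(p)
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)

def inet_aton_like(text):
    """Accept 1..4 dot-separated fields; the last field fills the remaining bytes,
    as inet_aton() does. Returns a dotted quad, or None if not an address."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = vals
    tail_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in head) or last >= 1 << tail_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return str(ipaddress.IPv4Address((n << tail_bits) | last))

def canonical_ip(host):
    """Canonical address string for an IP literal (brackets allowed), else None."""
    h = host.strip("[]")
    try:
        return str(ipaddress.ip_address(h))
    except ValueError:
        return inet_aton_like(h)   # strict parser rejected it; try the lenient form

def is_local(host):
    """Local/private check applied to the canonical form, not the raw string."""
    ip = canonical_ip(host)
    if ip is None:
        return host.lower() == "localhost"
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:a.b.c.d is still IPv4
        addr = addr.ipv4_mapped
    return any(addr in net for net in PRIVATE_NETS)
```

A string comparison against "127.0.0.1" would accept the single-field and hex/octal spellings that canonical_ip() folds back to the loopback address.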