Your message dated Thu, 28 May 2026 13:03:14 +0000
with message-id <[email protected]>
and subject line Bug#1137507: fixed in roundcube 1.6.16+dfsg-0+deb13u1
has caused the Debian Bug report #1137507,
regarding roundcube: CVE-2026-4884[2-9]: Multiple security vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137507
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.15+dfsg-1
Control: found -1 1.6.15+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u8
Control: found -1 1.4.15+dfsg.1-1+deb11u8
Severity: grave
Justification: user security hole
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.16 [0] which fixes
the following security vulnerabilities:

  1. Stored XSS/HTML/CSS injection in subject field of the draft restore
     dialog.
  2. CSS injection bypass in HTML sanitizer via SVG <animate
     attributeName="style">.
  3. Pre-auth SQL injection in virtuser_query plugin via preg_replace
     backslash escape bypass.
  4. SSRF bypass via specific local address URLs.
  5. Local/private URL fetch bypass when remote resources were not
     allowed.
  6. Bypass of remote image blocking via CSS var().
  7. Pre-auth arbitrary file delete via redis/memcache session poisoning
     bypass.
  8. Code injection vulnerability via code evaluation support in LDAP
     autovalues option.  Code evaluation support has now been removed.

AFAIK no CVE-IDs have been published for these issues.  I'll request
some later today unless someone beats me to it.
-- 
Guilhem.

[0] https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.16+dfsg-0+deb13u1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 23:06:33 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1137507
Changes:
 roundcube (1.6.16+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1137507).
     + Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
       via `preg_replace()` backslash escape bypass.
     + Fix CVE-2026-48843: SSRF bypass via specific local address URLs.  Add
       support for non quad-dotted IPs and non-decimal fields to
       d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
       match the new upstream behavior.
     + Fix CVE-2026-48844: Code injection vulnerability via code evaluation
       support in LDAP autovalues option.  Code evaluation support has now been
       removed.
     + Fix CVE-2026-48845: Local/private URL fetch bypass when remote resources
       were not allowed.
     + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
     + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
       session poisoning bypass.
     + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
       <animate attributeName="style">.
     + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
       the draft restore dialog.
     + Fix PHP8 warnings.
     + Fix potential too long value in IMAP ID command.
   * Refresh d/patches.
Checksums-Sha1:
 00d6e7760f0149a4e429615c69f0b7d3c97babbd 3860 roundcube_1.6.16+dfsg-0+deb13u1.dsc
 1a3cd9678dcb0a130681a4fbe1eca68052d00d5b 126884 roundcube_1.6.16+dfsg.orig-tinymce-langs.tar.xz
 38c2baef9e85c0d497c31715eeba89ba8dd4d8b3 1928780 roundcube_1.6.16+dfsg.orig-tinymce.tar.xz
 f18404da6e008cd6b488bcdfde8feee9244b7c93 2793532 roundcube_1.6.16+dfsg.orig.tar.xz
 d0d3461b6c8f50c6a3cc250cd88dd837786c11f0 157428 roundcube_1.6.16+dfsg-0+deb13u1.debian.tar.xz
 ad316f2e1c5436536f487af67ce207eb7de19b6d 6217 roundcube_1.6.16+dfsg-0+deb13u1_source.buildinfo
Checksums-Sha256:
 9082145d643bec4d14537a673f5dee4e4cff8b821fdc4c615a0aff8f0982dc75 3860 roundcube_1.6.16+dfsg-0+deb13u1.dsc
 04a78e28c9e7cf2f0d67d989954ebeb2693db7c25b511e37b1be851ab00ec0e4 126884 roundcube_1.6.16+dfsg.orig-tinymce-langs.tar.xz
 2f9513c4c9f4b4f486a2a10614a9215acb41e94374ec453d656ea420d8e4e168 1928780 roundcube_1.6.16+dfsg.orig-tinymce.tar.xz
 491d92dee757bc22672181d42fb09334d83826cace9d4f7ea0b2ac0fc0355a77 2793532 roundcube_1.6.16+dfsg.orig.tar.xz
 738145af51966bc48d47e3e973e8885b53281dc15990f3c95b0cd530436a426f 157428 roundcube_1.6.16+dfsg-0+deb13u1.debian.tar.xz
 dce71d86bfec88b2b48ff45b44aaba5e18ed871dc999ae4b4ac31a4e9b9810c9 6217 roundcube_1.6.16+dfsg-0+deb13u1_source.buildinfo
Files:
 1bf13b8900082211ea096c21b4669b58 3860 web optional roundcube_1.6.16+dfsg-0+deb13u1.dsc
 f2adaee4ceaeb18948b7c3fcd3b76dca 126884 web optional roundcube_1.6.16+dfsg.orig-tinymce-langs.tar.xz
 543ea8ab031d4a17869930bc16287e9c 1928780 web optional roundcube_1.6.16+dfsg.orig-tinymce.tar.xz
 7fd70691566a18ddd6e74a13a5a677d0 2793532 web optional roundcube_1.6.16+dfsg.orig.tar.xz
 95eede9c07b26d16c3f56484ab896d9d 157428 web optional roundcube_1.6.16+dfsg-0+deb13u1.debian.tar.xz
 c6cf238252a4ed71d303e3e9377293e5 6217 web optional roundcube_1.6.16+dfsg-0+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
