Your message dated Thu, 28 May 2026 13:03:46 +0000
with message-id <[email protected]>
and subject line Bug#1137507: fixed in roundcube 1.6.5+dfsg-1+deb12u9
has caused the Debian Bug report #1137507,
regarding roundcube: CVE-2026-4884[2-9]: Multiple security vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137507
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.15+dfsg-1
Control: found -1 1.6.15+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u8
Control: found -1 1.4.15+dfsg.1-1+deb11u8
Severity: grave
Justification: user security hole
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Roundcube webmail upstream has recently released 1.6.16 [0] which fixes
the following security vulnerabilities:
1. Stored XSS/HTML/CSS injection in subject field of the draft restore
dialog.
2. CSS injection bypass in HTML sanitizer via SVG <animate
attributeName="style">.
3. Pre-auth SQL injection in virtuser_query plugin via preg_replace
backslash escape bypass.
4. SSRF bypass via specific local address URLs.
5. Local/private URL fetch bypass when remote resources were not
allowed.
6. Bypass of remote image blocking via CSS var().
7. Pre-auth arbitrary file delete via redis/memcache session poisoning
bypass.
8. Code injection vulnerability via code evaluation support in LDAP
autovalues option. Code evaluation support has now been removed.
AFAIK no CVE-IDs have been published for these issues. I'll request
some later today unless someone beats me to it.
--
Guilhem.
[0] https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.5+dfsg-1+deb12u9
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 26 May 2026 01:08:43 +0200
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u9
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers
<[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1137507
Changes:
roundcube (1.6.5+dfsg-1+deb12u9) bookworm-security; urgency=high
.
* Cherry pick upstream security fixes from v1.6.16 (closes: #1137507).
+ Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
via `preg_replace()` backslash escape bypass.
+ Fix CVE-2026-48843: SSRF bypass via specific local address URLs. Add
support for non quad-dotted IPs and non-decimal fields to
d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
match the new upstream behavior.
+ Fix CVE-2026-48844: Code injection vulnerability via code evaluation
support in LDAP autovalues option. Code evaluation support has now been
removed.
+ Fix CVE-2026-48845: Local/private URL fetch bypass when remote resources
were not allowed.
+ Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
+ Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
session poisoning bypass.
+ Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style">.
+ Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
the draft restore dialog.
--- End Message ---
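The CVE-2026-48843 changelog entry above notes that the local-address check had to learn non quad-dotted and non-decimal IPv4 forms. The following Python example is added here to show why; it is not Roundcube's code (which is PHP), and the function names and the "blocked"/"allowed"/"resolve" policy labels are my own. It canonicalizes an IPv4 literal the way inet_aton(3) and most HTTP clients do, so that "127.1", "0x7f000001" and "2130706433" are recognised as loopback before any fetch is attempted.

```python
import ipaddress
import re
from typing import Optional

# One inet_aton(3) field: hex (0x...), octal (leading 0), or plain decimal.
_FIELD = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _field_value(field: str) -> int:
    """Interpret a single field with inet_aton(3) base rules."""
    if field[:2].lower() == "0x":
        return int(field[2:], 16)
    if len(field) > 1 and field[0] == "0":
        return int(field, 8)
    return int(field, 10)


def parse_ipv4_literal(host: str) -> Optional[ipaddress.IPv4Address]:
    """Canonicalize an IPv4 literal as inet_aton(3) does.

    Accepts 1 to 4 dot-separated fields in decimal, octal or hex; the last
    field fills every remaining byte, so "127.1", "0x7f000001", "017700000001"
    and "2130706433" are all 127.0.0.1. Returns None when the string is not an
    IPv4 literal (a hostname, or a field out of range); DNS is left to the caller.
    """
    fields = host.split(".")
    if not 1 <= len(fields) <= 4 or not all(_FIELD.match(f) for f in fields):
        return None
    values = [_field_value(f) for f in fields]
    if any(v > 0xFF for v in values[:-1]):
        return None
    tail_bytes = 5 - len(fields)          # bytes covered by the last field
    if values[-1] >= 256 ** tail_bytes:
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << (8 * tail_bytes)) | values[-1]
    return ipaddress.IPv4Address(number)


def classify_fetch_target(host: str) -> str:
    """Hypothetical policy: 'blocked' for loopback/private/link-local/multicast/
    reserved/unspecified literals, 'allowed' for a public literal, 'resolve'
    when the host is a name whose every resolved address must be checked too."""
    addr = parse_ipv4_literal(host)
    if addr is None:
        return "resolve"
    blocked = (addr.is_loopback or addr.is_private or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return "blocked" if blocked else "allowed"
```

A fetcher that compares the raw host string against "127.0.0.1" or "localhost" misses every alternative spelling accepted by the resolver underneath it, which is the class of bypass the entry describes.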