Hello community,

here is the log from the commit of package roundcubemail for openSUSE:Factory checked in at 2026-05-27 16:31:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/roundcubemail (Old)
 and /work/SRC/openSUSE:Factory/.roundcubemail.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "roundcubemail" Wed May 27 16:31:26 2026 rev:95 rq:1355387 version:1.6.16 Changes: -------- --- /work/SRC/openSUSE:Factory/roundcubemail/roundcubemail.changes 2026-05-25 21:59:23.151338362 +0200 +++ /work/SRC/openSUSE:Factory/.roundcubemail.new.1937/roundcubemail.changes 2026-05-27 16:31:29.920618438 +0200 @@ -2 +2 @@ -Mon May 25 08:35:59 UTC 2026 - Aeneas Jaißle <[email protected]> +Mon May 25 08:35:59 UTC 2026 - Aeneas Jaißle <[email protected]> - 1.6.16 
@@ -22,8 +22,8 @@ - + Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog - + Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style"> - + Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass - + Security: Fix SSRF bypass via specific local address URLs - + Security: Fix bypass of remote image blocking via CSS var() - + Security: Fix local/private URL fetch bypass when remote resources were not allowed - + Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass - + Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option + + Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog [CVE-2026-48849] [bsc#1266337] + + Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style"> [CVE-2026-48848] [bsc#1266336] + + Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass [CVE-2026-48842] [bsc#1266329] + + Security: Fix SSRF bypass via specific local address URLs [CVE-2026-48843] [bsc#1266331] + + Security: Fix bypass of remote image blocking via CSS var() [CVE-2026-48846] [bsc#1266334] + + Security: Fix local/private URL fetch bypass when remote resources were not allowed [CVE-2026-48845] [bsc#1266333] + + Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass [CVE-2026-48847] [bsc#1266335] + + Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option [CVE-2026-48844] [bsc#1266332] ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
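Review bot: in the `@@ -2 +2 @@` hunk the removed and added header lines read identically as shown (same timestamp, same author name, address obscured), so the only difference must be in the e-mail address, and the diff alone does not show what changed. The entry also keeps its Mon May 25 08:35:59 UTC 2026 timestamp although its content is edited in this revision. If the address change is intentional, please state it in the request description.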
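Review bot: in the `@@ -22,8 +22,8 @@` hunk the bug number on the virtuser_query SQL injection line breaks the pattern the other seven references follow. From CVE-2026-48843 / bsc#1266331 through CVE-2026-48849 / bsc#1266337 the CVE and bug numbers rise together one for one, which would put CVE-2026-48842 at bsc#1266330, but the line carries bsc#1266329. Please confirm that pairing against the bug tracker before this lands. The references are also added by rewriting the existing 1.6.16 entry in place, so the changelog does not record that they were attached later; a short note in the request would cover that.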
