Your message dated Sun, 14 Dec 2025 11:24:59 +0000
with message-id <[email protected]>
and subject line Bug#1122899: fixed in roundcube 1.6.12+dfsg-1
has caused the Debian Bug report #1122899,
regarding roundcube: XSS and information disclosure vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122899
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.11+dfsg-1
Severity: important
Control: found -1 1.6.5+dfsg-1+deb12u5
Control: found -1 1.4.15+dfsg.1-1+deb11u5
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.12 [0] which fixes
the following vulnerabilities:

 * Cross-Site-Scripting vulnerability via SVG's animate tag (reported by
   Valentin T., CrowdStrike).
   https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb

 * Information Disclosure vulnerability in the HTML style sanitizer
   (reported by somerandomdev).
   https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571

AFAICT no CVE-IDs have been published for these issues.  Will request
them shortly if no one beats me to it.

-- 
Guilhem.

[0] https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.12+dfsg-1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 14 Dec 2025 10:53:54 +0100
Source: roundcube
Architecture: source
Version: 1.6.12+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1122899
Changes:
 roundcube (1.6.12+dfsg-1) unstable; urgency=high
 .
   * New upstream security and bugfix release (closes: #1122899).
     + Fix Cross-Site-Scripting vulnerability via SVG's animate tag.
     + Fix Information Disclosure vulnerability in the HTML style sanitizer.
   * d/watch:
     + Port to Version 5.
     + Simplify [UD]version-Mangle.
     + Use @STABLE_VERSION@ not @ANY_VERSION@ as tag matching pattern.
   * Refresh d/patches.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
