Your message dated Sat, 20 Dec 2025 11:33:56 +0000
with message-id <[email protected]>
and subject line Bug#1122899: fixed in roundcube 1.6.12+dfsg-0+deb13u1
has caused the Debian Bug report #1122899,
regarding roundcube: XSS (CVE-2025-68461) and information disclosure 
(CVE-2025-68460)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122899
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.11+dfsg-1
Severity: important
Control: found -1 1.6.5+dfsg-1+deb12u5
Control: found -1 1.4.15+dfsg.1-1+deb11u5
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.12 [0] which fixes
the following vulnerabilities:

 * Cross-Site-Scripting vulnerability via SVG's animate tag (reported by
   Valentin T., CrowdStrike).
   https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb

 * Information Disclosure vulnerability in the HTML style sanitizer
   (reported by somerandomdev).
   https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571

AFAICT no CVE-IDs have been published for these issues.  Will request
them shortly if no one beats me to it.

-- 
Guilhem.

[0] https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12


--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.12+dfsg-0+deb13u1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 14 Dec 2025 11:51:43 +0100
Source: roundcube
Architecture: source
Version: 1.6.12+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1122899
Changes:
 roundcube (1.6.12+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1122899).
     + Fix CVE-2025-68461: Cross-Site-Scripting vulnerability via SVG's animate
       tag.
     + Fix CVE-2025-68460: Information Disclosure vulnerability in the HTML
       style sanitizer.
   * Refresh d/patches.
   * d/gbp.conf: Set debian-branch=debian/trixie.
   * Salsa CI: Set RELEASE=trixie, disable reprotest and lintian jobs.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
