Your message dated Sat, 20 Dec 2025 11:37:09 +0000
with message-id <[email protected]>
and subject line Bug#1122899: fixed in roundcube 1.6.5+dfsg-1+deb12u6
has caused the Debian Bug report #1122899,
regarding roundcube: XSS (CVE-2025-68461) and information disclosure (CVE-2025-68460)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122899
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.11+dfsg-1
Severity: important
Control: found -1 1.6.5+dfsg-1+deb12u5
Control: found -1 1.4.15+dfsg.1-1+deb11u5
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.12 [0] which fixes
the following vulnerabilities:

 * Cross-Site-Scripting vulnerability via SVG's animate tag (reported by
   Valentin T., CrowdStrike).
   https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb

 * Information Disclosure vulnerability in the HTML style sanitizer
   (reported by somerandomdev).
   https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571

AFAICT no CVE-IDs have been published for these issues.  Will request
them shortly if no one beats me to it.

-- 
Guilhem.

[0] https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.5+dfsg-1+deb12u6
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Dec 2025 09:10:17 +0100
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u6
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1122899
Changes:
 roundcube (1.6.5+dfsg-1+deb12u6) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.12 (closes: #1122899):
     + Fix CVE-2025-68461: Cross-Site-Scripting vulnerability via SVG's animate
       tag.
     + Fix CVE-2025-68460: Information Disclosure vulnerability in the HTML
       style sanitizer.



--- End Message ---
