Your message dated Thu, 19 Feb 2026 23:04:57 +0000
with message-id <[email protected]>
and subject line Bug#1127447: fixed in roundcube 1.6.13+dfsg-0+deb13u1
has caused the Debian Bug report #1127447,
regarding roundcube: [CVE-2026-26079] CSS injection vulnerability and 
[CVE-2026-25916] remote image blocking bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127447
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.12+dfsg-1
Severity: important
Control: found -1 1.6.12+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u6
Control: found -1 1.4.15+dfsg.1-1+deb11u6
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.13 [0] which fixes
the following vulnerabilities:

 * CSS injection vulnerability reported by CERT Polska.
   https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816
   https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447 (regression)
   https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01 (regression)

 * Remote image blocking bypass via SVG content reported by nullcathedral.
   https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8

AFAICT no CVE-IDs have been published for these issues.  I just requested
some.
-- 
Guilhem.

[0] https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.13+dfsg-0+deb13u1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 11 Feb 2026 10:55:46 +0100
Source: roundcube
Architecture: source
Version: 1.6.13+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1127447
Changes:
 roundcube (1.6.13+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1127447).
     + Fix CVE-2026-26079: CSS injection vulnerability.
     + Fix CVE-2026-25916: Remote image blocking bypass via SVG content.
   * Refresh d/patches.


--- End Message ---
