Your message dated Sat, 21 Feb 2026 19:49:35 +0000
with message-id <[email protected]>
and subject line Bug#1127447: fixed in roundcube 1.6.5+dfsg-1+deb12u7
has caused the Debian Bug report #1127447,
regarding roundcube: [CVE-2026-26079] CSS injection vulnerability and
[CVE-2026-25916] remote image blocking bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127447
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.12+dfsg-1
Severity: important
Control: found -1 1.6.12+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u6
Control: found -1 1.4.15+dfsg.1-1+deb11u6
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Roundcube webmail upstream has recently released 1.6.13 [0] which fixes
the following vulnerabilities:
 * CSS injection vulnerability reported by CERT Polska.
   https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816
   https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447 (regression)
   https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01 (regression)
 * Remote image blocking bypass via SVG content reported by nullcathedral.
   https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8
AFAICT no CVE-IDs have been published for these issues. I just requested
some.
--
Guilhem.
[0] https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.5+dfsg-1+deb12u7
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 11 Feb 2026 12:05:21 +0100
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u7
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1127447
Changes:
 roundcube (1.6.5+dfsg-1+deb12u7) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.13 (closes: #1127447):
     + Fix CVE-2026-26079: CSS injection vulnerability.
     + Fix CVE-2026-25916: Remote image blocking bypass via SVG content.
     + Improve fix for CVE-2025-68460.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---