Your message dated Fri, 20 Mar 2026 17:48:48 +0000
with message-id <[email protected]>
and subject line Bug#1131182: fixed in roundcube 1.6.14+dfsg-1
has caused the Debian Bug report #1131182,
regarding roundcube: Multiple security vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.13+dfsg-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: found -1 1.6.13+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u7
Control: found -1 1.4.15+dfsg.1-1+deb11u7
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Roundcube webmail upstream has recently released 1.6.14 [0] which fixes
the following security vulnerabilities:
1. Pre-auth arbitrary file write via unsafe deserialization in
redis/memcache session handler, reported by y0us.
https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74
2. Bug where a password could get changed without providing the old
password, reported by flydragon777.
https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
3. IMAP Injection + CSRF bypass in mail search, reported by Martila
Security Research Team.
https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15
4. Remote image blocking bypass via various SVG animate attributes,
reported by nullcathedral.
https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd
5. Remote image blocking bypass via a crafted body background
attribute, reported by nullcathedral.
https://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b561874923f9b0f0
6. Fixed position mitigation bypass via use of `!important`, reported
by nullcathedral.
https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0
7. XSS issue in an HTML attachment preview, reported by aikido_security.
https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f
8. SSRF + Information Disclosure via stylesheet links to local network
hosts, reported by Georgios Tsimpidas.
https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
Upstream's solution for the last issue adds a new runtime dependency
mlocati/ip-lib ≥1.22
which unfortunately is not in Debian yet. I can upload it to sid as
part of the PEAR team, but older suites will need another solution.
AFAIK no CVE-IDs have been published for these issues. I just requested some.
--
Guilhem.
[0] https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
--- End Message ---
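The fix for item 8 in the report above hinges on classifying the address a stylesheet link resolves to before the server fetches it. The following is an added illustration of that kind of check, written here in Python; it is neither Roundcube's code nor the mlocati/ip-lib package, and the hostnames, addresses and the offline resolver table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. A real check would
# call socket.getaddrinfo() and must pin the resolved address for the fetch
# itself; otherwise the name could be re-resolved to a different host between
# the check and the request (DNS rebinding).
FAKE_DNS = {
    "cdn.example.org": ["93.184.216.34"],                 # public host
    "intranet.example.org": ["10.0.0.5"],                 # RFC 1918 host
    "mixed.example.org": ["93.184.216.34", "127.0.0.1"],  # partly internal
}


def is_non_public(ip):
    """True for any address a webmail server must not fetch on a user's behalf."""
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.5) by its embedded IPv4 address,
    # so the mapped form cannot slip past an IPv4-only range list.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for private, loopback, link-local, multicast,
    # unspecified and reserved ranges, which is exactly the set to refuse.
    return not ip.is_global


def resolve(host, resolver=FAKE_DNS):
    """Return the addresses for an IP literal or (via the table) a hostname."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver.get(host, [])]


def stylesheet_url_allowed(url, resolver=FAKE_DNS):
    """Decide whether a <link rel=stylesheet> target may be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname, resolver)
    # Fail closed: unresolvable names and any internal address in the answer
    # set are rejected, even if the same name also resolves to a public one.
    return bool(addrs) and not any(is_non_public(a) for a in addrs)
```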
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.14+dfsg-1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 Mar 2026 17:52:47 +0100
Source: roundcube
Architecture: source
Version: 1.6.14+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1131182
Changes:
roundcube (1.6.14+dfsg-1) unstable; urgency=high
.
* New upstream security and bugfix release (closes: #1131182).
+ Fix pre-auth arbitrary file write via unsafe deserialization in
redis/memcache session handler.
+ Fix bug where a password could get changed without providing the old
password.
+ Fix IMAP Injection + CSRF bypass in mail search.
+ Fix remote image blocking bypass via various SVG animate attributes.
+ Fix remote image blocking bypass via a crafted <body> background
attribute.
+ Fix fixed position mitigation bypass via use of `!important`.
+ Fix XSS vulnerability in HTML attachment preview.
+ Fix SSRF and information disclosure vulnerability via stylesheet links
pointing to local network hosts.
* Refresh d/patches.
* Cherry-pick upstream changes from 1.7 to fix PHP 8.2 deprecation warning on
utf8_{encode,decode}() uses.
* Cherry-pick upstream change from 1.7 to fix PHP 8.4 deprecation warning on
str_getcsv() use.
* Cherry-pick upstream regression fix where mail search would fail on
non-ascii search criteria.
* Add custom patch to avoid dependency on mlocati/ip-lib, which as of today
is not present in Debian.
* phpunit: Pass `--display-deprecations` and `--display-phpunit-deprecations`
flags.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---