Your message dated Mon, 30 Mar 2026 11:37:09 +0000
with message-id <[email protected]>
and subject line Bug#1132268: fixed in roundcube 1.6.15+dfsg-1
has caused the Debian Bug report #1132268,
regarding roundcube: SVG Animate FUNCIRI Attribute Bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132268: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132268
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.14+dfsg-1
Severity: important
Control: found -1 1.6.13+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u7
Control: found -1 1.4.15+dfsg.1-1+deb11u7
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Roundcube webmail upstream has recently released 1.6.15 [0] which fixes
the following security vulnerability:
  * SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via
    fill/filter/stroke, reported by class_nzm.
    https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88
AFAIK no CVE ID has been assigned for this issue. I just requested one.
--
Guilhem.
[0] https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
https://github.com/roundcube/roundcubemail/releases/tag/1.6.15
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.15+dfsg-1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Mar 2026 09:54:58 +0200
Source: roundcube
Architecture: source
Version: 1.6.15+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1132268
Changes:
 roundcube (1.6.15+dfsg-1) unstable; urgency=high
 .
   * New upstream security and bugfix release (closes: #1132268).
     + Fix SVG animate FUNCIRI attribute bypass (remote image loading via
       fill/filter/stroke).
     + Fix regression where mail search would fail on non-ascii search
       criteria.
     + Fix regression where some data url images could get ignored/lost.
   * Refresh d/patches and remove those applied upstream.
   * d/control: Add Build-Depends: node-source-map.
   * Improve custom patch to avoid dependency on mlocati/ip-lib:
     + Trim leading zeros from the decimal representation of IPv4 octets to
       match GuzzleHTTP's mangling of invalid IP addresses.
     + Treat IPv4-mapped and IPv4-compatible addresses as belonging to the
       local range when the v4 address is also local.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---