Your message dated Sun, 05 Jul 2026 16:04:19 +0000
with message-id <[email protected]>
and subject line Bug#1141495: fixed in roundcube 1.6.17+dfsg-1
has caused the Debian Bug report #1141495,
regarding roundcube: Multiple security vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141495: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141495
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.16+dfsg-1
Control: found -1 1.6.16+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u9
Control: found -1 1.4.15+dfsg.1-1+deb11u9
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.17 [0] which fixes
the following security vulnerabilities:

  1. Infinite loop in TNEF (winmail.dat) decoder
     
https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38
     
https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89
  2. Various vulnerabilities in the password plugin using
     session-injected username
     
https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476
     
https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c
  3. CVE-2026-54432: Stored XSS via unescaped attachment MIME type on
     the attachment-validation warning page
     
https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e4393d32abb157cb2a568
  4. SSRF bypass via specific local address URLs
     
https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040cef8607b677d459e0786
  5. CVE-2026-54433: Zero-click stored XSS in plain-text rendering
     
https://github.com/roundcube/roundcubemail/commit/63e42e233c6e8b5100e2e61a4d13addcd1a45bd5
  6. DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
     
https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda511b8464fe9cb34b522c1

AFAIK no CVE-ID have been published for issues 1, 2, 4 and 6.  I'll
request some tomorrow unless someone beats me to it.
-- 
Guilhem.

[0] https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.17+dfsg-1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 Jul 2026 17:26:53 +0200
Source: roundcube
Architecture: source
Version: 1.6.17+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers 
<[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1138086 1141495
Changes:
 roundcube (1.6.17+dfsg-1) unstable; urgency=high
 .
   * New upstream security and bugfix release (closes: #1141495).
     + Fix infinite loop in TNEF (winmail.dat) decoder.
     + Fix various vulnerabilities in the password plugin using
       session-injected username.
     + Fix CVE-2026-54432: Stored XSS via unescaped attachment MIME type on the
       attachment-validation warning page.
     + Fix SSRF bypass via specific local address URLs.
     + Fix CVE-2026-54433: Zero-click stored XSS in plain-text rendering.
     + Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file.
     + Enigma: Add support for automatic public key lookup (import) using HKP
       v1 protocol.
     + Enigma: Add support for Kolab's Web Of Anti-Trust (WOAT) feature.
   * d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Improve patch
     and drop type annotations to restore compatibility with PHP<8 (closes:
     #1138086).
Checksums-Sha1:
 cc90069cc1df4a571acd39ce7d8b196b3729a2b2 3845 roundcube_1.6.17+dfsg-1.dsc
 c42a03f7b7f449f7ec9023843d775b66e2887e31 126836 
roundcube_1.6.17+dfsg.orig-tinymce-langs.tar.xz
 a14b229b6767817fb36d85c6c22b700e81fcc74a 1928888 
roundcube_1.6.17+dfsg.orig-tinymce.tar.xz
 1f753251c7e378540cea602af4a7f5db415764fa 2906816 
roundcube_1.6.17+dfsg.orig.tar.xz
 3e31aaa811424ffebdd43e601f014e46a56d6b6c 159116 
roundcube_1.6.17+dfsg-1.debian.tar.xz
 cc5c4a419d387e71bd5a5047ed7b18e3f518ce0d 6227 
roundcube_1.6.17+dfsg-1_source.buildinfo
Checksums-Sha256:
 5ddbaa4318bc081ac0b28d46522d702fb3a89220ca26038c7e20e4588ee4a65b 3845 
roundcube_1.6.17+dfsg-1.dsc
 a9e0dcf588cdfd398b1ffacb63d3cc6cf2132785adcf98b9bc3cb7b23f9f1f6e 126836 
roundcube_1.6.17+dfsg.orig-tinymce-langs.tar.xz
 870c74fc7fe5f66929a8f45b7340be3d542d94ef5786d92393bfbf687c57b1fa 1928888 
roundcube_1.6.17+dfsg.orig-tinymce.tar.xz
 c32cae39892d8936f1b07712e0cda3f435d311cd095e6d949d8e62c473ae1426 2906816 
roundcube_1.6.17+dfsg.orig.tar.xz
 d4a4cfd1cc4c48007af7e059cb201ba800b92ec1185f7f3d2f0c5429e25e9367 159116 
roundcube_1.6.17+dfsg-1.debian.tar.xz
 87e264d6e5a915851d22b91aeaab2652671903f08c8f57690fb931aaa0edceef 6227 
roundcube_1.6.17+dfsg-1_source.buildinfo
Files:
 b9a10be22b02a0bf26798952f2d58b30 3845 web optional roundcube_1.6.17+dfsg-1.dsc
 14e66bb6839218d4add3e1fbea68952d 126836 web optional 
roundcube_1.6.17+dfsg.orig-tinymce-langs.tar.xz
 d1198f417f0ae874dedee8a12e7c8713 1928888 web optional 
roundcube_1.6.17+dfsg.orig-tinymce.tar.xz
 dc32d01c80607b6c6ab3a206e354e584 2906816 web optional 
roundcube_1.6.17+dfsg.orig.tar.xz
 66ef61fd6e2c2ba68d5731a617f3c9d1 159116 web optional 
roundcube_1.6.17+dfsg-1.debian.tar.xz
 fa5e7976140601b140b3b19a0214fb9d 6227 web optional 
roundcube_1.6.17+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmpKebwACgkQ05pJnDwh
pVKMjQ/9FASx8Pq8QeLmityAdMYXFizs6anN2uBThC1gIvWtRrL6bogVQTbUILWM
ISZKtGsxgSn6MA4vKU2ILbJdidb1mN+Hc+7TdOaWqxQEcX+tsFzuV4oJbAhyurzM
rm+uPytsTEekBfTBjYTbNaLsj4WE+0qHTLnGjUgHGk3DK9w48tvIBoJnxWYIuq1D
/7n2OP8sPEsXlmuey47wBF7xhvgj2krBOpDOPjAoROuNK0foc3zcFmSvDDx/2Ldv
ooE0DUkq/iQPcJw/1a+UrxqyIYNoD40qq7avTF4uF6vRgta2mNOyOBHwMcioPqlq
RvUYLlMp18vy9TtkK9HFcnN9PEAuiNpGPbS5tNhxXXfT9uZpZTgHqBgIPd0UfAM4
Oe61c06IRA9XYHayR8zpabguRsNn2GdJxJO74HXzI9Q5gxy1WW8lAL9KR9IuUsEV
eZNHvUtELqth2O/c1xWuLurYxZAiFjCtzK7Xg4mLT18CEXduR24WrQU5mFZN4ApQ
c+tQNdSY3XiQ+JcQY9klPdjb0PborZH2PShLUOAYUTR9R2XZlMvuzRIogaxnel2v
YPO8HA6QrVZNCmvfVTkkwJBRiywXfCqKPSmjHJiEaSTQVdqJ8F1o2vLI+3h0ECyw
h/wLup2HG2YhezdBw9g8xwZCtL4OAP2In3HCNd6cnJaLdLjSFGo=
=dyWy
-----END PGP SIGNATURE-----

Attachment: pgpaSgSJvmDUg.pgp
Description: PGP signature


--- End Message ---

Reply via email to