Source: roundcube
Version: 1.6.12+dfsg-1
Severity: important
Control: found -1 1.6.12+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u6
Control: found -1 1.4.15+dfsg.1-1+deb11u6
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.13 [0] which fixes
the following vulnerabilities:

 * CSS injection vulnerability reported by CERT Polska.
   https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816
   https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447 (regression)
   https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01 (regression)

 * Remote image blocking bypass via SVG content reported by
   nullcathedral.
   https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8

AFAICT no CVE-IDs have been published for these issues. I just requested
some.

--
Guilhem.

[0] https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13

