Control: retitle -1 DSA 6301-1 breaks roundcube on PHP <8
Control: severity -1 normal
Control: tag -1 pending

Hi,

On Thu, 28 May 2026 at 11:32:06 +0200, Vladislav Kurz wrote:
>> Hello, I noticed that the problem is in the PHP version.
>> We were running PHP 7.4. Problem was gone after switching to PHP 8.2.
>
> According to
> https://github.com/roundcube/roundcubemail/wiki/Version-History
>
> Version 1.6 has PHP support: >=7.3 <=8.3

The upstream PHP compatibility is mostly irrelevant for Debian.  Trixie
has PHP 8.4 and Bookworm 8.2, so that's the PHP versions against which
the packages are tested and AFAIK everything else is unsupported.  Not a
reason to break compatibility with older PHP versions in a -security (or
-pu) update if it can be avoided, of course.

> So this is probably an upstream bug introduced in 1.6.16 and backported to
> debian 12 in DSA 6301-1

No, that's an issue I introduced in the custom (Debian-specific) fix for
CVE-2026-48843.  (The upstream fix introduces a new dependency which is
not in Debian, so we need a custom native solution for older suites.)
Noticed the issue as I was working on backport for Bullseye LTS, but
unfortunately not in time for DSA 6301-1.  It's already fixed in the
repository at
https://salsa.debian.org/roundcube-team/roundcube/-/commit/ce0683b27c29f6f8470744a8d01dd352f6065250
so it'll be fixed in the next upload.

Compatibility with PHP ≥7.3 to <8 can be trivially restored by removing
the union type annotation in
/usr/share/roundcube/program/lib/Roundcube/rcube_utils.php:inet_pton2() .
I don't think it warrants a regression update given supported systems are
not affected, but I'm CC'ing the Security Team in case they have a
different assessment (I can prepare the debdiffs in that case).

-- 
Guilhem.
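Added illustration of the compatibility point above; this is not the Debian patch and does not reproduce the real body of rcube_utils::inet_pton2(). The function name inet_pton2_compat and its validation are hypothetical; what matters is that the PHP 8 union return type is replaced by a PHPDoc annotation so the file still parses on PHP 7.3.

```php
<?php
// Regression-prone form (PHP >= 8.0 only): a union return type is a parse
// error on PHP 7.x, so the whole file fails to load and roundcube breaks.
//
//     function inet_pton2(string $ip): string|false { ... }
//
// Compatible form: drop the union type and document it in PHPDoc instead.
// Parses on PHP 7.3 through 8.4, behaviour is unchanged.

/**
 * Hypothetical wrapper around inet_pton() (not roundcube's real code).
 * Returns the packed binary address, or false on invalid input.
 *
 * @param  string $ip  Textual IPv4 or IPv6 address
 * @return string|false
 */
function inet_pton2_compat(string $ip)
{
    // Be strict about what reaches inet_pton(): reject anything that is not
    // a syntactically valid address rather than letting it be parsed loosely.
    $ip = trim($ip);
    if ($ip === '' || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $packed = @inet_pton($ip);
    return $packed === false ? false : $packed;
}

// Defender's check before shipping a -security update for an older suite:
// lint the patched file with every PHP interpreter the suite can run, e.g.
//     php7.4 -l program/lib/Roundcube/rcube_utils.php
//     php8.2 -l program/lib/Roundcube/rcube_utils.php
// A PHP 8-only construct shows up as "syntax error, unexpected '|'" on 7.x.
```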