Source: roundcube
Version: 1.6.16+dfsg-1
Control: found -1 1.6.16+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u9
Control: found -1 1.4.15+dfsg.1-1+deb11u9
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.17 [0] which fixes
the following security vulnerabilities:

  1. Infinite loop in TNEF (winmail.dat) decoder
     
https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38
     
https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89
  2. Various vulnerabilities in the password plugin using
     session-injected username
     
https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476
     
https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c
  3. CVE-2026-54432: Stored XSS via unescaped attachment MIME type on
     the attachment-validation warning page
     
https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e4393d32abb157cb2a568
  4. SSRF bypass via specific local address URLs
     
https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040cef8607b677d459e0786
  5. CVE-2026-54433: Zero-click stored XSS in plain-text rendering
     
https://github.com/roundcube/roundcubemail/commit/63e42e233c6e8b5100e2e61a4d13addcd1a45bd5
  6. DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
     
https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda511b8464fe9cb34b522c1

AFAIK no CVE-ID have been published for issues 1, 2, 4 and 6.  I'll
request some tomorrow unless someone beats me to it.
-- 
Guilhem.

[0] https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2

Attachment: signature.asc
Description: PGP signature

Reply via email to