Source: roundcube Version: 1.6.16+dfsg-1 Control: found -1 1.6.16+dfsg-0+deb13u1 Control: found -1 1.6.5+dfsg-1+deb12u9 Control: found -1 1.4.15+dfsg.1-1+deb11u9 Severity: important Tags: security upstream X-Debbugs-Cc: Debian Security Team <[email protected]>
Roundcube webmail upstream has recently released 1.6.17 [0] which fixes
the following security vulnerabilities:
1. Infinite loop in TNEF (winmail.dat) decoder
https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38
https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89
2. Various vulnerabilities in the password plugin using
session-injected username
https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476
https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c
3. CVE-2026-54432: Stored XSS via unescaped attachment MIME type on
the attachment-validation warning page
https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e4393d32abb157cb2a568
4. SSRF bypass via specific local address URLs
https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040cef8607b677d459e0786
5. CVE-2026-54433: Zero-click stored XSS in plain-text rendering
https://github.com/roundcube/roundcubemail/commit/63e42e233c6e8b5100e2e61a4d13addcd1a45bd5
6. DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda511b8464fe9cb34b522c1
AFAIK no CVE-ID have been published for issues 1, 2, 4 and 6. I'll
request some tomorrow unless someone beats me to it.
--
Guilhem.
[0] https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2
signature.asc
Description: PGP signature

