Format: 1.8
Date: Mon, 25 May 2026 23:06:33 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1137507
Changes:
 roundcube (1.6.16+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1137507).
     + Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
       via `preg_replace()` backslash escape bypass.
     + Fix CVE-2026-48843: SSRF bypass via specific local address URLs.
       Add support for non quad-dotted IPs and non-decimal fields to
       d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
       match the new upstream behavior.
     + Fix CVE-2026-48844: Code injection vulnerability via code evaluation
       support in LDAP autovalues option.  Code evaluation support has now
       been removed.
     + Fix CVE-2026-48845: Local/private URL fetch bypass when remote
       resources were not allowed.
     + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
     + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
       session poisoning bypass.
     + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
       <animate attributeName="style">.
     + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
       the draft restore dialog.
     + Fix PHP8 warnings.
     + Fix potential too long value in IMAP ID command.
   * Refresh d/patches.

