-------------------------------------------------------------------------
Debian LTS Advisory DLA-4604-1                          [email protected]
https://www.debian.org/lts/security/                       Guilhem Moulin
May 28, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : roundcube
Version : 1.4.15+dfsg.1-1+deb11u9
CVE ID : CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845
CVE-2026-48846 CVE-2026-48847 CVE-2026-48848 CVE-2026-48849
Debian Bug : 1132838 1137507
Multiple vulnerabilities were discovered in Roundcube, a skinnable AJAX
based webmail solution for IMAP servers, which could result in
cross-site scripting, SQL injection, server-side request forgery,
information disclosure, code injection, or deletion of arbitrary files.
CVE-2026-48842
Pre-authentication SQL injection in `virtuser_query` plugin via
`preg_replace()` backslash escape bypass.
CVE-2026-48843
Server-Side Request Forgery (SSRF) vulnerability via stylesheet links
to specific local-address URLs. This issue stems from an insufficient
fix for CVE-2026-35540.
CVE-2026-48844
Code injection vulnerability via code evaluation support in LDAP's
`autovalues` option. Code evaluation support has been removed in
this update.
CVE-2026-48845
Local/private URL fetch bypass when remote resources are not allowed.
This lets attackers circumvent remote image blocking and potentially
bypass access control.
CVE-2026-48846
Bypass of remote image blocking via CSS `var()`. This lets attackers
circumvent remote image blocking to track when an email is opened, or
potentially bypass access control.
CVE-2026-48847
Pre-authentication arbitrary file delete via redis/memcache session
poisoning bypass.
CVE-2026-48848
CSS injection bypass in HTML sanitizer via SVG `<animate
attributeName="style">`.
CVE-2026-48849
Stored XSS/HTML/CSS injection in subject field of the draft restore
dialog.
For Debian 11 bullseye, these problems have been fixed in version
1.4.15+dfsg.1-1+deb11u9.
We recommend that you upgrade your roundcube packages.
For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
