-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Mar 2026 17:52:47 +0100
Source: roundcube
Architecture: source
Version: 1.6.14+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1131182
Changes:
 roundcube (1.6.14+dfsg-1) unstable; urgency=high
 .
   * New upstream security and bugfix release (closes: #1131182).
     + Fix pre-auth arbitrary file write via unsafe deserialization in
       redis/memcache session handler.
     + Fix bug where a password could get changed without providing the old
       password.
     + Fix IMAP Injection + CSRF bypass in mail search.
     + Fix remote image blocking bypass via various SVG animate attributes.
     + Fix remote image blocking bypass via a crafted <body> background
       attribute.
     + Fix fixed position mitigation bypass via use of `!important`.
     + Fix XSS vulnerability in HTML attachment preview.
     + Fix SSRF and information disclosure vulnerability via stylesheet links
       pointing to local network hosts.
   * Refresh d/patches.
   * Cherry-pick upstream changes from 1.7 to fix PHP 8.2 deprecation warning
     on utf8_{encode,decode}() uses.
   * Cherry-pick upstream change from 1.7 to fix PHP 8.4 deprecation warning
     on str_getcsv() use.
   * Cherry-pick upstream regression fix where mail search would fail on
     non-ascii search criteria.
   * Add custom patch to avoid dependency on mlocati/ip-lib, which as of today
     is not present in Debian.
   * phpunit: Pass `--display-deprecations` and
     `--display-phpunit-deprecations` flags.