Format: 1.8
Date: Fri, 20 Mar 2026 19:52:47 +0100
Source: roundcube
Architecture: source
Version: 1.4.15+dfsg.1-1+deb11u8
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1131182 1132268
Changes:
 roundcube (1.4.15+dfsg.1-1+deb11u8) bullseye-security; urgency=high
 .
   * Backport upstream security fixes from v1.5.14 and v1.5.15 (closes: #1131182, #1132268):
     + Fix bug where a password could get changed without providing the old password.
     + Fix IMAP Injection + CSRF bypass in mail search.
     + Fix remote image blocking bypass via various SVG animate attributes.
     + Fix remote image blocking bypass via a crafted <body> background attribute.
     + Fix fixed position mitigation bypass via use of `!important`.
     + Fix XSS vulnerability in HTML attachment preview.
     + Fix SSRF and information disclosure vulnerability via stylesheet links pointing to local network hosts.
     + Fix SVG animate FUNCIRI attribute bypass (remote image loading via fill/filter/stroke).
   * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is not present in bullseye.