-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 May 2026 00:30:41 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1137507
Changes:
 roundcube (1.6.16+dfsg-1) unstable; urgency=medium
 .
   * New upstream security and bugfix release (closes: #1137507).
     + Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog.
     + Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">.
     + Fix pre-auth SQL injection in `virtuser_query plugin` via `preg_replace()` backslash escape bypass.
     + Fix SSRF bypass via specific local address URLs.
     + Fix local/private URL fetch bypass when remote resources were not allowed.
     + Fix bypass of remote image blocking via CSS `var()`.
     + Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass.
     + Code injection vulnerability via code evaluation support in LDAP autovalues option. Code evaluation support has been removed.
   * Refresh d/patches.
   * d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Add support for non quad-dotted IPs and non-decimal fields to match the upstream behavior.
   * Update Standards-Version to 4.7.4 (no changes necessary).
Checksums-Sha1:
 9d7e3296d2acee9157f03a830dc8f31016c8ae34 3845 roundcube_1.6.16+dfsg-1.dsc
 1a3cd9678dcb0a130681a4fbe1eca68052d00d5b 126884 roundcube_1.6.16+dfsg.orig-tinymce-langs.tar.xz
 38c2baef9e85c0d497c31715eeba89ba8dd4d8b3 1928780 roundcube_1.6.16+dfsg.orig-tinymce.tar.xz
 f18404da6e008cd6b488bcdfde8feee9244b7c93 2793532 roundcube_1.6.16+dfsg.orig.tar.xz
 e2115633782fb8a1a0483e8605e4c2665c946539 158648 roundcube_1.6.16+dfsg-1.debian.tar.xz
 3072b588f4427d28852d1df4af312b3785547322 6185 roundcube_1.6.16+dfsg-1_source.buildinfo
Checksums-Sha256:
 cbb894b82f90ab086b1fb5ea764667bfa83fff6f86b0a822e9c932e6714fc58d 3845 roundcube_1.6.16+dfsg-1.dsc
 04a78e28c9e7cf2f0d67d989954ebeb2693db7c25b511e37b1be851ab00ec0e4 126884 roundcube_1.6.16+dfsg.orig-tinymce-langs.tar.xz
 2f9513c4c9f4b4f486a2a10614a9215acb41e94374ec453d656ea420d8e4e168 1928780 roundcube_1.6.16+dfsg.orig-tinymce.tar.xz
 491d92dee757bc22672181d42fb09334d83826cace9d4f7ea0b2ac0fc0355a77 2793532 roundcube_1.6.16+dfsg.orig.tar.xz
 a33b00bca2f9d23cedfba49e7a6e6b5889a38a730703097de3403a7f80fb79cf 158648 roundcube_1.6.16+dfsg-1.debian.tar.xz
 e1ff92ecae989bb52eef93e40e0ec24bb7f45e5a5fc58068dda007fb832aadb4 6185 roundcube_1.6.16+dfsg-1_source.buildinfo
Files:
 e06c2588e866b4f8b9d5295216ed0f4f 3845 web optional roundcube_1.6.16+dfsg-1.dsc
 f2adaee4ceaeb18948b7c3fcd3b76dca 126884 web optional roundcube_1.6.16+dfsg.orig-tinymce-langs.tar.xz
 543ea8ab031d4a17869930bc16287e9c 1928780 web optional roundcube_1.6.16+dfsg.orig-tinymce.tar.xz
 7fd70691566a18ddd6e74a13a5a677d0 2793532 web optional roundcube_1.6.16+dfsg.orig.tar.xz
 032a53fcda2058d64011db7e8c15281a 158648 web optional roundcube_1.6.16+dfsg-1.debian.tar.xz
 c1264abc59c7aee2c205bf441b3d9896 6185 web optional roundcube_1.6.16+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmoTf+kACgkQ05pJnDwh
pVJASw//eVs+ZUBR5XOdtnmi9VoX+z2QRE3C94XDdMBxwYlgzwbVZ5HBKQGGhhel
FDXRu/6fmbXZZIJAVlRV+4gDwBdU42mlZ8kaqH08fqWa+2k4zWgjoJFZ6yFi2i2/
BCMZQz2ohMDeNmqZLrAQdR4w2jP8vELJ/H0SDRVkUF1IgB+6BlZdOBq7JlYq3VOG
b5b+z6OlV2fx8r6u8nHIHXJc4O6kr2/HiF4N+TZgikCVE4bxvsFjo4xu1X7drFGu
435pZGIsaBhlAwYq9EV4qCReeV8NYZVLkCkAHjj/ZiiTn8je7E59nLctGHKLJYz1
UKkTmJ2Ux2z+A8QHA8v2Mgx0mJIqcmRQnlsVpwGRGNk6P8ittzcCmO1r7cguZhZS
UoPS+rvQZp7gr6MeGoYVzZ9pYuw2p9w+ztEimWX7MfZsn2GjUwXiI303BmqtZy1O
xukTuVfg3IKDFSq8/XoYRZjy9d8guyYYu80Fzd1PW+FMZYbZXgHRkXl5RCTf86h6
SWxdxpToKgaXrdrx9ARW/9774NcsFLdxpQv1Qqlcmaj94u4xft/cTfjf+IU1cT7K
EOxyFjgm93/uNQP7P8ZQPbiol2DGFxD27Ypy6dfmlCDoFv0N7tuP4jllU0ruoW/Z
9AQm26tssCVr3XVsqLnUT+mhayzMP4sZKuyAvTXbNCvqNvI0CVc=
=yWIg
-----END PGP SIGNATURE-----
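The Checksums-Sha256 stanza above is what lets a consumer confirm that the .dsc, the orig tarballs and the debian tarball they fetched are the ones this signed upload describes. The script below is an added example written for this page; it is not part of the Debian upload or of the roundcube or devscripts source. It parses the stanza out of a .changes file and feeds it to sha256sum. It assumes GNU coreutils sha256sum and awk are installed and that the listed files sit in the same directory as the .changes file; the file names and the sample digest used in the comments are illustrative.

```sh
#!/bin/sh
# Added example, not part of the Debian upload above: check downloaded
# source artefacts against the Checksums-Sha256 stanza of a .changes file.
# Assumptions: GNU coreutils sha256sum and awk are installed, and the
# listed files sit in the same directory as the .changes file.

# Print "<sha256>  <filename>" for each entry of the Checksums-Sha256
# stanza. Stanza entries are indented by one space and have three fields
# (digest, size, name); the stanza ends at the next unindented "Key:" line
# (in a .changes file that is "Files:").
changes_sha256_lines() {
    awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        /^[A-Za-z0-9-]+:/    { in_stanza = 0 }
        in_stanza && NF == 3 { print $1 "  " $3 }
    ' "$1"
}

# Number of files the stanza lists (0 means the stanza is absent).
changes_sha256_count() {
    changes_sha256_lines "$1" | wc -l | tr -d ' '
}

# Verify every listed file, resolving names relative to the directory
# holding the .changes file. Exit status 0 only if the stanza is present
# and every digest matches; a missing file or a mismatch is a failure.
verify_changes_sha256() {
    changes=$1
    dir=$(dirname "$changes")
    [ "$(changes_sha256_count "$changes")" -gt 0 ] || {
        echo "no Checksums-Sha256 stanza in $changes" >&2
        return 1
    }
    changes_sha256_lines "$changes" | (cd "$dir" && sha256sum -c >/dev/null)
}

# Usage (after downloading the upload's files next to the .changes file):
#   verify_changes_sha256 roundcube_1.6.16+dfsg-1_source.changes && echo OK
```

This checks integrity only; the digests are trustworthy because the .changes file is clearsigned, so verify the signature first (dscverify from devscripts checks the signature against the Debian keyrings and the checksums in one step). Note also that sha256sum -c reports a mismatch on stderr and returns non-zero, which is what the function relies on.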