Format: 1.8
Date: Wed, 27 May 2026 23:48:41 +0200
Source: roundcube
Architecture: source
Version: 1.4.15+dfsg.1-1+deb11u9
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1132838 1137507
Changes:
 roundcube (1.4.15+dfsg.1-1+deb11u9) bullseye-security; urgency=high
 .
   * Backport upstream security fixes from v1.6.16 (closes: #1137507).
     + Fix CVE-2026-48842: Pre-auth SQL injection in `virtuser_query` plugin
       via `preg_replace()` backslash escape bypass.
     + Fix CVE-2026-48843: SSRF bypass via specific local address URLs.
       Add support non quad-dotted IPs and non-decimal fields to
       d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
       match the new upstream behavior.
     + Fix CVE-2026-48844: Code injection vulnerability via code evaluation
       support in LDAP autovalues option. Code evaluation support has now
       been removed.
     + Fix CVE-2026-48845: Local/private URL fetch bypass when remote
       resources were not allowed.
     + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
     + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
       session poisoning bypass.
     + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
       <animate attributeName="style">.
     + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
       the draft restore dialog.
   * d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Avoid the use
     of array destructuring to restore compatibility with PHP<7.1.
     Closes: #1132838