Format: 1.8
Date: Tue, 26 May 2026 01:08:43 +0200
Source: roundcube
Binary: roundcube roundcube-core roundcube-mysql roundcube-pgsql roundcube-plugins roundcube-sqlite3
Architecture: all
Version: 1.6.5+dfsg-1+deb12u9
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Guilhem Moulin
Description:
 roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 1137507
Changes:
 roundcube (1.6.5+dfsg-1+deb12u9) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.16 (closes: #1137507).
     + Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
       via `preg_replace()` backslash escape bypass.
     + Fix CVE-2026-48843: SSRF bypass via specific local address URLs. Add
       support for non quad-dotted IPs and non-decimal fields to
       d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
       match the new upstream behavior.
     + Fix CVE-2026-48844: Code injection vulnerability via code evaluation
       support in LDAP autovalues option. Code evaluation support has now
       been removed.
     + Fix CVE-2026-48845: Local/private URL fetch bypass when remote
       resources were not allowed.
     + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
     + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
       session poisoning bypass.
     + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG .
     + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
       the draft restore dialog.