Format: 1.8
Date: Mon, 25 May 2026 23:06:33 +0200
Source: roundcube
Binary: roundcube roundcube-core roundcube-mysql roundcube-pgsql roundcube-plugins roundcube-sqlite3
Architecture: all
Version: 1.6.16+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Guilhem Moulin
Description:
 roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 1137507
Changes:
 roundcube (1.6.16+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1137507).
     + Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
       via `preg_replace()` backslash escape bypass.
     + Fix CVE-2026-48843: SSRF bypass via specific local address URLs.
       Add support for non quad-dotted IPs and non-decimal fields to
       d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
       match the new upstream behavior.
     + Fix CVE-2026-48844: Code injection vulnerability via code evaluation
       support in LDAP autovalues option. Code evaluation support has now
       been removed.
     + Fix CVE-2026-48845: Local/private URL fetch bypass when remote
       resources were not allowed.
     + Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
     + Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
       session poisoning bypass.
     + Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG .
     + Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
       the draft restore dialog.
     + Fix PHP8 warnings.
     + Fix potential too long value in IMAP ID command.
   * Refresh d/patches.