-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Mar 2026 19:15:19 +0100
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u8
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers
Changed-By: Guilhem Moulin
Closes: 1131182 1132268
Changes:
 roundcube (1.6.5+dfsg-1+deb12u8) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.14 and v1.6.15
     (closes: #1131182, #1132268):
     + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe
       deserialization in redis/memcache session handler.
     + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search.
     + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview.
     + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via
       stylesheet links pointing to a local network hosts.
     + Fix CVE-2026-35541: A password could get changed without providing the
       old password in some situations.
     + Fix CVE-2026-35542: Remote image blocking bypass via a crafted
       background attribute.
     + Fix CVE-2026-35543: Remote image blocking bypass via various SVG
       animate attributes.
     + Fix CVE-2026-35544: Fixed position mitigation bypass via use of
       `!important`.
     + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image
       loading via fill/filter/stroke).
   * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is
     not present in bookworm.