Format: 1.8
Date: Mon, 30 Mar 2026 13:40:22 +0200
Source: roundcube
Binary: roundcube roundcube-core roundcube-mysql roundcube-pgsql roundcube-plugins roundcube-sqlite3
Architecture: all
Version: 1.6.15+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Guilhem Moulin
Description:
 roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 1131182 1132268
Changes:
 roundcube (1.6.15+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1131182, #1132268).
     + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe
       deserialization in redis/memcache session handler.
     + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search.
     + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview.
     + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via
       stylesheet links pointing to a local network hosts.
     + Fix CVE-2026-35541: A password could get changed without providing the
       old password in some situations.
     + Fix CVE-2026-35542: Remote image blocking bypass via a crafted
       background attribute.
     + Fix CVE-2026-35543: Remote image blocking bypass via various SVG animate
       attributes.
     + Fix CVE-2026-35544: Fixed position mitigation bypass via use of
       `!important`.
     + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image
       loading via fill/filter/stroke).
   * Refresh d/patches.
   * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is
     not present in trixie.