-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Mar 2026 13:40:22 +0200
Source: roundcube
Architecture: source
Version: 1.6.15+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers
Changed-By: Guilhem Moulin
Closes: 1131182 1132268
Changes:
 roundcube (1.6.15+dfsg-0+deb13u1) trixie-security; urgency=high
 .
   * New upstream security and bugfix release (closes: #1131182, #1132268).
     + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe
       deserialization in redis/memcache session handler.
     + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search.
     + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview.
     + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via
       stylesheet links pointing to a local network hosts.
     + Fix CVE-2026-35541: A password could get changed without providing the
       old password in some situations.
     + Fix CVE-2026-35542: Remote image blocking bypass via a crafted
       background attribute.
     + Fix CVE-2026-35543: Remote image blocking bypass via various SVG animate
       attributes.
     + Fix CVE-2026-35544: Fixed position mitigation bypass via use of
       `!important`.
     + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image
       loading via fill/filter/stroke).
   * Refresh d/patches.
   * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is
     not present in trixie.