Format: 1.8
Date: Fri, 20 Mar 2026 19:15:19 +0100
Source: roundcube
Binary: roundcube roundcube-core roundcube-mysql roundcube-pgsql roundcube-plugins roundcube-sqlite3
Architecture: all
Version: 1.6.5+dfsg-1+deb12u8
Distribution: bookworm-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03)
Changed-By: Guilhem Moulin
Description:
 roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 1131182 1132268
Changes:
 roundcube (1.6.5+dfsg-1+deb12u8) bookworm-security; urgency=high
 .
   * Cherry pick upstream security fixes from v1.6.14 and v1.6.15 (closes:
     #1131182, #1132268):
     + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe
       deserialization in redis/memcache session handler.
     + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search.
     + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview.
     + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via
       stylesheet links pointing to a local network hosts.
     + Fix CVE-2026-35541: A password could get changed without providing the
       old password in some situations.
     + Fix CVE-2026-35542: Remote image blocking bypass via a crafted
       background attribute.
     + Fix CVE-2026-35543: Remote image blocking bypass via various SVG animate
       attributes.
     + Fix CVE-2026-35544: Fixed position mitigation bypass via use of
       `!important`.
     + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image
       loading via fill/filter/stroke).
   * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is
     not present in bookworm.