
SUSE alert openSUSE-SU-2026:0070-1 (roundcubemail)

From:  maintenance@opensuse.org
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:0070-1: important: Security update for roundcubemail
Date:  Thu, 05 Mar 2026 21:05:00 +0100
Message-ID:  <20260305200500.751B3FCCC@maintenance.suse.de>

openSUSE Security Update: Security update for roundcubemail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0070-1
Rating:             important
References:         #1255306 #1255308 #1257909 #1258052
Cross-References:   CVE-2025-68460 CVE-2025-68461 CVE-2026-25916 CVE-2026-26079
CVSS scores:
                    CVE-2026-26079 (SUSE): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Affected Products:
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for roundcubemail fixes the following issues:

- update to 1.6.13
  This is a security update to the stable version 1.6 of Roundcube Webmail.
  It provides fixes to recently reported security vulnerabilities:
  + Fix CSS injection vulnerability reported by CERT Polska
    (boo#1258052, CVE-2026-26079).
  + Fix remote image blocking bypass via SVG content reported by nullcathedral
    (boo#1257909, CVE-2026-25916).
  This version is considered stable and we recommend updating all productive
  installations of Roundcube 1.6.x with it.
  Please do back up your data before updating!
  CHANGELOG
  + Managesieve: Fix handling of string-list format values for date tests in
    Out of Office (#10075)
  + Fix CSS injection vulnerability reported by CERT Polska.
  + Fix remote image blocking bypass via SVG content reported by nullcathedral.

- update to 1.6.12
  This is a security update to the stable version 1.6 of Roundcube Webmail.
  It provides fixes to recently reported security vulnerabilities:
  + Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by
    Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
  + Fix Information Disclosure vulnerability in the HTML style sanitizer
    reported by somerandomdev (boo#1255306, CVE-2025-68460).
  This version is considered stable and we recommend updating all productive
  installations of Roundcube 1.6.x with it.
  + Support IPv6 in database DSN (#9937)
  + Don't force specific error_reporting setting
  + Fix compatibility with PHP 8.5 regarding array_first()
  + Remove X-XSS-Protection example from .htaccess file (#9875)
  + Fix "Assign to group" action state after creation of a first group (#9889)
  + Fix bug where contacts search would fail if contactlist_fields contained
    vcard fields (#9850)
  + Fix bug where an mbox export file could include inconsistent message
    delimiters (#9879)
  + Fix parsing of inline styles that aren't well-formatted (#9948)
  + Fix Cross-Site-Scripting vulnerability via SVG's animate tag
  + Fix Information Disclosure vulnerability in the HTML style sanitizer

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

  zypper in -t patch openSUSE-2026-70=1

Package List:

- openSUSE Backports SLE-15-SP7 (noarch):

  roundcubemail-1.6.13-bp157.2.6.1

References:

https://www.suse.com/security/cve/CVE-2025-68460.html
https://www.suse.com/security/cve/CVE-2025-68461.html
https://www.suse.com/security/cve/CVE-2026-25916.html
https://www.suse.com/security/cve/CVE-2026-26079.html
https://bugzilla.suse.com/1255306
https://bugzilla.suse.com/1255308
https://bugzilla.suse.com/1257909
https://bugzilla.suse.com/1258052
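A way to confirm on a host that the package from this update is actually installed, as an added example that is not part of the SUSE advisory. The package name and fixed version are taken from the advisory's Package List; the rpm query assumes an RPM-based openSUSE host, while the version comparison itself runs anywhere.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether the installed
# roundcubemail package is at or above the version that carries these fixes.

PKG="roundcubemail"
FIXED_VERSION="1.6.13"   # upstream version in roundcubemail-1.6.13-bp157.2.6.1

# ver_ge A B: succeed when dotted numeric version A is >= version B.
# Compared component by component; a missing component counts as 0.
ver_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        if [ "$a" = "$ac" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bc" ]; then b=""; else b="${b#*.}"; fi
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
    done
    return 0
}

# nvr_version NVR: extract the upstream VERSION from a NAME-VERSION-RELEASE
# string, e.g. roundcubemail-1.6.13-bp157.2.6.1 -> 1.6.13
nvr_version() {
    v="${1#${PKG}-}"          # drop the package name prefix
    printf '%s\n' "${v%%-*}"  # drop the distribution release suffix
}

# is_fixed NVR: succeed when the package string is at the fixed version or later.
is_fixed() {
    ver_ge "$(nvr_version "$1")" "$FIXED_VERSION"
}

# On a real host, query the RPM database and report the result.
if command -v rpm >/dev/null 2>&1; then
    installed="$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null)" || installed=""
    if [ -z "$installed" ]; then
        echo "$PKG is not installed"
    elif is_fixed "$installed"; then
        echo "$installed: fixed (>= $FIXED_VERSION)"
    else
        echo "$installed: not yet fixed; run: zypper in -t patch openSUSE-2026-70=1"
    fi
fi
```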




Copyright © 2026, Eklektix, Inc.