
Debian alert DLA-4517-1 (roundcube)

From:  Guilhem Moulin <guilhem@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4517-1] roundcube security update
Date:  Mon, 30 Mar 2026 17:09:08 +0200
Message-ID:  <acqSFFCQ42ZxtEa_@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4517-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
March 30, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : roundcube
Version        : 1.4.15+dfsg.1-1+deb11u8
CVE ID         : not yet available
Debian Bug     : 1131182 1132268

Multiple vulnerabilities were discovered in Roundcube, a skinnable AJAX-based webmail solution for IMAP servers, which might lead to information disclosure or privilege escalation.

* Georgios Tsimpidas discovered a server-side request forgery (SSRF) vulnerability via stylesheet links to local network hosts.

* An IMAP injection and CSRF bypass vulnerability was found in the email search logic.

* It was discovered that in some situations the password could be changed without providing the old one.

* NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize image sources in SVG `<animate>` attributes. This allows attackers to bypass remote image blocking in order to track when an email is opened, or potentially to bypass access control.

* NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize `<body background="…">` attributes. This allows attackers to bypass remote image blocking in order to track when an email is opened, or potentially to bypass access control.

* NULL CATHEDRAL discovered that the CSS sanitizer doesn't convert `position: fixed` to `position: absolute` when `!important` is used. This allows an attacker to mask the Roundcube UI with a fake "session expired" page and trick the user into an attacker-controlled login page.

* It was discovered that the HTML sanitizer doesn't sanitize image sources in SVG `<animate>` attributes reached via fill/filter/stroke. This allows attackers to bypass remote image blocking in order to track when an email is opened, or potentially to bypass access control.

* A cross-site scripting (XSS) vulnerability was found in the HTML attachment preview.
CVE IDs have been requested but have not been assigned yet.

For Debian 11 bullseye, these problems have been fixed in version 1.4.15+dfsg.1-1+deb11u8.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
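The three sanitizer gaps above (SVG `<animate>` attributes carrying remote image URLs, `<body background>`, and `position: fixed !important` surviving into the rendered message) can be checked for on a defender's side by scanning the HTML that a sanitizer emits. The following is an added example written for this page, not Roundcube's own washtml code; the sample message and the `tracker.example` host are constructed placeholders, and it also covers SVG `<set>`, which the advisory does not mention but which takes the same `to` attribute.

```python
import re
from html.parser import HTMLParser

# Constructed sample exercising the three sanitizer gaps the advisory lists
# (tracker.example is a placeholder host, not a real domain).
SAMPLE = """<html><head><style>
#overlay { position: fixed !important; top: 0; left: 0 }
</style></head>
<body background="https://tracker.example/open.gif">
<svg><animate attributeName="href" values="a.png;https://tracker.example/p.gif"/>
<circle><animate attributeName="fill" to="url(https://tracker.example/f.svg#p)"/></circle></svg>
<div style="position:fixed!important">Session expired, please sign in again</div>
</body></html>"""

REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.I)           # absolute or protocol-relative
URL_FUNC = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//", re.I)  # url(...) inside an SVG attribute
FIXED_IMPORTANT = re.compile(r"position\s*:\s*fixed\s*!\s*important", re.I)
ANIMATE_ATTRS = ("from", "to", "values")  # SMIL attributes that may carry a URL

class LeakFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False   # findings: (kind, offending value)
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self._in_style = self._in_style or tag == "style"
        if tag == "body" and REMOTE_URL.match(a.get("background", "")):
            self.findings.append(("body-background", a["background"]))
        if tag in ("animate", "set"):  # <set> added here; the advisory names <animate>
            for name in ANIMATE_ATTRS:
                parts = re.split(r"[;\s]+", a.get(name, ""))  # values="x;y" is a list
                if any(REMOTE_URL.match(p) or URL_FUNC.search(p) for p in parts):
                    self.findings.append(("svg-" + name, a[name]))
        if FIXED_IMPORTANT.search(a.get("style", "")):
            self.findings.append(("fixed-important", a["style"]))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"
    def handle_data(self, data):  # <style> bodies arrive here as one CDATA chunk
        if self._in_style and FIXED_IMPORTANT.search(data):
            self.findings.append(("fixed-important", data.strip()))

def find_leaks(html):
    p = LeakFinder(); p.feed(html); p.close()
    return p.findings   # every (kind, value) the sanitizer should have removed or rewritten

def neutralize_fixed(css):
    """Mitigation for the CSS case: keep !important but never pin to the viewport."""
    return re.sub(r"(position\s*:\s*)fixed(\s*!\s*important)", r"\1absolute\2", css, flags=re.I)
```

Run `find_leaks` over the output of the sanitizer in use; an empty list on a message like `SAMPLE` is the condition a fixed build should meet.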


Attachment: signature.asc (type=application/pgp-signature)





Copyright © 2026, Eklektix, Inc.