Ubuntu alert USN-8132-1 (roundcube)
| From: | noreply+usn-bot@canonical.com |
| To: | ubuntu-security-announce@lists.ubuntu.com |
| Subject: | [USN-8132-1] Roundcube Webmail vulnerabilities |
| Date: | Mon, 30 Mar 2026 21:41:58 +0000 |
| Message-ID: | <E1w7KMw-0000Vr-UI@lists.ubuntu.com> |
==========================================================================
Ubuntu Security Notice USN-8132-1
March 30, 2026

roundcube vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Roundcube Webmail.

Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapack

Details:

It was discovered that Roundcube Webmail did not properly sanitize certain
HTML elements within the e-mail body. An attacker could possibly use this
issue to cause a cross-site scripting attack. This issue was only addressed
in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)

It was discovered that Roundcube Webmail did not properly handle certain
configuration parameters. An attacker could possibly use this issue to
execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2016-9920)

It was discovered that Roundcube Webmail did not properly sanitize CSS
styles within SVG documents. An attacker could possibly use this issue to
cause a cross-site scripting attack. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2017-6820)

It was discovered that Roundcube Webmail did not properly restrict the exec
call in certain drivers of the password plugin. An authenticated user could
possibly use this issue to perform arbitrary password resets. This issue
was only addressed in Ubuntu 16.04 LTS. (CVE-2017-8114)

It was discovered that Roundcube Webmail did not properly set file
permissions within the Enigma plugin. An attacker could possibly use this
issue to exfiltrate GPG private keys via network connectivity.
(CVE-2018-1000071)

It was discovered that Roundcube Webmail did not properly handle GnuPG MDC
integrity-protection warnings. An attacker could possibly use this issue to
obtain sensitive information from encrypted communications.
(CVE-2018-19205)

It was discovered that Roundcube Webmail did not properly sanitize <svg>
and <style> tags within HTML attachments. An attacker could possibly use
this issue to cause a cross-site scripting attack. (CVE-2018-19206)

It was discovered that Roundcube Webmail did not properly handle partially
encrypted multipart messages. An attacker could possibly use this issue to
leak the plaintext of encrypted messages via an email reply.
(CVE-2019-10740)

It was discovered that Roundcube Webmail did not properly sanitize a
certain parameter within the archive plugin. An attacker could possibly use
this issue to perform an IMAP injection attack. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2018-9846)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  roundcube-core                  1.3.6+dfsg.1-1ubuntu0.1~esm7
                                  Available with Ubuntu Pro
  roundcube-plugins               1.3.6+dfsg.1-1ubuntu0.1~esm7
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  roundcube-core                  1.2~beta+dfsg.1-0ubuntu1+esm7
                                  Available with Ubuntu Pro
  roundcube-plugins               1.2~beta+dfsg.1-0ubuntu1+esm7
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8132-1
  CVE-2016-4068, CVE-2016-4069, CVE-2016-9920, CVE-2017-6820, CVE-2017-8114,
  CVE-2018-1000071, CVE-2018-19205, CVE-2018-19206, CVE-2018-9846,
  CVE-2019-10740
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmnK7dsACgkQcpJm3tlz
hgF/ZBAAhVKIKJ9UZY3RVMxZlRbTzay1D11GAiWRb32oJQkYiWoCR3cUG7sMeWSb
+rtIC6RFSESTloc4uNti8Ito3Px9il9EaJwVXjmX8p2YHwAblYnhZxYI4K0z0iIg
Fd9qINEwX80/hqxNlxb2WH4e1CJ8H+gFXX2mUwRm8M8paInhhmkbO5mM+6MqbkOP
PPaveEvkgPSHU6CjlCVj2YiaijqQWlM5NW/zKlc/aX4CujkVaTYwShm0l1Fz99nr
K9tDQT8M8PJamWxMnn+g5ox/8KypOOhenoGH2UleY+KIwqsdCv+erhX8AcBAt0gU
BeoHyq3SuCHQDy57cMiwhlkOObMUm/p93mjAB+BcEdzjG17vyYcEuR95hV+wvPj+
ING0nQeEUskiaD6LgBmtqzrQnJgF7tel8HzaVIbfYWbQm1DPfWwTeOG47rdLmKPQ
RuaFa5CJ+V3G0fmKxpvjLTA+ukLDWqenYVRBdObViS8zqooS7TAdVj15llOtCBTL
5w7FsVkPbc6paMOHR3Is5/UQMbdhoY615N3nOkVrP/42khexAxhceZ2fhaSgXOt8
lZogMcSfOuVzcUki6AguPZgy5Sj2kFaoO9cVwqiSc2NRaFZXSOGTrrAO5kzAL5+k
DXTxjxd+9HJnklZ9O68cbGyPcOm/fusTpM5r9Lmu7omniCmCVeM=
=wBuR
-----END PGP SIGNATURE-----
