   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   

   Message 27,208 of 28,835   
   Guilhem Moulin to All   
   Bug#1127447: roundcube: CSS injection vu   
   11 Feb 26 12:50:01   
   
   From: guilhem@debian.org   
      
   Control: retitle -1 roundcube: [CVE-2026-26079] CSS injection vulnerability   
   and [CVE-2026-25916] remote image blocking bypass   
      
   Hi,   
      
   Thanks for the update!  Here are tested debdiffs for trixie-security and   
   bookworm-security.  As for the previous upload, I suggest following   
   1.6.x for trixie-security (the upstream diff [0] is pretty targeted already)   
   and backporting targeted fixes for bookworm-security.   
      
   Cheers   
   --    
   Guilhem.   
      
   [0] https://github.com/roundcube/roundcubemail/compare/1.6.12...1.6.13   
      
   Content-Disposition: attachment; filename="roundcube_1.6.13+dfsg-0+deb13u1.debdiff"   
      
   diffstat for roundcube-1.6.12+dfsg roundcube-1.6.13+dfsg   
      
    CHANGELOG.md                                                           |    6    
    debian/changelog                                                       |    9    
    debian/patches/Fix-FTBFS-with-phpunit-11.patch                         |  121 ++++------
    plugins/managesieve/Changelog                                          |    1
    plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php             |    8
    program/lib/Roundcube/rcube_utils.php                                  |   64 +++--
    program/lib/Roundcube/rcube_washtml.php                                |    3
    public_html/plugins/managesieve/Changelog                              |    1
    public_html/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php |    8
    tests/Framework/Utils.php                                              |   16 +
    tests/Framework/Washtml.php                                            |    8    
    11 files changed, 160 insertions(+), 85 deletions(-)   
      
   diff -Nru roundcube-1.6.12+dfsg/CHANGELOG.md roundcube-1.6.13+dfsg/CHANGELOG.md   
   --- roundcube-1.6.12+dfsg/CHANGELOG.md	2025-12-14 09:10:51.000000000 +0100   
   +++ roundcube-1.6.13+dfsg/CHANGELOG.md	2026-02-08 10:25:02.000000000 +0100   
   @@ -2,6 +2,12 @@   
       
    ## Unreleased   
       
   +- Managesieve: Fix handling of string-list format values for date tests in   
   Out of Office (#10075)   
   +- Fix remote image blocking bypass via SVG content reported by nullcathedral   
   +- Fix CSS injection vulnerability reported by CERT Polska   
   +   
   +## Release 1.6.12   
   +   
    - Support IPv6 in database DSN (#9937)   
    - Don't force specific error_reporting setting   
    - Fix compatibility with PHP 8.5 regarding array_first()   
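
   Review bot: the two security entries added under "## Unreleased" ("Fix remote image blocking bypass via SVG content" and "Fix CSS injection vulnerability") carry no CVE identifiers, and the hunk introduces no "## Release 1.6.13" heading, so the mapping to CVE-2026-25916 and CVE-2026-26079 exists only in debian/changelog. This file is upstream's, so nothing needs to change in the upload, but anyone auditing the installed CHANGELOG.md should cross-reference the Debian changelog entry rather than search this file for the CVE numbers.
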
   diff -Nru roundcube-1.6.12+dfsg/debian/changelog roundcube-1.6.1   
   +dfsg/debian/changelog   
   --- roundcube-1.6.12+dfsg/debian/changelog	2025-12-14 11:51:43.000000000 +0100   
   +++ roundcube-1.6.13+dfsg/debian/changelog	2026-02-11 10:55:46.000000000 +0100   
   @@ -1,3 +1,12 @@   
   +roundcube (1.6.13+dfsg-0+deb13u1) trixie-security; urgency=high   
   +   
   +  * New upstream security and bugfix release (closes: #1127447).   
   +    + Fix CVE-2026-26079: CSS injection vulnerability.   
   +    + Fix CVE-2026-25916: Remote image blocking bypass via SVG content.   
   +  * Refresh d/patches.   
   +   
   + -- Guilhem Moulin   Wed, 11 Feb 2026 10:55:46 +0100   
   +   
    roundcube (1.6.12+dfsg-0+deb13u1) trixie-security; urgency=high   
       
      * New upstream security and bugfix release (closes: #1122899).   
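
   Review bot: the new entry names only the two CVE fixes, while the same upstream release also changes plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php (the Managesieve date-test fix, #10075, per the diffstat and CHANGELOG.md). "New upstream security and bugfix release" covers it, but for a -security upload consider listing that non-security change explicitly so reviewers see the full scope of what ships.
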
   diff -Nru roundcube-1.6.12+dfsg/debian/patches/Fix-FTBFS-with-phpunit-11.patch   
   roundcube-1.6.13+dfsg/debian/patches/Fix-FTBFS-with-phpunit-11.patch   
   --- roundcube-1.6.12+dfsg/debian/patches/Fix-FTBFS-with-phpunit-   
   1.patch	2025-12-14 11:51:43.000000000 +0100   
   +++ roundcube-1.6.13+dfsg/debian/patches/Fix-FTBFS-with-phpunit-   
   1.patch	2026-02-11 10:55:46.000000000 +0100   
   @@ -41,7 +41,7 @@   
     plugins/managesieve/tests/Forward.php              |  16 +-   
     plugins/managesieve/tests/Managesieve.php          |  14 +-   
     plugins/managesieve/tests/Script.php               |  17 +-   
   - plugins/managesieve/tests/Vacation.php             |  21 +-   
   + plugins/managesieve/tests/Vacation.php             |  21 ++-   
     plugins/markasjunk/tests/Markasjunk.php            |  22 ++-   
     plugins/new_user_dialog/tests/NewUserDialog.php    |  14 +-   
     .../new_user_identity/tests/NewUserIdentity.php    |  14 +-   
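
   Review bot: the only change in this hunk is the histogram bar for plugins/managesieve/tests/Vacation.php ("21 +-" to "21 ++-") in the patch's embedded diffstat, with the line count unchanged at 21, and the following hunks repeat the same pattern, so they look like regeneration noise from "Refresh d/patches". What needs checking is the part not visible here: upstream touched tests/Framework/Utils.php and tests/Framework/Washtml.php in this release and this patch covers files under tests/Framework/, so confirm that the refreshed patch's real hunks for those files apply without fuzz and that the test suite still runs at build time.
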
   @@ -76,9 +76,9 @@   
     tests/Actions/Contacts/Qrcode.php                  |  17 +-   
     tests/Actions/Contacts/Save.php                    |  27 +--   
     tests/Actions/Contacts/Search.php                  |  18 +-   
   - tests/Actions/Contacts/SearchCreate.php            |  21 +-   
   - tests/Actions/Contacts/SearchDelete.php            |  21 +-   
   - tests/Actions/Contacts/Show.php                    |  21 +-   
   + tests/Actions/Contacts/SearchCreate.php            |  21 ++-   
   + tests/Actions/Contacts/SearchDelete.php            |  21 ++-   
   + tests/Actions/Contacts/Show.php                    |  21 ++-   
     tests/Actions/Contacts/Undo.php                    |  15 +-   
     tests/Actions/Contacts/UploadPhoto.php             |  19 +-   
     tests/Actions/Login/Oauth.php                      |  14 +-   
   @@ -149,7 +149,7 @@   
     tests/ExitException.php                            |   6 +-   
     tests/Framework/Addressbook.php                    |  40 ++--   
     tests/Framework/Addresses.php                      |  16 +-   
   - tests/Framework/BaseReplacer.php                   |  21 +-   
   + tests/Framework/BaseReplacer.php                   |  21 ++-   
     tests/Framework/Bootstrap.php                      |   8 +-   
     tests/Framework/Browser.php                        |  34 ++--   
     tests/Framework/Cache.php                          |  18 +-   
   @@ -201,7 +201,7 @@   
     tests/Framework/Text2Html.php                      |  22 ++-   
     tests/Framework/TnefDecoder.php                    |  16 +-   
     tests/Framework/User.php                           |  30 +--   
      
   [continued in next message]   
      