Your message dated Tue, 03 Jun 2025 18:02:28 +0000
with message-id <e1umvy0-000rcj...@fasolo.debian.org>
and subject line Bug#1107073: fixed in roundcube 1.6.5+dfsg-1+deb12u5
has caused the Debian Bug report #1107073,
regarding CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107073: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107073
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: roundcube
Version: 1.6.10+dfsg-2
Severity: grave
Control: found -1 1.6.5+dfsg-1+deb12u4
Control: found -1 1.4.15+dfsg.1-1+deb11u4
Tags: security upstream
Justification: user security hole

Roundcube webmail upstream has recently released 1.6.10 [0] which fixes
the following vulnerability:

 * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
   https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

AFAICT no CVE-ID has been published for this issue.  Will request one
tomorrow if no one beats me to it.
-- 
Guilhem.

[0] https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10



--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 1.6.5+dfsg-1+deb12u5
Done: Guilhem Moulin <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Jun 2025 10:01:44 +0200
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1107073
Changes:
 roundcube (1.6.5+dfsg-1+deb12u5) bookworm-security; urgency=high
 .
   * Fix CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization.
     (Closes: #1107073)
   * Regression fix: CVE-2024-42009.patch from 1.6.5+dfsg-1+deb12u3 and
     1.6.5+dfsg-1+deb12u4 caused some HTML messages to be displayed unstyled.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
