Source: roundcube
Version: 1.6.10+dfsg-2
Severity: grave
Control: found -1 1.6.5+dfsg-1+deb12u4
Control: found -1 1.4.15+dfsg.1-1+deb11u4
Tags: security upstream
Justification: user security hole

Roundcube webmail upstream has recently released 1.6.10 [0] which fixes the following vulnerability:

 * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
   https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

AFAICT no CVE-ID has been published for this issue. Will request one tomorrow if no one beats me to it.

--
Guilhem.

[0] https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10