Source: roundcube
Version: 1.6.11+dfsg-1
Severity: important
Control: found -1 1.6.5+dfsg-1+deb12u5
Control: found -1 1.4.15+dfsg.1-1+deb11u5
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Roundcube webmail upstream has recently released 1.6.12 [0] which fixes the following vulnerabilities:

 * Cross-Site-Scripting vulnerability via SVG's animate tag (reported by Valentin T., CrowdStrike).
   https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb

 * Information Disclosure vulnerability in the HTML style sanitizer (reported by somerandomdev).
   https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571

AFAICT no CVE-IDs have been published for these issues. Will request them shortly if no one beats me to it.

--
Guilhem.

[0] https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12

