-------------------------------------------------------------------------
Debian LTS Advisory DLA-4517-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
March 30, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : roundcube
Version        : 1.4.15+dfsg.1-1+deb11u8
CVE ID         : not yet available
Debian Bug     : 1131182 1132268

Multiple vulnerabilities were discovered in Roundcube, a skinnable
AJAX-based webmail solution for IMAP servers, which might lead to
information disclosure or privilege escalation.

* Georgios Tsimpidas discovered a Server-side request forgery (SSRF)
  vulnerability via stylesheet links to local network hosts.

* An IMAP injection and CSRF bypass vulnerability was found within the
  email search logic.

* It was discovered that one could change the password without providing
  the old one in some situations.

* NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize image
  sources in SVG `<animate>` attributes. This allows attackers to bypass
  remote image blocking to track when an email is opened, or potentially
  to bypass access control.

* NULL CATHEDRAL discovered that the HTML sanitizer doesn't sanitize
  `<body background="…">` attributes. This allows attackers to bypass
  remote image blocking to track when an email is opened, or potentially
  to bypass access control.

* NULL CATHEDRAL discovered that the CSS sanitizer doesn't convert
  `position: fixed` to `position: absolute` when `!important` is used.
  This allows an attacker to mask the Roundcube UI with a fake "session
  expired" page and trick the user into an attacker-controlled login
  page.

* It was discovered that the HTML sanitizer doesn't sanitize image
  sources in SVG `<animate>` attributes via fill/filter/stroke. This
  allows attackers to bypass remote image blocking to track when an email
  is opened, or potentially to bypass access control.

* A Cross-site scripting (XSS) vulnerability was found in the HTML
  attachment preview.
CVE IDs have been requested but have not been assigned yet.

For Debian 11 bullseye, these problems have been fixed in version
1.4.15+dfsg.1-1+deb11u8.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
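As an added example that is not part of this advisory and not Roundcube's own sanitizer, the following Python audit pass flags the HTML/CSS sanitizer gaps listed above (remote `<body background>`, SVG `<animate>` targets, `url()` paint references, and `position: fixed/absolute !important`) in a message body, so a mail gateway or test suite can check that a sanitizer catches them. The sample message, its hostnames and the finding names are constructed for this example.

```python
# Added example, not Roundcube's sanitizer: flag the sanitizer gaps in this advisory.
import re
from html.parser import HTMLParser

REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.I)           # whole value is a remote URL
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//", re.I)   # url(...) pointing off-host
POS_IMPORTANT = re.compile(r"position\s*:\s*(?:fixed|absolute)\s*!\s*important", re.I)
ANIMATE_TARGET_ATTRS = ("to", "from", "values", "by", "href", "xlink:href")
PAINT_ATTRS = ("fill", "filter", "stroke")  # url() paint references on SVG elements

class SanitizerGapAuditor(HTMLParser):
    """Collects (kind, value) findings; html.parser lowercases attribute names."""

    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        self._in_style = tag == "style"
        if tag == "body" and REMOTE_URL.match(attrs.get("background", "")):
            self.findings.append(("body-background", attrs["background"]))
        if tag in ("animate", "set"):           # SVG animation can retarget an image href
            for name in ANIMATE_TARGET_ATTRS:
                val = attrs.get(name, "")
                if REMOTE_URL.match(val) or CSS_URL.search(val):
                    self.findings.append((f"animate-{name}", val))
        for name in PAINT_ATTRS:                # e.g. fill="url(https://...)"
            if CSS_URL.search(attrs.get(name, "")):
                self.findings.append((f"{tag}-{name}", attrs[name]))
        if POS_IMPORTANT.search(attrs.get("style", "")):  # can overlay the webmail UI
            self.findings.append(("position-important", attrs["style"]))

    def handle_data(self, data):                # CSS text inside a <style> block
        if self._in_style and POS_IMPORTANT.search(data):
            self.findings.append(("position-important", data.strip()))
        self._in_style = False

def audit(html):
    auditor = SanitizerGapAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample message (placeholder hostnames) exercising every gap above
SAMPLE_EMAIL_HTML = """<html><head><style>.x{position:absolute !important}</style></head>
<body background="https://tracker.example/p.gif">
<div style="position: fixed !important; top:0; left:0">Session expired</div>
<svg><rect fill="url(https://tracker.example/f.svg#a)"/>
<animate attributeName="href" to="https://tracker.example/a.png"/></svg></body></html>"""
```

A message that yields no findings still needs the regular sanitizer; this pass only reports the patterns named in the advisory, it does not rewrite the HTML.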