Overview

File _patchinfo of Package patchinfo.19386

<patchinfo incident="19386">
  <issue tracker="bnc" id="1258052">VUL-0: CVE-2026-26079: roundcubemail: Cascading Style Sheets (CSS) injection via mishandled comments</issue>
  <issue tracker="bnc" id="1257909">VUL-0: CVE-2026-25916: roundcubemail: remote image blocking bypass via SVG content</issue>
  <issue tracker="bnc" id="1255306">VUL-0: CVE-2025-68460: roundcubemail: HTML style sanitizer can cause information disclosure</issue>
  <issue tracker="bnc" id="1255308">VUL-0: CVE-2025-68461: roundcubemail: crafted SVG animate tag can enable cross-site scripting (XSS)</issue>
  <issue tracker="cve" id="2026-26079"/>
  <issue tracker="cve" id="2026-25916"/>
  <issue tracker="cve" id="2025-68461"/>
  <issue tracker="cve" id="2025-68460"/>
  <packager>abergmann</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for roundcubemail</summary>
  <description>This update for roundcubemail fixes the following issues:

- update to 1.6.13
  This is a security update to the stable version 1.6 of Roundcube Webmail.
  It provides fixes to recently reported security vulnerabilities:
  + Fix CSS injection vulnerability reported by CERT Polska (boo#1258052,
    CVE-2026-26079).
  + Fix remote image blocking bypass via SVG content reported by nullcathedral
    (boo#1257909, CVE-2026-25916).
  This version is considered stable and we recommend to update all productive 
  installations of Roundcube 1.6.x with it. Please do backup your data 
  before updating!
  CHANGELOG
  + Managesieve: Fix handling of string-list format values for date 
    tests in Out of Office (#10075)
  + Fix CSS injection vulnerability reported by CERT Polska.
  + Fix remote image blocking bypass via SVG content reported by nullcathedral.

- update to 1.6.12
  This is a security update to the stable version 1.6 of Roundcube Webmail.
  It provides fixes to recently reported security vulnerabilities:
  
  + Fix Cross-Site-Scripting vulnerability via SVG's animate tag 
    reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
  + Fix Information Disclosure vulnerability in the HTML style 
    sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).
  This version is considered stable and we recommend to update all 
  productive installations of Roundcube 1.6.x with it. 
  + Support IPv6 in database DSN (#9937)
  + Don't force specific error_reporting setting
  + Fix compatibility with PHP 8.5 regarding array_first()
  + Remove X-XSS-Protection example from .htaccess file (#9875)
  + Fix "Assign to group" action state after creation of a first group (#9889)
  + Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
  + Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
  + Fix parsing of inline styles that aren't well-formatted (#9948)
  + Fix Cross-Site-Scripting vulnerability via SVG's animate tag
  + Fix Information Disclosure vulnerability in the HTML style sanitizer
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places