Debian Patches
Status for roundcube/1.6.5+dfsg-1+deb12u8
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| dbconfig-common-support.patch | Adapt db.inc.php to the use of dbconfig-common package | Romain Beauxis <toots@rastageeks.org> | not-needed | | | 2007-03-13 |
| debianize-config.patch | Debianize sample config file. * By default we do not have any plugins available (these are in roundcube-plugins). * Disable spellchecking, because it needs recommended packages. | Sandro Knauß <bugs@sandroknauss.de> | not-needed | | | 2016-05-09 |
| fix-install-path.patch | Fix INSTALL_PATH for bin/*.sh and tests/bootstrap.php. These scripts get installed to /usr/share/roundcube/bin, but INSTALL_PATH should be /var/lib/roundcube/. Fixed/updated with sed -ri "s#(\\s*define\\s*\\(\\s*(['\"])INSTALL_PATH\\2)\\s*,.*#\\1, '/var/lib/roundcube/');#" \ bin/*.sh installer/index.php program/include/iniset.php Except: - bin/install-jsdeps.sh, where we keep define('INSTALL_PATH', realpath(__DIR__ . '/..') . '/' ); and - bin/updatecss.sh, where we use define('INSTALL_PATH', './'); We also edit tests/bootstrap.php to use the RCUBE_INSTALL_PATH environment variable. | Guilhem Moulin <guilhem@debian.org> | not-needed | | | 2019-06-08 |
| update-script.patch | Patch update scripts to work with Debian package | Sandro Knauß <bugs@sandroknauss.de> | not-needed | | | 2015-03-13 |
| use-enchant.patch | Use enchant spellchecker engine by default. We don't want to send messages to a 3rd party… | Vincent Bernat <bernat@debian.org> | not-needed | | | 2009-07-05 |
| default-charset-utf8.patch | Switch to UTF-8 as default charset | Vincent Bernat <bernat@debian.org> | not-needed | | | 2010-07-17 |
| debianize-password-plugin.patch | Specify Debian path and group names in password plugin | Jérémy Bobbio <lunar@debian.org> | not-needed | | | 2011-06-20 |
| map-sqlite3-to-sqlite.patch | Map dbconfig-common's "sqlite3" driver to "sqlite" | Vincent Bernat <bernat@luffy.cx> | not-needed | debian | | 2013-07-12 |
| use-embedded-jquery-for-http-authentication.patch | Avoid fetching jQuery from Google, use the embedded one. This page is also just an example. The user is expected to provide their own page. | Vincent Bernat <vincent@bernat.im> | not-needed | | | 2015-08-22 |
| update-composer.patch | Update PHP pear dependencies. The current dependencies that are published by upstream are too conservative, so: * replace ~ and ^ (that only allows minor versions changes) with >= as documented in the INSTALL file; * replace pear/ with pear-pear.php.net/ to create current Debian package names. | Sandro Knauß <bugs@sandroknauss.de> | not-needed | debian | Debian | 2021-07-06 |
| update-jsdeps.patch | Make it possible to download/install unminified sourcefiles. We remove system libraries from this file so we easily notice updates (either of the version, or of the map). | Sandro Knauß <hefee@debian.org> | not-needed | | Debian | 2021-07-06 |
| use-system-JQueryUI.patch | Use system JQueryUI. We source jquery-ui-accessible-datepicker.min.js after libjs-jquery-ui's jquery-ui.min.js to avoid concatenating these files (see the former's headers). Also libjs-jquery-ui's datepicker-* files don't have the ‘jquery.ui.’ prefix. | Guilhem Moulin <guilhem@debian.org> | not-needed | | | 2019-06-07 |
| rename-python-to-python3.patch | Rename `python` to `python3` | Guilhem Moulin <guilhem@debian.org> | not-needed | | | 2021-01-10 |
| adjust-test-environment-for-dep8.patch | Adjust test environment for DEP-8 tests. Changes: 1. Source ‘INSTALL_PATH . 'plugins/…’ rather than ‘__DIR__ . '/../…’ in setUp(). This doesn't cause FTBFS but we want to check installed code in DEP-8 tests. 2. Source ‘TESTS_DIR . '../SQL/…’ rather than ‘INSTALL_PATH . '/SQL/…’ in tests/ActionTestCase.php. Again, this doesn't cause FTBFS but we want to run DEP-8 tests too and the binary packages ship the SQL scripts under dbconfig-common not INSTALL_PATH. | Guilhem Moulin <guilhem@debian.org> | not-needed | | | 2021-01-10 |
| fix-autoload-locations.patch | Fix autoload locations. Snippets generated with `phpabtpl --suggest bacon/bacon-qr-code` and `phpabtpl --suggest GuzzleHttp`. | Guilhem Moulin <guilhem@debian.org> | not-needed | debian | | 2022-03-13 |
| mark-flaky-tests-as-such.patch | Mark flaky tests as such. That way we can run phpunit with `--exclude-group=flaky --fail-on-skipped --verbose` and avoid missing unintentionally skipped tests. | Guilhem Moulin <guilhem@debian.org> | no | | | 2022-03-13 |
| dont-force-set-session.gc_probability=1.patch | Don't force set session.gc_probability=1. We don't have to rely on probabilistic synchronous garbage collection since we're running bin/gc.sh periodically. If desired the local admin can manually set session.gc_probability > 0 in the PHP configuration (on Debian systems the default value is 0 which disables probability based GC). They may then want to disable the cronjob or systemd.timer(5) unit. This reverts upstream commit 32a0ad6778cde495e30f3447e5220136f0528cee. | Guilhem Moulin <guilhem@debian.org> | no | | | 2022-06-29 |
| fix-upstream-test-suite.patch | Fix upstream's test suite. Also, in our environment phpunit(1) resides in /usr/bin not vendor/bin. | Guilhem Moulin <guilhem@debian.org> | no | | | 2022-12-20 |
| CVE-2024-37384.patch | Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Reported by Huy Nguyễn Phạm Nhật. | Aleksander Machniak <alec@alec.pl> | no | debian | https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7 | 2024-05-19 |
| CVE-2024-37383.patch | Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike. | Aleksander Machniak <alec@alec.pl> | no | debian | https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242 | 2024-05-19 |
| Fix-fatal-error-when-parsing-some-TNEF-attachments.patch | Fix fatal error when parsing some TNEF attachments | Aleksander Machniak <alec@alec.pl> | yes | upstream | https://github.com/roundcube/roundcubemail/commit/22d403d5fdea1846319389d3d65ef60726434712 | 2024-06-02 |
| Fix-bug-where-an-unhandled-exception-was-caused-by-an-inv.patch | Fix bug where an unhandled exception was caused by an invalid image attachment. GD functions may throw ValueError in some cases since PHP 8.0. We wrap them in try/catch blocks. | Aleksander Machniak <alec@alec.pl> | yes | upstream | https://github.com/roundcube/roundcubemail/commit/9d9f4d6926e16e9acd46231ee6d03695d058565a | 2024-07-21 |
| Fix-infinite-loop-when-parsing-malformed-Sieve-script.patch | Fix infinite loop when parsing malformed Sieve script | Aleksander Machniak <alec@alec.pl> | yes | upstream | https://github.com/roundcube/roundcubemail/commit/3567090a997e95aac6bb052bfb48bb301d0c03c3 | 2024-07-31 |
| Fix-bug-where-imap_conn_option-s-socket-was-ignored.patch | Fix bug where imap_conn_option's 'socket' was ignored | Aleksander Machniak <alec@alec.pl> | yes | upstream | https://github.com/roundcube/roundcubemail/commit/b5ed0e49464ecee70756ad6d1b96d38279b3916e | 2024-08-02 |
| CVE-2024-42009.patch | Fix XSS vulnerability in post-processing of sanitized HTML content. Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com) | Aleksander Machniak <alec@alec.pl> | no | debian | https://github.com/roundcube/roundcubemail/commit/68af7c864a36e1941764238dac440ab0d99a8d26 | 2024-08-03 |
| CVE-2024-42008.patch | Fix XSS vulnerability in serving of attachments other than HTML or SVG. Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com | Aleksander Machniak <alec@alec.pl> | no | debian | https://github.com/roundcube/roundcubemail/commit/89c8fe9ae9318c015807fbcbf7e39555fb30885d | 2024-08-03 |
| Fix-regression-where-printing-scaling-rotating-image-atta.patch | Fix regression where printing/scaling/rotating image attachments was broken | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/32fed15346e5b842042e5dd1001d6878225c5367 | 2024-08-08 |
| CVE-2024-42010.patch | Fix information leak (access to remote content) via insufficient CSS filtering. Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com | Aleksander Machniak <alec@alec.pl> | no | debian | https://github.com/roundcube/roundcubemail/commit/602d0f566eb39b6dcb739ad78323ec434a3b92ce | 2024-08-03 |
| Fix-regression-where-HTML-messages-were-displayed-unstyle.patch | Fix regression where HTML messages were displayed unstyled | Aleksander Machniak <alec@alec.pl> | yes | upstream | https://github.com/roundcube/roundcubemail/commit/f343ecea09f8968d0655ff97fb7cea7a6d873a79 | 2024-08-16 |
| CVE-2025-49113.patch | Validate URL parameter in upload code | Pablo Zmdl <57864086+pabzm@users.noreply.github.com> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d | 2025-06-01 |
| CVE-2025-68461.patch | Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb | 2025-12-14 |
| CVE-2025-68460/01-08de250fb.patch | Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571 | 2025-12-14 |
| CVE-2025-68460/02-a7349a4e2.patch | Fix the regexp so it will produce less false-positives | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/a7349a4e21d27e0a3786139e4c879f236cafe4b1 | 2025-12-15 |
| CVE-2026-25916/01-036e851b6.patch | Fix remote image blocking bypass via SVG content reported by nullcathedral | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8 | 2026-02-08 |
| CVE-2026-25916/02-2b5625f1d.patch | Fix regression | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447#diff-458653d23200a96c6f32ce2835e5d77128018494e800b9ead6d9542b778ff88e | 2026-02-08 |
| CVE-2026-26079/01-1f4c3a5af.patch | Fix CSS injection vulnerability reported by CERT Polska | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816 | 2026-02-08 |
| CVE-2026-26079/02-2b5625f1d.patch | Fix regression | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447#diff-a3f09795bbbad6183803c522e358c5aa6a468c84ab3bcc9c5de60f0ab70fa101 | 2026-02-08 |
| CVE-2026-26079/03-53d75d5df.patch | Fix regression | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01 | 2026-02-08 |
| CVE-2026-35537.patch | Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler. Disable GuzzleHttp\Cookie\FileCookieJar instantiation. Reported by y0us. | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/a4ead994d2f0ea92e4a1603196a197e0d5df1620 | 2026-03-17 |
| CVE-2026-35541.patch | Fix bug where a password could get changed without providing the old password. The password plugin uses loose comparison, leading to a type juggling vulnerability that allows password changes without knowing the old password in specific cases. Reported by flydragon777 | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce | 2026-03-17 |
| CVE-2026-35538/01-b18a8fa8e.patch | Fix IMAP Injection + CSRF bypass in mail search. Reported by Martila Security Research Team | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c | 2026-03-17 |
| CVE-2026-35538/02-6b137adda.patch | Fix regression where mail search would fail on non-ascii search criteria | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/6b137adda9b042c3742b0f968692e95ed367d3d1 | 2026-03-19 |
| CVE-2026-35543.patch | Fix remote image blocking bypass via various SVG animate attributes. Reported by nullcathedral | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3 | 2026-03-17 |
| CVE-2026-35542/01-fde14d01a.patch | Fix remote image blocking bypass via a crafted body background attribute. Reported by nullcathedral | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/fde14d01adc9f37893cd82b635883e516ed453f8 | 2026-03-18 |
| CVE-2026-35542/02-5aba847cb.patch | Fix regression where some data url images could get ignored/lost | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/5aba847cb8d5e00a52405e5cd1becb7ec0dcbe4b | 2026-03-28 |
| CVE-2026-35544.patch | Fix fixed position mitigation bypass via use of !important. Reported by nullcathedral | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/099009b9c8e1d3c636fb9a5af72f7c2596018662 | 2026-03-18 |
| CVE-2026-35539.patch | Fix XSS issue in a HTML attachment preview. Reported by aikido_security | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a6642bfa27bea1 | 2026-03-18 |
| CVE-2026-35540.patch | Fix SSRF + Information Disclosure via stylesheet links to local network hosts. Reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/ | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870 | 2026-03-18 |
| Avoid-dependency-on-new-package-mlocati-ip-lib.patch | Avoid dependency on new package mlocati/ip-lib, which as of today is not present in Debian. The dependency was introduced in 27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870 in order to fix CVE-2026-35540. While it can be uploaded to sid, we need another solution to fix the vulnerability for older suites. | Guilhem Moulin <guilhem@debian.org> | not-needed | debian | | 2026-03-20 |
| CVE-2026-35545.patch | Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke | Aleksander Machniak <alec@alec.pl> | yes | debian upstream | https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88 | 2026-03-29 |
All known versions for source package 'roundcube'
- 1.6.15+dfsg-1 (forky, sid)
- 1.6.15+dfsg-0+deb13u1 (trixie-security, trixie-proposed-updates)
- 1.6.13+dfsg-0+deb13u1 (trixie)
- 1.6.5+dfsg-1+deb12u8 (bookworm-security, bookworm-proposed-updates)
- 1.6.5+dfsg-1+deb12u6 (bookworm)
