roundcube (1.6.15+dfsg-1)
COMMITS: VCS has seen 2 commits since the debian/1.6.15+dfsg-1 tag
- Git: https://salsa.debian.org/roundcube-team/roundcube.git -b debian/latest
- Branch: debian/latest
- Path: debian/changelog
- Repo size: 22663168
- Browser: https://salsa.debian.org/roundcube-team/roundcube
- Last scan: 2026-05-12 09:38:02+00
- Next scan: 2026-05-21 01:27:00+00
- CI pipeline status: success
- Debian changelog in Git:
roundcube (1.6.15+dfsg-1) unstable; urgency=high

  * New upstream security and bugfix release (closes: #1132268).
    + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image
      loading via fill/filter/stroke).
    + Fix regression where mail search would fail on non-ascii search
      criteria.
    + Fix regression where some data url images could get ignored/lost.
  * Refresh d/patches and remove those applied upstream.
  * d/control: Add Build-Depends: node-source-map.
  * Improve custom patch to avoid dependency on mlocati/ip-lib:
    + Trim leading zeros from the decimal representation of IPv4 octets to
      match GuzzleHTTP's mangling of invalid IP addresses.
    + Treat IPv4-mapped and IPv4-compatible addresses as belonging to the
      local range when the v4 address is also local.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 30 Mar 2026 09:54:58 +0200

- This branch is 2 commits ahead of tag debian/1.6.15+dfsg-1
- Git log:
commit 4111e4a47ed3254a1f2a9f470cc80ca21638337e
Author: Guilhem Moulin <guilhem@debian.org>
Date: Fri Apr 3 09:24:52 2026 +0200

    d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Improve DEP-3 headers.

    Gbp-Dch: Ignore

commit 23c2b7a5c771fb0e7d57538cb3b1178cf1c0c1da
Author: Guilhem Moulin <guilhem@debian.org>
Date: Fri Apr 3 08:41:49 2026 +0200

    d/changelog: Retroactively mention CVE-2026-35537 to -35544 and -35545 for 1.6.14+dfsg-1 and -35545 for 1.6.15+dfsg-1.

    Gbp-Dch: Ignore