Fedora has issued an advisory on April 21:
The issue is fixed upstream in 1.3.6.
Mageia 5 and Mageia 6 are also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Updated package uploaded for cauldron and Mageia 6.
Updated roundcubemail package fixes security vulnerability:
This update fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846).
Updated packages in core/updates_testing:
Adds some new dependencies. Is that expected?
# urpmi roundcubemail
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release2")
perl-Authen-SASL 2.160.0 7.mga6 noarch
perl-Convert-ASN1 0.270.0 5.mga6 noarch
perl-Digest-HMAC 1.30.0 8.mga6 noarch
perl-Digest-SHA1 2.130.0 19.mga6 x86_64
perl-ldap 0.650.0 3.mga6 noarch
(medium "Core Updates Testing")
roundcubemail 1.3.6 1.mga6 noarch
Also bad signature...
The following package has bad signature:
/var/cache/urpmi/rpms/roundcubemail-1.3.6-1.mga6.noarch.rpm: Missing signature (OK ((none)))
perl dependencies are automatically generated, so they are what they are, but we can't have bad signatures, so the package will need to be rebuilt.