Bug 34863 - roundcubemail: security
Summary: roundcubemail: security
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-12-16 21:53 CET by Marc Krämer
Modified: 2025-12-23 00:58 CET
CC: 5 users

See Also:
Source RPM: roundcubemail
CVE: CVE-2025-68460, CVE-2025-68461
Status comment:


Attachments

Description Marc Krämer 2025-12-16 21:53:01 CET
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike.
- Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.

https://github.com/roundcube/roundcubemail/releases/tag/1.6.12
Comment 1 Marc Krämer 2025-12-16 22:12:55 CET
New release fixes security vulnerabilities:

- Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike.
- Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.


References:
https://github.com/roundcube/roundcubemail/releases/tag/1.6.12


BUILD in core/updates_testing:
roundcubemail-1.6.12-1.mga9.noarch

SRPM:
roundcubemail-1.6.12-1.mga9.src.rpm

Assignee: mageia => qa-bugs

PC LX 2025-12-17 00:27:51 CET

CC: (none) => mageia

Comment 2 PC LX 2025-12-17 00:41:54 CET
Installed and tested without issues.

Tested a bunch of functions but it was a quick test.
Will continue to use and report back if there are any issues.

Tested with:
- Apache, PHP-FPM, MariaDB and Dovecot;
- PHP 8.4.15 from the backport repositories;
- Large email accounts, with GiB of emails;
- 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator
All OK.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.



$ uname -a
Linux marte 6.6.116-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Mon Nov  3 17:28:44 UTC 2025 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.6.12-1.mga9
$ php --version
PHP 8.4.15 (cli) (built: Nov 20 2025 09:34:22) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.4.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.15, Copyright (c), by Zend Technologies
    with Xdebug v3.4.1, Copyright (c) 2002-2025, by Derick Rethans
Comment 3 katnatek 2025-12-17 18:47:00 CET
FYI this advisory does not have a CVE list as none is provided in the upstream information

Keywords: (none) => advisory

Comment 4 Herman Viaene 2025-12-18 16:56:09 CET
Followed QA procedure and got as far as installation step 3, testing of connection to my hotmail account fails both for smtp and imap connection.
No time left today to investigate further, but at least the installer procedure worked that far.

CC: (none) => herman.viaene

Comment 5 PC LX 2025-12-22 14:58:16 CET
Using this update for over 5 days without issues. Giving this the OK.
Please undo if appropriate.

Whiteboard: (none) => MGA9-64-OK

Comment 6 katnatek 2025-12-22 21:07:26 CET
(In reply to PC LX from comment #5)
> Using this update for over 5 days without issues. Giving this the OK.
> Please undo if appropriate.

I really think you know this beast better than us

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2025-12-22 21:52:12 CET
Agreed. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Dan Fandrich 2025-12-23 00:19:50 CET
I added the missing CVE-2025-68460 & CVE-2025-68461 to the advisory, which look like the ones fixed here.

CVE: (none) => CVE-2025-68460, CVE-2025-68461
CC: (none) => dan

Comment 9 Mageia Robot 2025-12-23 00:58:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0332.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

