https://github.com/roundcube/roundcubemail/releases/tag/1.6.14

- Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
- Fix bug where a password could get changed without providing the old password, reported by flydragon777.
- Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
- Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
- Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
- Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
- Fix XSS issue in an HTML attachment preview, reported by aikido_security.
- Fix SSRF + Information Disclosure via stylesheet links to local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.
New roundcubemail fixes some security issues:

- Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
- Fix bug where a password could get changed without providing the old password, reported by flydragon777.
- Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
- Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
- Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
- Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
- Fix XSS issue in an HTML attachment preview, reported by aikido_security.
- Fix SSRF + Information Disclosure via stylesheet links to local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.

https://github.com/roundcube/roundcubemail/releases/tag/1.6.14

----------------------------

RPM in core/updates_testing:
roundcubemail-1.6.14-1.mga9.noarch.rpm

SRPM:
roundcubemail-1.6.14-1.mga9.src.rpm
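One of the fixed items above is a "remote image blocking bypass via various SVG animate attributes". The upstream report gives no details, so the following is an added, constructed illustration of the general class (not Roundcube's code and not the specific bypass): a filter that only inspects static href/xlink:href attributes misses image references that SMIL animation elements (`<animate>`, `<set>`) assign at render time through their to/from/by/values attributes. The sample SVG and the host name tracker.invalid are made up for the example.

```python
"""Remote-reference detection in SVG: naive vs. animation-aware.

Constructed example. A "block remote images" filter that only looks at the
href attribute of <image> elements can be bypassed by an animation element
that sets href to an external URL once the document is rendered.
"""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Static attribute keys as ElementTree reports them (Clark notation).
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# Values an attributeName="..." may carry to target the same attribute.
HREF_NAMES = {"href", "xlink:href"}
# SMIL elements that can assign a new value to an attribute at runtime.
ANIM_ELEMENTS = {"{%s}animate" % SVG_NS, "{%s}set" % SVG_NS}
# Where the new value(s) live on such an element; "values" is ';'-separated.
ANIM_VALUE_ATTRS = ("to", "from", "by", "values")


def is_remote(ref: str) -> bool:
    """True if a URL reference would leave the document (scheme or host present).

    Fragments (#id) and data: URIs are inline and therefore not remote.
    """
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False
    parsed = urlparse(ref)
    if parsed.scheme == "data":
        return False
    # Scheme-relative URLs (//host/path) have a netloc but no scheme.
    return bool(parsed.scheme or parsed.netloc)


def naive_remote_refs(svg: str) -> List[str]:
    """Filter that inspects only static href/xlink:href attributes."""
    root = ET.fromstring(svg)
    found = []
    for el in root.iter():
        for attr in HREF_ATTRS:
            value = el.get(attr)
            if value and is_remote(value):
                found.append(value.strip())
    return found


def hardened_remote_refs(svg: str) -> List[str]:
    """Static check plus animation elements that retarget href at runtime."""
    root = ET.fromstring(svg)
    found = []
    for el in root.iter():
        # Same static check as the naive filter.
        for attr in HREF_ATTRS:
            value = el.get(attr)
            if value and is_remote(value):
                found.append(value.strip())
        # An <animate>/<set> whose attributeName is href will assign whatever
        # sits in to/from/by/values, so those must be screened as references.
        if el.tag in ANIM_ELEMENTS and el.get("attributeName") in HREF_NAMES:
            for attr in ANIM_VALUE_ATTRS:
                value = el.get(attr)
                if not value:
                    continue
                for candidate in value.split(";"):
                    if is_remote(candidate):
                        found.append(candidate.strip())
    return found


# Constructed sample: both <image> hrefs are local, but each carries an
# animation child that swaps the href to an external host.
SAMPLE_SVG = """<svg xmlns="%s" xmlns:xlink="%s" width="10" height="10">
  <image href="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="10" height="10">
    <set attributeName="href" to="https://tracker.invalid/pixel.png"/>
  </image>
  <image xlink:href="inline.png" width="10" height="10">
    <animate attributeName="xlink:href" values="#a;//tracker.invalid/b.png" dur="1s"/>
  </image>
</svg>""" % (SVG_NS, XLINK_NS)


if __name__ == "__main__":
    print("naive   :", naive_remote_refs(SAMPLE_SVG))
    print("hardened:", hardened_remote_refs(SAMPLE_SVG))
```

The naive pass reports nothing for the sample, while the animation-aware pass flags both external hosts. A real sanitizer would go further (for example also covering CSS url() values and the body background attribute named in the same release), but the point shown here is that any attribute an animation element can write to must be screened with the same rules as the static attribute.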
Assignee: mageia => qa-bugs
*** Bug 35235 has been marked as a duplicate of this bug. ***
*** Bug 35236 has been marked as a duplicate of this bug. ***
CC: (none) => mageia
MGA9-64 server Plasma Wayland on Compaq H000SB

No initial installation problems.

Followed wiki and bug 34341. I get stuck on step 2 of the installer: the test mail sending fails with Connection failed: (Code: -1). I tried my 3 email addresses with their associated settings, but none works. I don't get it. But the setup process worked OK up to that point. The IMAP connection test is OK.

On https://support.cpanel.net/hc/en-us/articles/360053206713-Roundcube-Webmail-login-page-says-Connection-to-storage-server-failed I find:

Verify that the Dovecot authentication process is running.
Verify the Dovecot configuration files exist and have proper syntax. If necessary, you might need to restore a default configuration or template file, then rebuild dovecot.conf and restart the service.
Notes
The Dovecot authentication process is commonly shown as "dovecot/auth" in the output of the following command:
ps -aux | grep dovecot/auth

and this one returns nothing.

Starting the dovecot on its defaults does not help either. Fiddling in its conf neither.

Giving up for someone else with more knowledge in this area.
CC: (none) => herman.viaene
It's weird to have a security bug without CVE number(s).
Keywords: (none) => advisory
Installed and tested without issues. Tested for two days of normal usage. No issues found.

Tested with:
- Apache, PHP-FPM, MariaDB and Dovecot;
- PHP 8.4.19 from the backport repositories;
- Large email accounts, with GiB of emails;
- 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator

All OK.

System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.

$ uname -a
Linux marte 6.6.120-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Jan 14 03:15:42 UTC 2026 x86_64 GNU/Linux

$ rpm -qa | grep roundcubemail
roundcubemail-1.6.14-1.mga9

$ php --version
PHP 8.4.19 (cli) (built: Mar 11 2026 20:30:21) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.4.19, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.19, Copyright (c), by Zend Technologies
    with Xdebug v3.4.1, Copyright (c) 2002-2025, by Derick Rethans
Thanks
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Flags: (none) => test_passed_mga9_64+
I won't hold back this update for lack of CVE entries in the report, but they should be added for posterity. I see the following CVEs that appear to affect our currently-shipping version 1.6.12: https://cve.org/CVERecord?id=CVE-2026-26079 https://cve.org/CVERecord?id=CVE-2026-25916
CC: (none) => dan
Actually, I'll just add those two CVEs now before pushing since they appear to affect our version. If someone finds more or finds these aren't relevant, they can be removed from the advisory.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0065.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED