pkgsrc-Changes archive

CVS commit: pkgsrc/mail



Module Name:    pkgsrc
Committed By:   taca
Date:           Sun May 24 13:05:18 UTC 2026

Modified Files:
        pkgsrc/mail/roundcube: Makefile.common PLIST distinfo
        pkgsrc/mail/roundcube-plugin-password: distinfo

Log Message:
mail/roundcube: update to 1.6.16

1.6.16 (2026-05-14)

This is a security update to the LTS version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

* Fix stored XSS/HTML/CSS injection in subject field of the draft restore
  dialog, reported by zazy
* Fix CSS injection bypass in HTML sanitizer via SVG <animate
  attributeName="style">, reported by wooseokdotkim
* Fix pre-auth SQL injection in virtuser_query plugin via preg_replace
  backslash escape bypass, reported by skull
* Fix SSRF bypass via specific local address URLs
* Fix local/private URL fetch bypass when remote resources were not allowed,
  reported by Orange Cyberdefense Vulnerability Disclosure Team
* Fix bypass of remote image blocking via CSS var(), reported by Geame
* Fix pre-auth arbitrary file delete via redis/memcache session poisoning
  bypass, reported by valent1
* Fix code injection vulnerability - remove support for code evaluation in
  LDAP autovalues option, reported by Glendaenri

This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it.  Please do backup your data before
updating!

CHANGELOG

* Fix potential too long value in IMAP ID command (#10136)
* Security: Fix stored XSS/HTML/CSS injection in subject field of the draft
  restore dialog
* Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate
  attributeName="style">
* Security: Fix pre-auth SQL injection in virtuser_query plugin via
  preg_replace backslash escape bypass
* Security: Fix SSRF bypass via specific local address URLs
* Security: Fix bypass of remote image blocking via CSS var()
* Security: Fix local/private URL fetch bypass when remote resources were
  not allowed
* Security: Fix pre-auth arbitrary file delete via redis/memcache session
  poisoning bypass
* Security: Fix code injection vulnerability - remove support for code
  evaluation in LDAP autovalues option


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 pkgsrc/mail/roundcube/Makefile.common
cvs rdiff -u -r1.59 -r1.60 pkgsrc/mail/roundcube/PLIST
cvs rdiff -u -r1.99 -r1.100 pkgsrc/mail/roundcube/distinfo
cvs rdiff -u -r1.45 -r1.46 pkgsrc/mail/roundcube-plugin-password/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/roundcube/Makefile.common
diff -u pkgsrc/mail/roundcube/Makefile.common:1.43 pkgsrc/mail/roundcube/Makefile.common:1.44
--- pkgsrc/mail/roundcube/Makefile.common:1.43  Sun Mar 29 14:31:58 2026
+++ pkgsrc/mail/roundcube/Makefile.common       Sun May 24 13:05:18 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.43 2026/03/29 14:31:58 taca Exp $
+# $NetBSD: Makefile.common,v 1.44 2026/05/24 13:05:18 taca Exp $
 #
 # used by mail/roundcube/Makefile
 # used by mail/roundcube/plugins.mk
@@ -10,7 +10,7 @@ GITHUB_PROJECT=       roundcubemail
 GITHUB_RELEASE=        ${RC_VERS}
 HOMEPAGE=      https://roundcube.net/
 
-RC_VERS=       1.6.15
+RC_VERS=       1.6.16
 
 USE_LANGUAGES=         # none
 USE_TOOLS+=            pax

Index: pkgsrc/mail/roundcube/PLIST
diff -u pkgsrc/mail/roundcube/PLIST:1.59 pkgsrc/mail/roundcube/PLIST:1.60
--- pkgsrc/mail/roundcube/PLIST:1.59    Wed Mar 18 14:58:17 2026
+++ pkgsrc/mail/roundcube/PLIST Sun May 24 13:05:18 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.59 2026/03/18 14:58:17 taca Exp $
+@comment $NetBSD: PLIST,v 1.60 2026/05/24 13:05:18 taca Exp $
 share/doc/roundcube/CHANGELOG.md
 share/doc/roundcube/INSTALL
 share/doc/roundcube/LICENSE
@@ -2134,6 +2134,7 @@ share/roundcube/vendor/guzzlehttp/guzzle
 share/roundcube/vendor/guzzlehttp/promises/CHANGELOG.md
 share/roundcube/vendor/guzzlehttp/promises/LICENSE
 share/roundcube/vendor/guzzlehttp/promises/README.md
+share/roundcube/vendor/guzzlehttp/promises/UPGRADING.md
 share/roundcube/vendor/guzzlehttp/promises/composer.json
 share/roundcube/vendor/guzzlehttp/promises/src/AggregateException.php
 share/roundcube/vendor/guzzlehttp/promises/src/CancellationException.php
@@ -2154,6 +2155,7 @@ share/roundcube/vendor/guzzlehttp/promis
 share/roundcube/vendor/guzzlehttp/psr7/CHANGELOG.md
 share/roundcube/vendor/guzzlehttp/psr7/LICENSE
 share/roundcube/vendor/guzzlehttp/psr7/README.md
+share/roundcube/vendor/guzzlehttp/psr7/UPGRADING.md
 share/roundcube/vendor/guzzlehttp/psr7/composer.json
 share/roundcube/vendor/guzzlehttp/psr7/src/AppendStream.php
 share/roundcube/vendor/guzzlehttp/psr7/src/BufferStream.php
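
Review bot: the two added PLIST entries, vendor/guzzlehttp/promises/UPGRADING.md in the previous hunk and vendor/guzzlehttp/psr7/UPGRADING.md in this one, show that the bundled guzzlehttp code in the -complete tarball changed, but the log message lists only Roundcube's own changes. Suggest noting in the commit log that the vendored dependencies moved as well, so anyone auditing this security update knows third-party code changed along with it.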

Index: pkgsrc/mail/roundcube/distinfo
diff -u pkgsrc/mail/roundcube/distinfo:1.99 pkgsrc/mail/roundcube/distinfo:1.100
--- pkgsrc/mail/roundcube/distinfo:1.99 Sun Mar 29 14:31:58 2026
+++ pkgsrc/mail/roundcube/distinfo      Sun May 24 13:05:18 2026
@@ -1,8 +1,5 @@
-$NetBSD: distinfo,v 1.99 2026/03/29 14:31:58 taca Exp $
+$NetBSD: distinfo,v 1.100 2026/05/24 13:05:18 taca Exp $
 
-BLAKE2s (roundcubemail-1.6.15-complete.tar.gz) = 4cca817ff79802fd977c1df23002938feb1eae76eb597d2ed7338e2f61835c08
-SHA512 (roundcubemail-1.6.15-complete.tar.gz) = 8c99493c0008a5c498d9ad665881ce2a3d4368affb831e5af36ca65d37e643ba9aded1129ee41c576aa50d5bed2080e80ee7ec5d0f942b0f02fb48c5082f54fe
-Size (roundcubemail-1.6.15-complete.tar.gz) = 5872562 bytes
-SHA1 (patch-config_config.inc.php.sample) = 92a48a97b16fe3f5f4b9441fce762a559d8daca7
-SHA1 (patch-program_include_iniset.php) = 8a6c13c0c87d583ed60e43c01a4173d9d802a6a1
-SHA1 (patch-program_lib_Roundcube_rcube__mime.php) = bfefc6850d3db230dd4224491e895fe25a32e87a
+BLAKE2s (roundcubemail-1.6.16-complete.tar.gz) = 9f6d8f810b23ba938456e8b390f2951f5f10c67a096f4851486e609deabfab18
+SHA512 (roundcubemail-1.6.16-complete.tar.gz) = 08481d09413ed71fbd31580141821a68f66d4e73bba23e630a7bb3bc0dc878af2b5172051e3f9be7beff09f5625d5443f235913ff4d87ae729f5efeb49923be3
+Size (roundcubemail-1.6.16-complete.tar.gz) = 5879804 bytes
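
Review bot: the three SHA1 lines for patch-config_config.inc.php.sample, patch-program_include_iniset.php and patch-program_lib_Roundcube_rcube__mime.php are removed from distinfo here, yet the Modified Files list names only Makefile.common, PLIST and distinfo and no removal under patches/. If those patch files still exist they now have no recorded checksum in distinfo; if they were dropped on purpose, the log message should say so and the files should be removed in the same commit. The roundcube-plugin-password distinfo keeps its patch entry, so please confirm this removal is intended.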

Index: pkgsrc/mail/roundcube-plugin-password/distinfo
diff -u pkgsrc/mail/roundcube-plugin-password/distinfo:1.45 pkgsrc/mail/roundcube-plugin-password/distinfo:1.46
--- pkgsrc/mail/roundcube-plugin-password/distinfo:1.45 Sun Mar 29 14:31:59 2026
+++ pkgsrc/mail/roundcube-plugin-password/distinfo      Sun May 24 13:05:18 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.45 2026/03/29 14:31:59 taca Exp $
+$NetBSD: distinfo,v 1.46 2026/05/24 13:05:18 taca Exp $
 
-BLAKE2s (roundcubemail-1.6.15-complete.tar.gz) = 4cca817ff79802fd977c1df23002938feb1eae76eb597d2ed7338e2f61835c08
-SHA512 (roundcubemail-1.6.15-complete.tar.gz) = 8c99493c0008a5c498d9ad665881ce2a3d4368affb831e5af36ca65d37e643ba9aded1129ee41c576aa50d5bed2080e80ee7ec5d0f942b0f02fb48c5082f54fe
-Size (roundcubemail-1.6.15-complete.tar.gz) = 5872562 bytes
+BLAKE2s (roundcubemail-1.6.16-complete.tar.gz) = 9f6d8f810b23ba938456e8b390f2951f5f10c67a096f4851486e609deabfab18
+SHA512 (roundcubemail-1.6.16-complete.tar.gz) = 08481d09413ed71fbd31580141821a68f66d4e73bba23e630a7bb3bc0dc878af2b5172051e3f9be7beff09f5625d5443f235913ff4d87ae729f5efeb49923be3
+Size (roundcubemail-1.6.16-complete.tar.gz) = 5879804 bytes
 SHA1 (patch-plugins_password_helpers_passwd-expect) = 15e427a3c90bf7c0437a023b3f099abb5a139165
