Aggregator

FEDORA-2026-6d293b6889 Packages in this update:

• roundcubemail-1.7~rc6-1.fc44

Update description:

Version 1.7-rc6

This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail. It provides a fix to recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

CHANGELOG

• Added support for arrays in smtp_user and smtp_pass config options (#10083)
• Added system health checker CLI script (#10106)
• Stricter recognition of an Ajax request (#10118)
• Password: Added Stalwart driver (#10114)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

FEDORA-EPEL-2026-646aebe990 Packages in this update:

• roundcubemail-1.6.15-1.el10_2

Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

FEDORA-2026-051825ca18 Packages in this update:

• roundcubemail-1.6.15-1.fc42

Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

FEDORA-EPEL-2026-82b702d826 Packages in this update:

• roundcubemail-1.6.15-1.el10_1

Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

FEDORA-EPEL-2026-f7a0d90857 Packages in this update:

• roundcubemail-1.6.15-1.el10_3

Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

FEDORA-2026-8ba1a085a9 Packages in this update:

• roundcubemail-1.6.15-1.fc43

Update description:

Version 1.6.15

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

FEDORA-EPEL-2026-bf73d904ba Packages in this update:

• roundcubemail-1.5.15-1.el9

Update description:

Version 1.5.15

This is a security update to the stable version 1.5 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

• Fix so distribution packages (and composer.json) don't include development dependencies
• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

It was discovered that Pillow did not correctly handle reading J2K files, which could lead to an out-of-bounds read vulnerability. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2021-25287, CVE-2021-25288) It was discovered that Pillow did not correctly handle certain integer arithmetic, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-25290) It was discovered that Pillow did not correctly perform bounds checking for certain operations. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-28675, CVE-2021-28676, CVE-2021-28677) It was discovered that Pillow did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-44271) It was discovered that Pillow did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2023-50447)

FEDORA-2026-7b2964fc42 Packages in this update:

• pspp-2.1.1-5.fc43

Update description:

Fix several low-priority CVEs

Build with new Gnulib

FEDORA-2026-e153173659 Packages in this update:

• pspp-2.1.1-5.fc44

Update description:

Fix several low-priority CVEs

Build with new Gnulib

It was discovered that Roundcube Webmail did not properly sanitize certain HTML elements within the e-mail body. An attacker could possibly use this issue to cause a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069) It was discovered that Roundcube Webmail did not properly handle certain configuration parameters. An attacker could possibly use this issue to execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-9920) It was discovered that Roundcube Webmail did not properly sanitize CSS styles within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2017-6820) It was discovered that Roundcube Webmail did not properly restrict exec call in certain drivers of the password plugin. An authenticated user could possibly use this issue to perform arbitrary password resets. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2017-8114) It was discovered that Roundcube Webmail did not properly set file permissions within the Enigma plugin. An attacker could possibly use this issue to exfiltrate GPG private keys via network connectivity. (CVE-2018-1000071) It was discovered that Roundcube Webmail did not properly handle GnuPG MDC integrity-protection warnings. An attacker could possibly use this issue to obtain sensitive information from encrypted communications. (CVE-2018-19205) It was discovered that Roundcube Webmail did not properly sanitize and tags within HTML attachments. An attacker could possibly use this issue to cause a cross-site scripting attack. (CVE-2018-19206) It was discovered that Roundcube Webmail did not properly handle partially encrypted multipart messages. An attacker could possibly use this issue to cause leaking of the plaintext of encrypted messages via an email reply. (CVE-2019-10740) It was discovered that Roundcube Webmail did not properly sanitize a certain parameter within the archive plugin. An attacker could possibly use this issue to perform an IMAP injection attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2018-9846)

Version:next-20260330 (linux-next) Released:2026-03-30

It was discovered that pyasn1 could exhaust system resources when attempting to decode a malformed certificate. An attacker could possibly use this to cause a denial of service. (CVE-2026-23490) Kevin Tu discovered that pyasn1 could exhaust system resources via uncontrolled recursion when attempting to decode malicously-crafted certificates. An attacker could possibly use this to cause a denial of service. (CVE-2026-30922)

FEDORA-2026-5e16254ca6 Packages in this update:

• gst-devtools-1.26.11-1.fc42
• gst-editing-services-1.26.11-1.fc42
• gstreamer1-1.26.11-1.fc42
• gstreamer1-doc-1.26.11-1.fc42
• gstreamer1-plugin-libav-1.26.11-1.fc42
• gstreamer1-plugins-bad-free-1.26.11-1.fc42
• gstreamer1-plugins-base-1.26.11-1.fc42
• gstreamer1-plugins-good-1.26.11-1.fc42
• gstreamer1-plugins-ugly-free-1.26.11-1.fc42
• gstreamer1-rtsp-server-1.26.11-1.fc42
• gstreamer1-vaapi-1.26.11-1.fc42
• python-gstreamer1-1.26.11-1.fc42

Update description:

1.26.11

FEDORA-2026-6ff3ef2d32 Packages in this update:

• goose-1.23.2-8.fc44

Update description:

Update goose to fix fedora#2449678

FEDORA-2026-a45f438402 Packages in this update:

• goose-1.23.2-7.fc43

Update description:

Update goose to fix fedora#2449678

FEDORA-2026-f0293b845e Packages in this update:

• rauc-1.15.2-1.fc43

Update description:

version bumped from 1.15.1 to 1.15.2

FEDORA-2026-17dbeca425 Packages in this update:

• rauc-1.15.2-1.fc44

Update description:

version bumped from 1.15.1 to 1.15.2