chore(deps): update dependency roundcube/roundcubemail to v1.6.14 #4863

Merged
renovate-bot merged 1 commits from renovate/unified-roundcuberoundcubemail into main 2026-03-19 04:03:03 +00:00

This PR contains the following updates:

Package | Update | Change
roundcube/roundcubemail | patch | 1.6.13 → 1.6.14

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

roundcube/roundcubemail (roundcube/roundcubemail)

v1.6.14: Roundcube Webmail 1.6.14

Compare Source

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  • Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
  • Fix bug where a password could get changed without providing the old password, reported by flydragon777.
  • Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
  • Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
  • Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
  • Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
  • Fix XSS issue in a HTML attachment preview, reported by aikido_security.
  • Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix Postgres connection using IPv6 address (#10104)
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in a HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate-bot added the automerge, image labels 2026-03-19 04:02:57 +00:00
renovate-bot added 1 commit 2026-03-19 04:02:58 +00:00
chore(deps): update dependency roundcube/roundcubemail to v1.6.14
Some checks are pending
renovate/stability-days Updates have not met minimum release age requirement
lint-test-helm / lint-helm (pull_request) Successful in 19s
lint-test-helm / validate-kubeconform (pull_request) Has been skipped
render-manifests / render-manifests (pull_request) Successful in 42s
786dcee70c
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-03-19 04:03:00 +00:00
renovate-bot merged commit 78bfaaf004 into main 2026-03-19 04:03:03 +00:00
renovate-bot deleted branch renovate/unified-roundcuberoundcubemail 2026-03-19 04:03:07 +00:00