On Wed, 18 Mar 2026 at 17:19:35 +0100, Guilhem Moulin wrote:
> 8. SSRF + Information Disclosure via stylesheet links to local
> network hosts, reported by Georgios Tsimpidas.
>
> https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
>
> Upstream's solution for the last issue adds a new runtime dependency
> mlocati/ip-lib ≥1.22
> which unfortunately is not in Debian yet. I can upload it to sid as
> part of the PEAR team, but older suites will need another solution.
On second thought there is some value in having the workaround in sid too,
at least for now (in case there would be regressions). Here is the
PHP-native alternative I came up with:

https://salsa.debian.org/roundcube-team/roundcube/-/blob/debian/latest/debian/patches/Avoid-dependency-on-new-package-mlocati-ip-lib.patch

-- 
Guilhem.
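The message above is about replacing the mlocati/ip-lib range check with plain PHP. The block below is an added example written for this page; it is neither Roundcube's upstream fix nor the Debian patch linked above, and it makes its own assumptions: the policy is "refuse any stylesheet URL whose host is an IP literal in, or resolves to, a loopback, private, link-local or unspecified address", only http/https are fetched, and the `check_fetch_url`, `is_public_ip`, `resolve_host` and `demo` names are hypothetical. It relies only on `filter_var()` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE`, which is the PHP-native mechanism for this kind of check.

```php
<?php
// Added example, not Roundcube's or Debian's code: a plain-PHP guard
// against SSRF through stylesheet/image URLs that target local hosts.
// Assumptions: http/https only; every resolved address must be public;
// the resolver is injectable so the demo below can run offline.

declare(strict_types=1);

/**
 * True if $ip is an IPv4/IPv6 address outside the private and reserved
 * ranges that filter_var() knows about:
 *   NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
 *   NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
 * Anything that is not a syntactically valid address is also rejected.
 */
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** Default resolver: every A and AAAA answer for the name (hypothetical helper). */
function resolve_host(string $host): array
{
    $addrs = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
        $addrs[] = $rr['ip'] ?? $rr['ipv6'];
    }
    return $addrs;
}

/**
 * Decide whether a remote stylesheet URL may be fetched.
 * Returns null when the fetch is allowed, otherwise a short reason.
 * A hostname with a mixed public/private answer set is refused, since an
 * attacker controls which answer the HTTP client will use.
 */
function check_fetch_url(string $url, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'unparseable URL or missing host';
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    $host = $parts['host'];
    // parse_url() keeps the brackets around IPv6 literals.
    if ($host[0] === '[' && substr($host, -1) === ']') {
        $host = substr($host, 1, -1);
    }
    // IP literal: judge it directly, no DNS involved.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host) ? null : "address $host is not public";
    }
    $resolver = $resolver ?? 'resolve_host';
    $addrs = $resolver(strtolower($host));
    if ($addrs === []) {
        return "cannot resolve $host";
    }
    foreach ($addrs as $ip) {
        if (!is_public_ip($ip)) {
            return "$host resolves to non-public address $ip";
        }
    }
    return null;
}

/** Constructed sample inputs and a fake resolver so the example runs offline. */
function demo(): array
{
    $fake = fn(string $h): array => [
        'cdn.example'      => ['203.0.113.10'],
        'intranet.example' => ['203.0.113.11', '10.0.0.5'],  // mixed answer set
    ][$h] ?? [];
    $urls = [
        'https://cdn.example/theme.css',
        'http://127.0.0.1:8080/admin',
        'http://[::1]/x.css',
        'http://169.254.169.254/latest/meta-data/',
        'https://intranet.example/a.css',
        'file:///etc/passwd',
    ];
    $out = [];
    foreach ($urls as $u) {
        $out[$u] = check_fetch_url($u, $fake);
    }
    return $out;
}

foreach (demo() as $u => $why) {
    printf("%-45s %s\n", $u, $why ?? 'allowed');
}
```

Two caveats a reviewer would raise against any check of this shape. First, it resolves the name once and the HTTP client resolves it again, so it is only sound if the fetch is pinned to the address that was checked (for example via curl's `CURLOPT_RESOLVE`) and the check is re-run on every redirect. Second, `filter_var()` only knows the ranges listed in the comment; blocks such as 100.64.0.0/10 or 224.0.0.0/4 pass as "public", and shortened or integer host forms that some clients accept as addresses (`http://2130706433/`) are not IP literals to `filter_var()` and fall through to DNS. On PHP 8.2 and later the additional `FILTER_FLAG_GLOBAL_RANGE` flag covers more of the IANA special-purpose registry.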

