Control: tag -1 moreinfo On Mon, 06 Apr 2026 at 20:23:29 +1200, Mark Foster wrote: > Upgrade: libpng16-16:amd64 (1.6.37-3+deb11u2, 1.6.37-3+deb11u3), > roundcube-core:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8), > roundcube:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8), > roundcube-mysql:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8) > > On completion of the update attempts to access /roundcube/ logged the > following in my errors file: > > PHP Parse error: syntax error, unexpected '[' in > /usr/share/roundcube/program/lib/Roundcube/rcube_utils.php on line 433,
Is your roundcube instance running on PHP<7.1? The syntax error at the array destructuring on line 433 suggest so, at least. reportbug(1) output says otherwise but that code snippet has good test coverage from a stock Bullseye system and a syntax error would have been caught. > I'm not sure why roundcube wants knowledge of RFC1918 and 4291 and how > this changes the user experience, to be honest, but i'm happy to live > without it. You made yourself vulnerable to CVE-2026-35540. See https://salsa.debian.org/roundcube-team/roundcube/-/commit/021968cea0fd16a16d8e1a565d183ac51237576a for an alternative that doesn't use array destructuring and restore compatibility with PHP<7.1. -- Guilhem.
signature.asc
Description: PGP signature
