On 6/04/2026 8:48 pm, Guilhem Moulin wrote:
Control: tag -1 moreinfo
On Mon, 06 Apr 2026 at 20:23:29 +1200, Mark Foster wrote:
Upgrade: libpng16-16:amd64 (1.6.37-3+deb11u2, 1.6.37-3+deb11u3),
roundcube-core:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8),
roundcube:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8),
roundcube-mysql:amd64 (1.4.15+dfsg.1-1+deb11u7, 1.4.15+dfsg.1-1+deb11u8)
On completion of the update attempts to access /roundcube/ logged the following
in my errors file:
PHP Parse error: syntax error, unexpected '[' in
/usr/share/roundcube/program/lib/Roundcube/rcube_utils.php on line 433,
Is your roundcube instance running on PHP<7.1? The syntax error at the
array destructuring on line 433 suggest so, at least. reportbug(1)
output says otherwise but that code snippet has good test coverage from
a stock Bullseye system and a syntax error would have been caught.
I suppose I should've looked into this sooner. The machine has php7.4 on
it but still had php5 on it from a long time ago when I used to host
some web services for some non-profits and friends and such.
I'm not presently aware of any system dependencies on php5 so i've done
this:
> a2dismod php5
> a2enmod php7.4
> systemctl restart apache2
I've removed the comments from rcube_utils.php and so far roundcube is
working without errors.
So I guess - so long as I don't trip over a php5 requirement that i've
missed - that i've now prompted apache2 to actually use the newer
version of php which has been available all this time... ???
I'm not sure why roundcube wants knowledge of RFC1918 and 4291 and how
this changes the user experience, to be honest, but i'm happy to live
without it.
You made yourself vulnerable to CVE-2026-35540. See
https://salsa.debian.org/roundcube-team/roundcube/-/commit/021968cea0fd16a16d8e1a565d183ac51237576a
for an alternative that doesn't use array destructuring and restore
compatibility with PHP<7.1.
I don't see any reason not to use the newer php package already present
on the machine - but thanks for the prompt response and an explanation
which gave me just enough clues.
Regards
Mark.
