Hi all,
I’ve been using roundcube(mail) on my VPS for a long time now; it currently runs Leap 15.6.
I moved this VPS to a new hosting company with a nice “living” customer forum. There I read, in a thread about this hoster’s packaged webhosting software offers, about a recent and serious roundcube vulnerability. Details: Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]. From my perspective, “good luck”: that vulnerability has an authorized user session as a prerequisite, which means it is not that critical for me, as my roundcube is purely privately used, just a few family users, no PW breaches to be expected.
But digging into this CVE, I have several follow-up questions regarding our patch and release cycles etc.
This is my roundcube zypper history:
# grep roundcube history
2024-10-11 20:47:18|install|roundcubemail|1.6.9-lp156.2.1|noarch||server:php:applications.repo|0725fea4bc12516387b752b8a95c7e0fc5880e00f8f478ed159af501a0eb2275|
# 2025-06-06 00:43:53 roundcubemail-1.6.11-lp156.1.1.noarch.rpm installed ok
2025-06-06 00:43:53|install|roundcubemail|1.6.11-lp156.1.1|noarch||server:php:applications.repo|7531f2cad332aa57e8e70e5080060624bc45bb1e7956a48a73eaa58f934e479d|
As far as I understood, both entries, from 2024-10-11 and from today, are about the roundcube versions in the server:php:applications.repo repo. For whatever reason, I’ve seen that this server:php:applications.repo was NOT enabled yesterday. So I probably disabled it between 2024-10-11 and (?), no idea why.
However, I have some general questions regarding our way of backporting etc.:
If I look into YaST on my VPS:
it shows me that the newest roundcube without server:php:applications.repo would be 1.6.10-bp156.2.6.1
Q1: How do I find out how old this 1.6.10-bp156.2.6.1 is and, if it was made available recently, whether a CVE, e.g. CVE-2025-49113, was fixed with this version?
Aunt ChatGPT gave a hint about
zypper lp --cve=CVE-2025-49113
but this says “no matches” even with 1.6.11 now installed. It also gave a hint about
rpm -q --changelog roundcubemail
which shows
* So Jun 01 2025 Aeneas Jaißle <aj@ajaissle.de>
- update to 1.6.11
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
- CHANGELOG
* Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
* Improve installer to fix confusion about disabling SMTP authentication (#9801)
* Fix PHP warning in index.php (#9813)
* OAuth: Fix/improve token refresh
* Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
* Fix HTML message preview if it contains floating tables (#9804)
* Fix removing/expiring redis/memcache records when using a key prefix
* Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
* Fix a default value and documentation of password_ldap_encodage option (#9658)
* Remove mobile/floating Create button from the list in Settings > Folders (#9661)
* Fix Delete and Empty buttons state while creating a folder (#9047)
* Fix connecting to LDAP using ldapi:// URI (#8990)
* Fix cursor position on "below the quote" reply in HTML mode (#8700)
* Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)
for 1.6.11, stating “fixes to recently reported security vulnerabilities” but not mentioning CVE-2025-49113 concretely.
Last question: my zypper history shows that I’ve probably missed the upgrade from 1.6.9 to 1.6.10, probably because of the somewhat mysterious disabled repo… Aside from the automatically set “zypper (whatever option)” system updates, I’m manually running
zypper ref && zypper up && zypper ps -s
at least two or three times a week, but is there a zypper option available that gives me, for scenarios like this, hints like “you’re using 1.6.9 from repoA but a newer version (1.6.10) would be available via (also used, of course) repoB”?
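An added example, not part of the post above: the changelog quoted in the post names 1.6.11 as the first package version carrying the fix for the deserialization RCE, so the practical check on a Leap box is "is the installed upstream version older than 1.6.11?". The script below does exactly that, offline, against history lines in the format of /var/log/zypp/history (the sample lines are constructed from the two entries quoted in the post; the hash fields are shortened). It assumes POSIX sh plus GNU coreutils' `sort -V`, both present on Leap 15.6; the function names and the `FIXED_VERSION` threshold are the example's own. Note that `zypper lp --cve=…` can only match when a repository ships patch (updateinfo) metadata, which the official Leap update repositories do and an OBS devel repository such as server:php:applications generally does not, so an empty result there says nothing about whether the installed version is fixed.

```shell
#!/bin/sh
# Added example (not from the original post): offline check of whether an
# installed RPM version is older than the version that carries a fix.
# Assumes POSIX sh and GNU 'sort -V' (coreutils), both present on Leap.

# Constructed sample in the format of /var/log/zypp/history, modelled on the
# two entries quoted in the post (hash fields shortened).
HISTORY_SAMPLE='2024-10-11 20:47:18|install|roundcubemail|1.6.9-lp156.2.1|noarch||server:php:applications.repo|0725fea4|
# 2025-06-06 00:43:53 roundcubemail-1.6.11-lp156.1.1.noarch.rpm installed ok
2025-06-06 00:43:53|install|roundcubemail|1.6.11-lp156.1.1|noarch||server:php:applications.repo|7531f2ca|'

# Fix threshold taken from the rpm changelog quoted in the post:
# roundcubemail 1.6.11 is the first package version with the deserialization fix.
FIXED_VERSION=1.6.11

# upstream_version "1.6.9-lp156.2.1" -> "1.6.9" (strip the RPM release suffix)
upstream_version() {
    printf '%s\n' "$1" | sed 's/-[^-]*$//'
}

# latest_installed_version <package> <history text>
# -> upstream version of the last install/update entry for that package
latest_installed_version() {
    pkg=$1
    hist=$2
    ver=$(printf '%s\n' "$hist" | awk -F'|' -v p="$pkg" \
        '$2 ~ /^(install|update)$/ && $3 == p { v = $4 } END { print v }')
    [ -n "$ver" ] || return 1
    upstream_version "$ver"
}

# vuln_status <installed upstream version> <fixed upstream version>
# -> "vulnerable" if installed sorts before fixed, else "fixed"
vuln_status() {
    installed=$1
    fixed=$2
    # sort -V compares version strings component-wise (1.6.9 < 1.6.10 < 1.6.11),
    # unlike plain lexical sort, which would put 1.6.10 before 1.6.9.
    first=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    if [ "$installed" = "$fixed" ] || [ "$first" = "$fixed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Stand-alone run: report the status of every version seen in the sample history.
printf '%s\n' "$HISTORY_SAMPLE" \
    | awk -F'|' '$2 ~ /^(install|update)$/ { print $4 }' \
    | while read -r v; do
        u=$(upstream_version "$v")
        printf '%s (%s): %s\n' "$v" "$u" "$(vuln_status "$u" "$FIXED_VERSION")"
    done
```

To run it against the real history instead of the embedded sample, pass `"$(cat /var/log/zypp/history)"` as the second argument of `latest_installed_version`. To see every version of the package offered by all enabled repositories side by side, which is what the last question asks for, `zypper se -s roundcubemail` (search with details) lists each candidate with its version and repository, so a newer build sitting in a second repository shows up immediately even when `zypper up` did not pick it.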