Dear Maintainer,
* What led up to the situation?
Installing security update DSA 6301-1 on Debian 12
* What exactly did you do (or not do) that was effective (or
ineffective)?
apt-get update; apt-get upgrade. Error during upgrade:
PHP Parse error: syntax error, unexpected '|', expecting ';' or '{' in /usr/share/roundcube/program/lib/Roundcube/rcube_utils.php on line 431
Fatal error: Please check the Roundcube error log and/or server error logs for more information.
* What was the outcome of this action?
Webmail does not work:
Oops... something went wrong!
An internal error has occurred. Your request cannot be processed at this time.
For administrators: Please check the application and/or server error logs for more information.
apache error log is full of
[Thu May 28 10:06:47.523141 2026] [php7:error] [pid 26433:tid 26433] [client 10.3.20.97:62510] PHP Parse error: syntax error, unexpected '|', expecting ';' or '{' in /usr/share/roundcube/program/lib/Roundcube/rcube_utils.php on line 431
Running php 7.4
* What outcome did you expect instead?
Hello,
I noticed that the problem is in the PHP version. We were running PHP 7.4. Problem was gone after switching to PHP 8.2.
Best Regards
Vladislav Kurz
On 28. 05. 26 at 10:41, Vladislav Kurz wrote:
https://github.com/roundcube/roundcubemail/wiki/Version-History
Version 1.6 has PHP support: >=7.3 <=8.3
So this is probably an upstream bug introduced in 1.6.16 and backported to Debian 12 in DSA 6301-1
Best Regards
Vladislav Kurz
Hi,

The upstream PHP compatibility is mostly irrelevant for Debian. Trixie has PHP 8.4 and Bookworm 8.2, so that's the PHP versions against which the packages are tested and AFAIK everything else is unsupported. Not a reason to break compatibility with older PHP versions in a -security (or -pu) update if it can be avoided, of course.

No, that's an issue I introduced in the custom (Debian-specific) fix for CVE-2026-48843. (The upstream fix introduces a new dependency which is not in Debian, so we need a custom native solution for older suites.) Noticed the issue as I was working on backport for Bullseye LTS, but unfortunately not in time for DSA 6301-1. It's already fixed in the repository at https://salsa.debian.org/roundcube-team/roundcube/-/commit/ce0683b27c29f6f8470744a8d01dd352f6065250 so it'll be fixed in the next upload.

Compatibility with PHP ≥7.3 to <8 can be trivially restored by removing the union type annotation in /usr/share/roundcube/program/lib/Roundcube/rcube_utils.php:inet_pton2().

I don't think it warrants a regression update given supported systems are not affected, but I'm CC'ing the Security Team in case they have a different assessment (I can prepare the debdiffs in that case).
On 28. 05. 26 at 13:19, Guilhem Moulin wrote:
Thanks for the info, I see updated packages for bullseye, but no advisory yet. Is it safe to install them?
Best regards
Vladislav Kurz
Yes, I tested that one with PHP 5.6. Will send the DLA later today.
Indeed, running the Debian packaged versions with external PHP versions
is unsupported.
We can include the patch in a future Roundcube security update.
Cheers,
Moritz
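The regression discussed in this thread (a union type annotation, which PHP only parses from 8.0 onwards, in a file loaded by PHP 7.4) can be caught before upload with a source check. The following is an added example, not code from the Roundcube or Debian repositories: a heuristic Python scanner that flags union types in PHP function signatures. The function name `find_union_types` and the PHP sample are constructed for illustration, and the real `inet_pton2()` declaration is not reproduced here.

```python
import re

# Heuristic match of a named PHP function header: name, parameter list and
# optional return type. Defaults containing ")" (e.g. array()) are not parsed.
FUNC_RE = re.compile(
    r"function\s+&?\s*(?P<name>\w+)\s*\((?P<params>[^)]*)\)"
    r"\s*(?::\s*(?P<ret>[^{;]+?))?\s*[{;]",
    re.S,
)

def find_union_types(php_source):
    """Return (line, function, type) for every union type in a signature."""
    findings = []
    for m in FUNC_RE.finditer(php_source):
        line = php_source.count("\n", 0, m.start()) + 1
        types = []
        for param in m.group("params").split(","):
            if "$" not in param:
                continue  # fragment of a default value, not a parameter
            # The declared type is whatever precedes the variable name.
            head = param.split("$", 1)[0]
            types.append(head.strip().strip("&.").strip())
        if m.group("ret"):
            types.append(m.group("ret").strip())
        findings += [(line, m.group("name"), t) for t in types if "|" in t]
    return findings

# Constructed sample: hypothetical class and functions, not Roundcube source.
SAMPLE = """<?php
class sample_utils
{
    public static function keep(?string $ip, int $mask = A | B): string { return $ip; }
    public static function parse_addr(string $ip): string|false
    {
        return inet_pton($ip);
    }
    function pick(int|string $id, &$out) { }
}
"""

if __name__ == "__main__":
    for line, name, typ in find_union_types(SAMPLE):
        print(f"line {line}: {name}() uses union type '{typ}' (needs PHP >= 8.0)")
```

This is a pre-filter only; the authoritative check is running `php -l` on the patched files under the oldest PHP version the package is expected to load on.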