Updated roundcubemail packages fix security vulnerabilities:
More security issues in the DBMail driver for the password plugin, related to CVE-2015-2181.
XSS issue in SVG images handling (CVE-2015-8864).
Lack of protection for attachment download URLs against CSRF (CVE-2016-4069).
The roundcubemail package has been updated to version 1.0.9, fixing these issues and several other bugs.