This update for roundcubemail fixes the following issues:

Update to 1.5.4 (boo#1215433)

* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
* Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
* Fix so N property always exists in a vCard export (#8771)
* Fix so rcmail::format_date() works with DateTimeImmutable input (#8867)
* Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)