Your message dated Fri, 24 Dec 2021 13:52:55 +0000
with message-id <[email protected]>
and subject line Bug#989479: fixed in sogo 5.0.1-4+deb11u1
has caused the Debian Bug report #989479,
regarding sogo: CVE-2021-33054
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
989479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989479
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sogo
Version: 5.1.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 5.0.1-4
Control: found -1 4.0.7-1+deb10u1
Control: found -1 4.0.7-1

Hi,

The following vulnerability was published for sogo.

CVE-2021-33054[0]:
| SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not
| validate the signatures of any SAML assertions it receives. Any actor
| with network access to the deployment could impersonate users when
| SAML is the authentication method. (Only versions after 2.0.5a are
| affected.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33054
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
[1] https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sogo
Source-Version: 5.0.1-4+deb11u1
Done: Jordi Mallach <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sogo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <[email protected]> (supplier of updated sogo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Nov 2021 21:44:21 +0100
Source: sogo
Architecture: source
Version: 5.0.1-4+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian SOGo Maintainers <[email protected]>
Changed-By: Jordi Mallach <[email protected]>
Closes: 989479
Changes:
 sogo (5.0.1-4+deb11u1) bullseye-security; urgency=high
 .
   * [CVE-2021-33054] fixes validation of SAML message signatures
     (closes: #989479)
   * Switch gbp debian branch to bullseye.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
