Hi Markus, Sorry for the late reply. This bug also isn't fixed in jessie, the reason for this is that upstream isn't going to fix this for SOGo 2 and earlier. The security bug is about the complete lack of CSRF protection and implementing that is going to be a lot of work. SOGo 3 has a complete new frontend and that has CSRF protection now, so I think it is best to just mark SOGo as unsupported in wheezy-lts. I haven't had the time yet to finish packaging SOGo 3, but I'll be at debcamp next month and should have enough time then to do that and create a backport for jessie.
Kind regards, Jeroen Dekkers At Mon, 9 May 2016 09:53:13 +0200, Markus Koschany wrote: > > Hello Jeroen, > > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of sogo: > https://security-tracker.debian.org/tracker/CVE-2015-5395 > > Would you like to take care of this yourself? > > If yes, please follow the workflow we have defined here: > https://wiki.debian.org/LTS/Development > > If that workflow is a burden to you, feel free to just prepare an > updated source package and send it to debian-lts@lists.debian.org > (via a debdiff, or with an URL pointing to the source package, > or even with a pointer to your packaging repository), and the members > of the LTS team will take care of the rest. Indicate clearly whether you > have tested the updated package or not. > > If you don't want to take care of this update, it's not a problem, we > will do our best with your package. Just let us know whether you would > like to review and/or test the updated package before it gets released. > > Thank you very much. > > Markus Koschany, > on behalf of the Debian LTS team. > > PS: A member of the LTS team might start working on this update at > any point in time. You can verify whether someone is registered > on this update in this file: > https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
