Your message dated Fri, 24 Dec 2021 13:54:30 +0000
with message-id <e1n0l1i-0003np...@fasolo.debian.org>
and subject line Bug#989479: fixed in sogo 4.0.7-1+deb10u2
has caused the Debian Bug report #989479,
regarding sogo: CVE-2021-33054
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sogo
Version: 5.1.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 5.0.1-4
Control: found -1 4.0.7-1+deb10u1
Control: found -1 4.0.7-1

Hi,

The following vulnerability was published for sogo.

CVE-2021-33054[0]:
| SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not
| validate the signatures of any SAML assertions it receives. Any actor
| with network access to the deployment could impersonate users when
| SAML is the authentication method. (Only versions after 2.0.5a are
| affected.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33054
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
[1] https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sogo
Source-Version: 4.0.7-1+deb10u2
Done: Jordi Mallach <jo...@debian.org>

We believe that the bug you reported is fixed in the latest version of
sogo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated sogo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Nov 2021 22:36:02 +0100
Source: sogo
Architecture: source
Version: 4.0.7-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian SOGo Maintainers <pkg-sogo-maintain...@lists.alioth.debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Closes: 989479
Changes:
 sogo (4.0.7-1+deb10u2) buster-security; urgency=high
 .
   * [CVE-2021-33054] fixes validation of SAML message signatures
     (closes: #989479)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
