Your message dated Tue, 22 Jul 2025 21:36:49 +0000
with message-id <e1uekfj-00cpjr...@fasolo.debian.org>
and subject line Bug#1108798: fixed in sope 5.12.1-2
has caused the Debian Bug report #1108798,
regarding sogo: CVE-2025-53603
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1108798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sogo
Version: 5.12.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/Alinto/sope/pull/69
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 5.8.0-1
Control: tags -1 + bookworm trixie sid
Hi,
The following vulnerability was published for sogo.
CVE-2025-53603[0]:
| In Alinto SOPE SOGo 2.0.2 through 5.12.2,
| sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference
| and SOGo crash via a request in which a parameter in the query string
| is a duplicate of a parameter in the POST body.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53603
https://www.cve.org/CVERecord?id=CVE-2025-53603
[1] https://github.com/Alinto/sope/pull/69
[2] https://www.openwall.com/lists/oss-security/2025/07/02/3
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sope
Source-Version: 5.12.1-2
Done: Jordi Mallach <jo...@debian.org>
We believe that the bug you reported is fixed in the latest version of
sope, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated sope package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 22 Jul 2025 22:34:25 +0200
Source: sope
Architecture: source
Version: 5.12.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian SOGo Maintainers <pkg-sogo-maintain...@lists.alioth.debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Closes: 1108798
Changes:
sope (5.12.1-2) unstable; urgency=medium
.
* [CVE-2025-53603] Add proposed patch to fix DoS-enabling segfault
(closes: #1108798).
* Cherry-pick two additional fixes from the 5.12.2 release.
- allow SMTP replies that don't adhere to the SMTP spec
- don't check for the auth bearer token
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---