Your message dated Sun, 04 Jan 2026 19:17:15 +0000
with message-id <[email protected]>
and subject line Bug#1121952: fixed in sogo 5.8.0-2+deb12u1
has caused the Debian Bug report #1121952,
regarding sogo: CVE-2025-63499
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sogo
Version: 5.12.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for sogo.
CVE-2025-63499[0]:
| Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via
| the theme parameter.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-63499
https://www.cve.org/CVERecord?id=CVE-2025-63499
[1] https://github.com/Alinto/sogo/commit/16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sogo
Source-Version: 5.8.0-2+deb12u1
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sogo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated sogo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 04 Jan 2026 17:27:30 +0100
Source: sogo
Architecture: source
Version: 5.8.0-2+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Debian SOGo Maintainers <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1060925 1071163 1121952
Changes:
sogo (5.8.0-2+deb12u1) bookworm; urgency=high
.
[ Tobias Frost ]
* Non-maintainer upload.
* Cherry-pick patch from salsa repo to fix below mentioned
WSTG-INPV-02 issue. (The patch was present in the git repo,
but was never released as part of a package)
* CVE-2024-48104 - HTML Injection (Closes: #1060925)
* CVE-2024-24510 - CSS Injection
* CVE-2024-34462 - Cross Site Scripting (XSS) (Closes: #1071163)
* CVE-2025-63498 - Cross Site Scripting (XSS)
* CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)
.
[ Jordi Mallach ]
* Add upstream fix for a WSTG-INPV-02 security issue, crash on
invalid mailIdentities.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---