Your message dated Wed, 25 Mar 2026 12:49:00 +0000
with message-id <[email protected]>
and subject line Bug#1131606: fixed in sogo 5.12.6-1
has caused the Debian Bug report #1131606,
regarding sogo: CVE-2026-33550
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131606: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131606
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sogo
Version: 5.12.4-1.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for sogo.
CVE-2026-33550[0]:
| SOGo before 5.12.5 does not renew the OTP if a user disables/enables
| it, and has a too short length (only 12 digits instead of the 20
| recommended).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33550
https://www.cve.org/CVERecord?id=CVE-2026-33550
[1] https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sogo
Source-Version: 5.12.6-1
Done: Jordi Mallach <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sogo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jordi Mallach <[email protected]> (supplier of updated sogo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 25 Mar 2026 12:03:46 +0100
Source: sogo
Architecture: source
Version: 5.12.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian SOGo Maintainers <[email protected]>
Changed-By: Jordi Mallach <[email protected]>
Closes: 1130878 1131605 1131606
Changes:
sogo (5.12.6-1) unstable; urgency=medium
.
* New upstream release.
- [CVE-2025-33550] Issues with OTP renewal and length (closes: #1131606)
- [CVE-2025-71276] XSS in events, tasks and contacts (closes: #1131605)
- [CVE-2026-3054] XSS in unknown components (closes: #1130878)
* Drop CVE-2025-63499.patch, included in release.
* Update watch file to version 5.
* Update copyright years.
* Update Standards-Version to 4.7.3, with no changes needed.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---