Hi,

On Thu, 11 Nov 2021 at 22:07 +0100, Jordi Mallach wrote:
> Hi Salvatore,
>
> On Fri, 4 Jun 2021 at 23:07 +0200, Salvatore Bonaccorso wrote:
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-33054
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
> > [1] https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I have prepared a source package for bullseye, with a debdiff attached.
Now attached...

Jordi
-- 
Jordi Mallach <jo...@debian.org>
Debian Project
diff -Nru sogo-5.0.1/debian/changelog sogo-5.0.1/debian/changelog --- sogo-5.0.1/debian/changelog 2021-02-02 01:28:14.000000000 +0100 +++ sogo-5.0.1/debian/changelog 2021-11-11 21:44:21.000000000 +0100 @@ -1,3 +1,11 @@ +sogo (5.0.1-4+deb11u1) bullseye-security; urgency=high + + * [CVE-2021-33054] fixes validation of SAML message signatures + (closes: #989479) + * Switch gbp debian branch to bullseye. + + -- Jordi Mallach <jo...@debian.org> Thu, 11 Nov 2021 21:44:21 +0100 + sogo (5.0.1-4) unstable; urgency=medium * Build against OpenSSL, now that ftpmaster considers it a system diff -Nru sogo-5.0.1/debian/gbp.conf sogo-5.0.1/debian/gbp.conf --- sogo-5.0.1/debian/gbp.conf 2019-10-31 09:28:21.000000000 +0100 +++ sogo-5.0.1/debian/gbp.conf 2021-11-11 21:43:53.000000000 +0100 @@ -1,5 +1,5 @@ [DEFAULT] pristine-tar = True -debian-branch = debian -upstream-branch=upstream +debian-branch = bullseye +upstream-branch = upstream upstream-vcs-tag = SOGo-%(version)s diff -Nru sogo-5.0.1/debian/patches/cve-2021-33054.patch sogo-5.0.1/debian/patches/cve-2021-33054.patch --- sogo-5.0.1/debian/patches/cve-2021-33054.patch 1970-01-01 01:00:00.000000000 +0100 +++ sogo-5.0.1/debian/patches/cve-2021-33054.patch 2021-11-11 21:40:56.000000000 +0100 
@@ -0,0 +1,18 @@ +commit e53636564680ac0df11ec898304bc442908ba746 +Author: Francis Lachapelle <flachape...@inverse.ca> +Date: Mon May 17 10:10:01 2021 -0400 + + fix(saml): don't ignore the signature of messages + +diff --git a/SoObjects/SOGo/SOGoSAML2Session.m b/SoObjects/SOGo/SOGoSAML2Session.m +index 782bc1f2c..e07f84116 100644 +--- a/SoObjects/SOGo/SOGoSAML2Session.m ++++ b/SoObjects/SOGo/SOGoSAML2Session.m +@@ -454,7 +454,6 @@ static NSMapTable *serverTable = nil; + + responseData = strdup ([authnResponse UTF8String]); + +- lasso_profile_set_signature_verify_hint(lassoLogin, LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE); + rc = lasso_login_process_authn_response_msg (lassoLogin, responseData); + if (rc) + [NSException raiseSAML2Exception: rc]; diff -Nru sogo-5.0.1/debian/patches/series sogo-5.0.1/debian/patches/series --- sogo-5.0.1/debian/patches/series 2021-02-02 01:28:14.000000000 +0100 +++ sogo-5.0.1/debian/patches/series 2021-11-11 21:41:21.000000000 +0100 @@ -9,3 +9,4 @@ 0008-Unset-MAKEFLAGS-and-MFLAGS-in-configure.patch 0009-Omit-signedViewer-altogether-when-not-using-openssl.patch python3.patch +cve-2021-33054.patch
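Review bot: the new debian/patches/cve-2021-33054.patch carries only the upstream git commit header and no DEP-3 headers, so add at least `Origin: upstream, https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746` and `Bug-Debian: https://bugs.debian.org/989479` at the top of the file so the provenance and the bug it closes are machine-readable. Since the fix is purely the removal of the `lasso_profile_set_signature_verify_hint(lassoLogin, LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);` call, signature checking of the authn response now depends on liblasso's default behaviour plus the existing `if (rc)` check after `lasso_login_process_authn_response_msg`; it is worth confirming against the liblasso version shipped in bullseye that an unsigned or badly signed response really returns a non-zero rc there, because nothing in the patch adds an explicit verification step of its own.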