On Sun, Jan 04, 2026 at 07:56:06PM +0000, Adam D. Barratt wrote:
> On Sun, 2026-01-04 at 20:30 +0100, Salvatore Bonaccorso wrote:
> > Hi Tobias,
> > 
> > On Sun, Jan 04, 2026 at 05:51:37PM +0100, Tobias Frost wrote:
> > 
> [...]
> > > This o-s-p-u fixes the following CVEs:
> > >  * CVE-2024-48104 - HTML Injection (Closes: #1060925)
> > 
> > This should have been CVE-2023-48104. Adam, can you update that for
> > the comments at least, not sure we have enough time to make a reject
> > and new upload correcting that.
> 
> I used the correct ID in the comment, but given the time between
> oldstable point releases I decided to accept the package as-is rather
> than wait for a reject-and-reupload cycle.
> 
> If desired then I'd likely accept a u2 that simply corrected the typo
> in the u1 changelog, so long as it happened quickly.

Uploaded, diff:
(patch had wrong name too, used the opportunity to fix that too.)

diff --git a/debian/changelog b/debian/changelog
index 11098c635..cfd0c43bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+sogo (5.8.0-2+deb12u2) bookworm; urgency=medium
+
+  * Fixing wrong CVE number for CVE-2023-48104.
+
+ -- Tobias Frost <[email protected]>  Sun, 04 Jan 2026 22:20:06 +0100
+
 sogo (5.8.0-2+deb12u1) bookworm; urgency=high

   [ Tobias Frost ]
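
Review bot: The new 5.8.0-2+deb12u2 entry only says "Fixing wrong CVE number for CVE-2023-48104" and does not record the rename of debian/patches/CVE-2024-48104.patch or the matching debian/patches/series change shipped in the same upload. Suggest naming the old ID and the rename in the entry, for example "Correct CVE ID in the deb12u1 changelog (CVE-2024-48104 -> CVE-2023-48104) and rename the patch file accordingly", so that anyone searching for the wrong ID can trace what happened.
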
@@ -5,7 +11,7 @@ sogo (5.8.0-2+deb12u1) bookworm; urgency=high
   * Cherry-pick patch from salsa repo to fix below mentioned
     WSTG-INPV-02 issue. (The patch was present in the git repo,
     but the never released as part of a package)
-  * CVE-2024-48104 - HTML Injection (Closes: #1060925)
+  * CVE-2023-48104 - HTML Injection (Closes: #1060925)
   * CVE-2024-24510 - CSS Injection
   * CVE-2024-34462 - Cross Site Scripting (XSS) (Closes: #1071163)
   * CVE-2025-63498 - Cross Site Scripting (XSS)
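
Review bot: In the context lines of this deb12u1 entry, "but the never released as part of a package" has a word out of place; since the entry is being edited anyway, "but was never released as part of a package" would fix it in the same upload. The ID correction on the HTML Injection line itself keeps "Closes: #1060925" unchanged, which matches the original entry.
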
diff --git a/debian/patches/CVE-2024-48104.patch 
b/debian/patches/CVE-2023-48104.patch
similarity index 100%
rename from debian/patches/CVE-2024-48104.patch
rename to debian/patches/CVE-2023-48104.patch
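
Review bot: The rename is recorded with "similarity index 100%", so the patch file's content is unchanged; if its header (description or subject lines) cites CVE-2024-48104, that reference is still wrong after this upload. Worth checking the header of debian/patches/CVE-2023-48104.patch and correcting the ID there as well.
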
diff --git a/debian/patches/series b/debian/patches/series
index d115549e0..ab26037ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,4 +14,4 @@ CVE-2025-63499.patch
 CVE-2025-63498.patch
 CVE-2024-34462.patch
 CVE-2024-24510.patch
-CVE-2024-48104.patch
+CVE-2023-48104.patch


> Regards,
> 
> Adam
