Hello,
our SOGo is at 5.12.7.
5.12.8: Four major vulnerabilities have been reported and fixed
(You can find the entire release e-mail below.)
I've had a go on SOPE-5.12.8.tar.gz, a prerequisite.
It failed with:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
if [ -r "STXSaxDriver-Info.plist" ]; then \
plmerge STXSaxDriver.sax/Resources/Info-gnustep.plist
STXSaxDriver-Info.plist; \
fi
Segmentation fault (core dumped)
gmake[4]: ***
[/usr/local/share/GNUstep/Makefiles/Instance/bundle.make:301:
STXSaxDriver.sax/Resources/Info-gnustep.plist] Error 139
[...]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
egdb(1) tells me:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Reading symbols from /usr/local/bin/plmerge...
(No debugging symbols found in /usr/local/bin/plmerge)
[New process 488098]
Core was generated by `plmerge'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000b20741b3297 in
tsl::detail_robin_hash::bucket_entry<std::__1::pair<void const*,
(anonymous namespace)::WeakRef*>, false>::dist_from_ideal_bucket() \
const () from /usr/local/lib/libobjc2.so.4.0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I'm at my wits end.
My diffs to the Makefiles and the distfiles below and attached.
Followed by the release e-mail.
Marcus
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/sope/Makefile,v
retrieving revision 1.106
diff -u -p -r1.106 Makefile
--- Makefile 6 May 2026 13:26:09 -0000 1.106
+++ Makefile 13 May 2026 15:59:12 -0000
@@ -2,7 +2,7 @@ COMMENT-main= Skyrix Object Publishing
COMMENT-mysql= SOPE MySQL adaptor
COMMENT-postgres= SOPE PostgreSQL adaptor
-VERSION = 5.12.7
+VERSION = 5.12.8
DISTNAME = SOPE-${VERSION}
PKGNAME-main = sope-${VERSION}
PKGNAME-mysql = sope-mysql-${VERSION}
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/sope/distinfo,v
retrieving revision 1.65
diff -u -p -r1.65 distinfo
--- distinfo 6 May 2026 13:26:09 -0000 1.65
+++ distinfo 13 May 2026 15:59:12 -0000
@@ -1,2 +1,2 @@
-SHA256 (SOPE-5.12.7.tar.gz) = CyfQ15P7yEQmDwqwcCVejdBf5aRdLfFBx6CIgh+Pg/M=
-SIZE (SOPE-5.12.7.tar.gz) = 2307155
+SHA256 (SOPE-5.12.8.tar.gz) =
0b27d0d793fbc844260f0ab070255e8dd05fe5a45d2df141c7a088821f8f83f3
+SIZE (SOPE-5.12.8.tar.gz) = 2307155
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/sogo/Makefile,v
retrieving revision 1.118
diff -u -p -u -r1.118 Makefile
--- Makefile 6 May 2026 13:26:09 -0000 1.118
+++ Makefile 13 May 2026 16:01:16 -0000
@@ -1,6 +1,6 @@
COMMENT = web based groupware server
-VERSION = 5.12.7
+VERSION = 5.12.8
DISTNAME = SOGo-${VERSION}
PKGNAME = sogo-${VERSION}
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/sogo/distinfo,v
retrieving revision 1.63
diff -u -p -u -r1.63 distinfo
--- distinfo 6 May 2026 13:26:09 -0000 1.63
+++ distinfo 13 May 2026 16:01:16 -0000
@@ -1,2 +1,2 @@
-SHA256 (SOGo-5.12.7.tar.gz) = xcHvqOE7Ugkc9SfiptoUr/tT7EmgdxjUN7Xg1bxP2ws=
-SIZE (SOGo-5.12.7.tar.gz) = 37847103
+SHA256 (SOGo-5.12.8.tar.gz) =
05f81b604651f72de94c8bb012cc5e6aea17f8d3281161423fee6f091dd2a0e9
+SIZE (SOGo-5.12.8.tar.gz) = 37848204
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
----- Weitergeleitete Nachricht von "\"SOGo Reporter\"" <[email protected]> -----
Date: Tue, 12 May 2026 15:51:28 +0200
From: SOGo Reporter <[email protected]>
To: [email protected]
Subject: [SOGo] [announce] Latest updates on SOGo
SOGo 5.12.8 Release
ANNOUNCEMENT
SOGo 5.12.8 Release
Dear SOGo community,
The Alinto team is pleased to announce the immediate availability of
SOGo v5.12.8. This is a major release as it fixes security
vulnerabilities.
IMPORTANT
Four major vulnerabilities have been reported and fixed in this version
5.12.8 or since the nightly of the 8th of May 2026:
`sogo_5.12.7.20260508`.
Those vulnerabilities affect any previous SOGO version. Please update
as soon as possible
[1]CVE ID will be on our website once they're created.
Affect anyone
* 2 possible XSS injections with malicious mail: fixed
* 1 possible SQL injection with specific request: fixed
Affect SOGo when using OpenID with a non-matching usersource
* Impersonification with untrusted user source: fixed
Regression
Some regression, mainly on the mail view, can happen. If you find any,
please report them [2]bugs.sogo.nu
Thanks
* [3]dninh of SACOMBANK for the SQL injection.
* [4]Luke H for one XSS injection.
* [5]Greg Lesnewich from [6]Proofpoint Threat Research for one XSS
injection.
* Last one was found by us, Alinto
[7]Find the full post on our website
SOGo Team
What is SOGo
SOGo is a free and modern scalable groupware server. It offers shared
calendars, address books and emails through your favorite Web browser
or by using a native client such as Mozilla Thunderbird and Lightning,
Apple Calendar and Address Book (Mac OS X and iOS) and Microsoft
Outlook.
SOGo is standard-compliant and supports CalDAV, CardDAV and reuses
existing IMAP, SMTP and database servers - making the solution easy to
deploy and interoperable with many applications.
SOGo features:
* Scalable architecture suitable for deployments from dozen to many
thousand users
* Rich, responsible Web-based interface aligned with Google Material
Design guidelines
* Improved integration with Mozilla Thunderbird and Lightning by
using the SOGo Connector and the SOGo Integrator
* Two-way synchronization support with any Microsoft
ActiveSync-capable device (Apple iOS, Android, Windows Phone,
BlackBerry 10) or Outlook 2013/2016/365
* Excellent native integration with Apple software (OS X and iOS) and
Android-based devices
and many more! SOGo and our connectors are completely free.
[8]Try Online
Available accounts: sogo1, sogo2 and sogo3.
Their password is sogo.
Helping
SOGo is a collaborative effort in order to create the best Free and
Open Source groupware solution.
There are multiple ways you can contribute to the project:
* Documentation reviews, enhancements and translations
* Write test cases - if you know Python, join in!
* Feature requests or by sharing your ideas
* Participate to the discussion in mailing lists
* Patches for [9]bugs or enhancements
* Provide new [10]translations
Feel free to send us your questions. You can also post them to the SOGo
[11]mailing list.
Getting Support
For any questions, do not hesitate to contact us by writing to
[12][email protected]
Customer support packages for SOGo are also [13]available.
[14][?size=100&id=JP7JIPAexYpx&format=png&color=000000]
[15][linkedin.png]
[16][github.png]
References
1. https://www.sogo.nu/news/2026/sogo-v5128-released.html
2. https://bugs.sogo.nu/
3. https://vn.linkedin.com/in/ninhld
4. https://github.com/lukehebe
5. https://www.linkedin.com/in/greglesnewich
6. https://www.proofpoint.com/us/blog/threat-insight
7. https://www.sogo.nu/news/2026/sogo-v5128-released.html
8. https://demo.sogo.nu/SOGo
9. https://bugs.sogo.nu/
10. https://github.com/Alinto/sogo#translations
11. https://mailing.sogo.nu/sympa/info/users
12. mailto:[email protected]
13. https://www.sogo.nu/support.html#/commercial
14. https://floss.social/@SOGo
15.
https://www.linkedin.com/shareArticle?mini=true&url=https://www.linkedin.com/groups/4164805/&title=&summary=&source=
16. https://github.com/Alinto/sogo/
----- Ende weitergeleitete Nachricht -----
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/sope/Makefile,v
retrieving revision 1.106
diff -u -p -u -r1.106 Makefile
--- Makefile 6 May 2026 13:26:09 -0000 1.106
+++ Makefile 13 May 2026 16:02:48 -0000
@@ -2,7 +2,7 @@ COMMENT-main= Skyrix Object Publishing
COMMENT-mysql= SOPE MySQL adaptor
COMMENT-postgres= SOPE PostgreSQL adaptor
-VERSION = 5.12.7
+VERSION = 5.12.8
DISTNAME = SOPE-${VERSION}
PKGNAME-main = sope-${VERSION}
PKGNAME-mysql = sope-mysql-${VERSION}
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/sope/distinfo,v
retrieving revision 1.65
diff -u -p -u -r1.65 distinfo
--- distinfo 6 May 2026 13:26:09 -0000 1.65
+++ distinfo 13 May 2026 16:02:48 -0000
@@ -1,2 +1,2 @@
-SHA256 (SOPE-5.12.7.tar.gz) = CyfQ15P7yEQmDwqwcCVejdBf5aRdLfFBx6CIgh+Pg/M=
-SIZE (SOPE-5.12.7.tar.gz) = 2307155
+SHA256 (SOPE-5.12.8.tar.gz) =
0b27d0d793fbc844260f0ab070255e8dd05fe5a45d2df141c7a088821f8f83f3
+SIZE (SOPE-5.12.8.tar.gz) = 2307155
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/sogo/Makefile,v
retrieving revision 1.118
diff -u -p -u -r1.118 Makefile
--- Makefile 6 May 2026 13:26:09 -0000 1.118
+++ Makefile 13 May 2026 16:02:22 -0000
@@ -1,6 +1,6 @@
COMMENT = web based groupware server
-VERSION = 5.12.7
+VERSION = 5.12.8
DISTNAME = SOGo-${VERSION}
PKGNAME = sogo-${VERSION}
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/sogo/distinfo,v
retrieving revision 1.63
diff -u -p -u -r1.63 distinfo
--- distinfo 6 May 2026 13:26:09 -0000 1.63
+++ distinfo 13 May 2026 16:02:22 -0000
@@ -1,2 +1,2 @@
-SHA256 (SOGo-5.12.7.tar.gz) = xcHvqOE7Ugkc9SfiptoUr/tT7EmgdxjUN7Xg1bxP2ws=
-SIZE (SOGo-5.12.7.tar.gz) = 37847103
+SHA256 (SOGo-5.12.8.tar.gz) =
05f81b604651f72de94c8bb012cc5e6aea17f8d3281161423fee6f091dd2a0e9
+SIZE (SOGo-5.12.8.tar.gz) = 37848204
