Bug#1124633: bookworm-pu: package sogo/5.8.0-2+deb12u1
On Sun, Jan 04, 2026 at 07:56:06PM +, Adam D. Barratt wrote:
> On Sun, 2026-01-04 at 20:30 +0100, Salvatore Bonaccorso wrote:
> > Hi Tobias,
> > 
> > On Sun, Jan 04, 2026 at 05:51:37PM +0100, Tobias Frost wrote:
> > > [...]
> > > This o-s-p-u fixes the following CVES:
> > > * CVE-2024-48104 - HTML Injection (Closes: #1060925)
> > 
> > This should have been CVE-2023-48104. Adam can you update that for
> > the comments at least, not sure we have enough time to make a reject
> > and new upload correcting that.
> 
> I used the correct ID in the comment, but given the time between
> oldstable point releases I decided to accept the package as-is rather
> than wait for a reject-and-reupload cycle.
> 
> If desired then I'd likely accept a u2 that simply corrected the typo
> in the u1 changelog, so long as it happened quickly.

Uploaded, diff: (patch had wrong name too, used the opportunity to fix that too.)

diff --git a/debian/changelog b/debian/changelog index 11098c635..cfd0c43bb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +sogo (5.8.0-2+deb12u2) bookworm; urgency=medium + + * Fixing wrong CVE number for CVE-2023-48104. + + -- Tobias Frost Sun, 04 Jan 2026 22:20:06 +0100 + sogo (5.8.0-2+deb12u1) bookworm; urgency=high [ Tobias Frost ] @@ -5,7 +11,7 @@ sogo (5.8.0-2+deb12u1) bookworm; urgency=high * Cherry-pick patch from salsa repo to fix below mentioned WSTG-INPV-02 issue. (The patch was present in the git repo, but the never released as part of a package) - * CVE-2024-48104 - HTML Injection (Closes: #1060925) + * CVE-2023-48104 - HTML Injection (Closes: #1060925) * CVE-2024-24510 - CSS Injection * CVE-2024-34462 - Cross Site Scripting (XSS) (Closes: #1071163) * CVE-2025-63498 - Cross Site Scripting (XSS) diff --git a/debian/patches/CVE-2024-48104.patch b/debian/patches/CVE-2023-48104.patch similarity index 100% rename from debian/patches/CVE-2024-48104.patch rename to debian/patches/CVE-2023-48104.patch 
diff --git a/debian/patches/series b/debian/patches/series index d115549e0..ab26037ed 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -14,4 +14,4 @@ CVE-2025-63499.patch CVE-2025-63498.patch CVE-2024-34462.patch CVE-2024-24510.patch -CVE-2024-48104.patch +CVE-2023-48104.patch

> Regards,
> 
> Adam
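Review bot: the u2 changelog entry only says "Fixing wrong CVE number for CVE-2023-48104.", but the diff also renames debian/patches/CVE-2024-48104.patch to debian/patches/CVE-2023-48104.patch and updates debian/patches/series to match; since the checklist in this bug requires that all changes be documented in d/changelog, the entry should record the rename too, e.g. "Fix CVE number in changelog and rename CVE-2024-48104.patch to CVE-2023-48104.patch". Note also that the rename is at similarity index 100%, so the file content is untouched: if the DEP-3 header inside that patch carries the CVE id, it still reads the old one and deserves a check before the next upload.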
Bug#1124633: bookworm-pu: package sogo/5.8.0-2+deb12u1
On Sun, Jan 04, 2026 at 07:56:06PM +, Adam D. Barratt wrote:
> On Sun, 2026-01-04 at 20:30 +0100, Salvatore Bonaccorso wrote:
> > Hi Tobias,
> > 
> > On Sun, Jan 04, 2026 at 05:51:37PM +0100, Tobias Frost wrote:
> > > [...]
> > > This o-s-p-u fixes the following CVES:
> > > * CVE-2024-48104 - HTML Injection (Closes: #1060925)
> > 
> > This should have been CVE-2023-48104. Adam can you update that for
> > the comments at least, not sure we have enough time to make a reject
> > and new upload correcting that.
> 
> I used the correct ID in the comment, but given the time between
> oldstable point releases I decided to accept the package as-is rather
> than wait for a reject-and-reupload cycle.
> 
> If desired then I'd likely accept a u2 that simply corrected the typo
> in the u1 changelog, so long as it happened quickly.

Will provide a u2 later tonight.

-- 
tobi

> Regards,
> 
> Adam
Bug#1124633: bookworm-pu: package sogo/5.8.0-2+deb12u1
On Sun, 2026-01-04 at 20:30 +0100, Salvatore Bonaccorso wrote:
> Hi Tobias,
> 
> On Sun, Jan 04, 2026 at 05:51:37PM +0100, Tobias Frost wrote:
> [...]
> > This o-s-p-u fixes the following CVES:
> > * CVE-2024-48104 - HTML Injection (Closes: #1060925)
> 
> This should have been CVE-2023-48104. Adam can you update that for
> the comments at least, not sure we have enough time to make a reject
> and new upload correcting that.

I used the correct ID in the comment, but given the time between
oldstable point releases I decided to accept the package as-is rather
than wait for a reject-and-reupload cycle.

If desired then I'd likely accept a u2 that simply corrected the typo
in the u1 changelog, so long as it happened quickly.

Regards,

Adam
Bug#1124633: bookworm-pu: package sogo/5.8.0-2+deb12u1
Hi Tobias,

On Sun, Jan 04, 2026 at 05:51:37PM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: [email protected], [email protected],
> [email protected]
> Control: affects -1 + src:sogo
> User: [email protected]
> Usertags: pu
> 
> This o-s-p-u fixes the following CVES:
> * CVE-2024-48104 - HTML Injection (Closes: #1060925)

This should have been CVE-2023-48104. Adam can you update that for
the comments at least, not sure we have enough time to make a reject
and new upload correcting that.

Regards,
Salvatore
Bug#1124633: bookworm-pu: package sogo/5.8.0-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected], [email protected]
Control: affects -1 + src:sogo
User: [email protected]
Usertags: pu

This o-s-p-u fixes the following CVEs:
* CVE-2024-48104 - HTML Injection (Closes: #1060925)
* CVE-2024-24510 - CSS Injection
* CVE-2024-34462 - Cross Site Scripting (XSS) (Closes: #1071163)
* CVE-2025-63498 - Cross Site Scripting (XSS)
* CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)

It additionally fixes a crash (NSException) that could be triggered when mailIdentities was invalid.

[ Tests ]
I've verified that the POCs the tracker mentions stop working (they did trigger before) in a Bookworm VM and additionally manually tested sogo.

[ Risks ]
The patches, cherry-picked from upstream, are small and quite straightforward. See the dep3 headers for pointers to the upstream changes.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
see above

I'll upload the changes after this mail has been sent.

-- 
tobi

diff -Nru sogo-5.8.0/debian/changelog sogo-5.8.0/debian/changelog --- sogo-5.8.0/debian/changelog 2022-12-01 12:47:54.0 +0100 +++ sogo-5.8.0/debian/changelog 2026-01-04 17:27:30.0 +0100 
@@ -1,3 +1,22 @@ +sogo (5.8.0-2+deb12u1) bookworm; urgency=high + + [ Tobias Frost ] + * Non-maintainer upload. + * Cherry-pick patch from salsa repo to fix below mentioned +WSTG-INPV-02 issue. (The patch was present in the git repo, +but the never released as part of a package) + * CVE-2024-48104 - HTML Injection (Closes: #1060925) + * CVE-2024-24510 - CSS Injection + * CVE-2024-34462 - Cross Site Scripting (XSS) (Closes: #1071163) + * CVE-2025-63498 - Cross Site Scripting (XSS) + * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952) + + [ Jordi Mallach ] + * Add upstream fix for a WSTG-INPV-02 security issue, crash on +invalid mailIdentities. + + -- Tobias Frost Sun, 04 Jan 2026 17:27:30 +0100 + sogo (5.8.0-1) unstable; urgency=medium * New upstream release. diff -Nru sogo-5.8.0/debian/patches/CVE-2024-24510.patch sogo-5.8.0/debian/patches/CVE-2024-24510.patch --- sogo-5.8.0/debian/patches/CVE-2024-24510.patch 1970-01-01 01:00:00.0 +0100 +++ sogo-5.8.0/debian/patches/CVE-2024-24510.patch 2026-01-04 17:27:30.0 +0100 @@ -0,0 +1,45 @@ +Description: CVE-2024-24510 - XSS via mail import component + Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote + attacker to execute arbitrary code via the import function to the mail + component. +Origin: https://github.com/Alinto/sogo/commit/21468700718ed71774eaf2979ee59330fc569424 + + 
From 21468700718ed71774eaf2979ee59330fc569424 Mon Sep 17 00:00:00 +2001 +From: smizrahi +Date: Tue, 23 Jan 2024 15:01:47 + +Subject: [PATCH] fix(mail): Fix security @import css injection + +--- + SoObjects/SOGo/NSString+Utilities.m | 9 + + Tests/Unit/TestNSString+Utilities.m | 1 + + 2 files changed, 10 insertions(+) + +--- a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m +@@ -990,6 +990,15 @@ + options: NSRegularExpressionCaseInsensitive error:&error]; + newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"onmouseo***="]; + result = [NSString stringWithString: newResult]; ++ ++ // Remove @import css (in style tags) ++ regex = [NSRegularExpression regularExpressionWithPattern:@"(<[\\s\\u200B 0]*s[\\s\\u200B 0]*t[\\s\\u200B 0]*y[\\s\\u200B 0]*l[\\s\\u200B 0]*e.*)([\\s\\u200B 0]*@[\\s\\u200B 0]*i[\\s\\u200B 0]*m[\\s\\u200B 0]*p[\\s\\u200B 0]*o[\\s\\u200B 0]*r[\\s\\u200B 0]*t)(.*<[\\s\\u200B 0]*\\/[\\s\\u200B 0]*s[\\s\\u200B 0]*t[\\s\\u200B 0]*y[\\s\\u200B 0]*l[\\s\\u200B 0]*e[\\s\\u200B 0]*>)" ++ options: NSRegularExpressionCaseInsensitive error:&error]; ++ newResult = result; ++ while([regex numberOfMatchesInString:newResult options:0 range:NSMakeRange(0, [newResult length])] > 0) { ++newResult = [regex stringByReplacingMatchesInString:newResult options:0 range:NSMakeRange(0, [newResult length]) withTemplate:@"$1@im$3"]; ++ } ++ result = [NSString stringWithString: newResult]; + } + } + NS_HANDLER +--- a/Tests/Unit/TestNSString+Utilities.m b/Tests/Unit/TestNSString+Utilities.m +@@ -108,6 +108,7 @@ + testEquals([[NSString stringWithString:@"foobar bar"] stringWithoutHTMLInjection: NO], @"foobar bar"); + testEquals([[NSString stringWithString:@"foobar @import url(5 matches
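Review bot: the changelog hunk lists "CVE-2024-48104 - HTML Injection (Closes: #1060925)", but as Salvatore points out further down this bug the identifier is CVE-2023-48104; the same wrong id is used for the patch file name and in debian/patches/series, so all three places need the fix. The same hunk also has a typo in "but the never released as part of a package" (drop "the").

Review bot: the DEP-3 Description in the CVE-2024-24510.patch hunk ("XSS via mail import component", "via the import function to the mail component") does not match what the code does: the upstream commit is titled "fix(mail): Fix security @import css injection", the new block in NSString+Utilities.m strips CSS @import rules found inside <style> tags (the regex replaces the matched @import group with "@im" via the template "$1@im$3", looping until no match remains), and the changelog itself calls it "CSS Injection". Rewording the Description to say CSS @import injection in HTML mail would avoid misleading anyone triaging the package. The test hunk is cut off on this page after "@import url(", so the expected sanitized output cannot be reviewed here.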

