Bug#989479: marked as done (sogo: CVE-2021-33054)

[Debian Bug Tracking System]

Your message dated Thu, 19 Aug 2021 11:12:19 +0200
with message-id <yr4gcykacaudq...@eldamar.lan>
and subject line Re: Accepted sogo 5.1.1-1 (source) into unstable
has caused the Debian Bug report #989479,
regarding sogo: CVE-2021-33054
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: sogo
Version: 5.1.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 5.0.1-4
Control: found -1 4.0.7-1+deb10u1
Control: found -1 4.0.7-1

Hi,

The following vulnerability was published for sogo.

CVE-2021-33054[0]:
| SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not
| validate the signatures of any SAML assertions it receives. Any actor
| with network access to the deployment could impersonate users when
| SAML is the authentication method. (Only versions after 2.0.5a are
| affected.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33054
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
[1] 
https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: sogo
Source-Version: 5.1.1-1

On Thu, Aug 19, 2021 at 08:48:47AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Tue, 17 Aug 2021 00:54:43 +0200
> Source: sogo
> Architecture: source
> Version: 5.1.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian SOGo Maintainers 
> <pkg-sogo-maintain...@lists.alioth.debian.org>
> Changed-By: Jordi Mallach <jo...@debian.org>
> Changes:
>  sogo (5.1.1-1) unstable; urgency=medium
>  .
>    * New upstream release.

AFAICS, this seems to fix CVE-2021-33054 / #989479. Closing with the
respective version.

Regards,
Salvatore

--- End Message ---