Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3cea4c6d by Chris Lamb at 2026-06-29T10:42:49-07:00
Triage CVE-2026-46445, CVE-2026-46446, CVE-2025-71276, CVE-2026-33550, 
CVE-2026-8496 & CVE-2026-8851 in sogo for bullseye LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -28570,6 +28570,7 @@ CVE-2026-43491 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2026-8851 (SOGo versions 5.12.7 and prior contains a SQL injection 
vulnerability  ...)
        {DSA-6366-1}
        - sogo 5.12.8-1
+       [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer 
recommends against backport)
        NOTE: 
https://github.com/Alinto/sogo/commit/f9b71059f4f382d7b337d16ce1257443ade43d02 
(SOGo-5.12.8)
        TODO: check correctness
 CVE-2026-8838 (Unsafe use of Python's eval() on server-received data in the 
vector_in ...)
@@ -30547,6 +30548,7 @@ CVE-2026-45793 [Github Actions issued GITHUB_TOKEN 
disclosure in GitHub Actions
 CVE-2026-8496 (A cross-site scripting (XSS) vulnerability exists in Alinto 
SOGo, vers ...)
        {DSA-6366-1}
        - sogo 5.12.8-1
+       [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer 
recommends against backport)
        NOTE: 
https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e8 
(SOGo-5.12.8)
 CVE-2026-8466 (Allocation of Resources Without Limits or Throttling 
vulnerability in  ...)
        - erlang-cowboy 2.16.1+dfsg-1 (bug #1137525)
@@ -30656,10 +30658,12 @@ CVE-2026-4524 (GitLab has remediated an issue in 
GitLab CE/EE affecting all vers
 CVE-2026-46446 (SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and 
cleartext  ...)
        {DSA-6366-1}
        - sogo 5.12.7-1
+       [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer 
recommends against backport)
        NOTE: 
https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 
(SOGo-5.12.7)
 CVE-2026-46445 (SOGo before 5.12.7, when PostgreSQL is used, allows SQL 
injection.)
        {DSA-6366-1}
        - sogo 5.12.7-1
+       [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer 
recommends against backport)
        NOTE: 
https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 
(SOGo-5.12.7)
 CVE-2026-46419 (Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 
before 2. ...)
        NOT-FOR-US: Yubico webauthn-server-core
@@ -66320,12 +66324,12 @@ CVE-2026-3312
 CVE-2025-71276 (SOGo before 5.12.5 is prone to a XSS vulnerability with 
events, tasks, ...)
        {DSA-6366-1}
        - sogo 5.12.6-1 (bug #1131605)
-       [bullseye] - sogo <postponed> (minor issue; XSS)
+       [bullseye] - sogo <ignored> (minor issue; XSS; Debian maintainer 
recommends against backport)
        NOTE: Fixed by: 
https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1 
(SOGo-5.12.5)
 CVE-2026-33550 (SOGo before 5.12.5 does not renew the OTP if a user 
disables/enables i ...)
        {DSA-6366-1}
        - sogo 5.12.6-1 (bug #1131606)
-       [bullseye] - sogo <postponed> (minor issue)
+       [bullseye] - sogo <ignored> (minor issue; invasive to patch; Debian 
maintainer recommends against backport)
        NOTE: Fixed by: 
https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2 
(SOGo-5.12.5)
 CVE-2026-4359 (A compromised third party cloud server or man-in-the-middle 
attacker c ...)
        - mongo-c-driver 2.2.3-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cea4c6d284b5e1a0782516a47dff73b51881a99

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cea4c6d284b5e1a0782516a47dff73b51881a99
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to