
Re: Wheezy update of sogo?



Hi Markus,

Sorry for the late reply. This bug also isn't fixed in jessie, the
reason for this is that upstream isn't going to fix this for SOGo 2
and earlier. The security bug is about the complete lack of CSRF
protection and implementing that is going to be a lot of work. SOGo 3
has a completely new frontend and that has CSRF protection now, so I
think it is best to just mark SOGo as unsupported in wheezy-lts. I
haven't had the time yet to finish packaging SOGo 3, but I'll be at
debcamp next month and should have enough time then to do that and
create a backport for jessie.

Kind regards,

Jeroen Dekkers

At Mon, 9 May 2016 09:53:13 +0200,
Markus Koschany wrote:
> 
> Hello Jeroen,
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of sogo:
> https://security-tracker.debian.org/tracker/CVE-2015-5395
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> 
> Thank you very much.
> 
> Markus Koschany,
>   on behalf of the Debian LTS team.
> 
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

