Re: Wheezy update of sogo?
Sorry for the late reply. This bug also isn't fixed in jessie, the
reason for this is that upstream isn't going to fix this for SOGo 2
and earlier. The security bug is about the complete lack of CSRF
protection and implementing that is going to be a lot of work. SOGo 3
has a complete new frontend and that has CSRF protection now, so I
think it is best to just mark SOGo as unsupported in wheezy-lts. I
haven't had the time yet to finish packaging SOGo 3, but I'll be at
debcamp next month and should have enough time then to do that and
create a backport for jessie.
At Mon, 9 May 2016 09:53:13 +0200,
Markus Koschany wrote:
> Hello Jeroen,
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of sogo:
> Would you like to take care of this yourself?
> If yes, please follow the workflow we have defined here:
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to firstname.lastname@example.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> Thank you very much.
> Markus Koschany,
> on behalf of the Debian LTS team.
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file: