On 18.05.2016 at 21:01, Jeroen Dekkers wrote:
> Hi Markus,
>
> Sorry for the late reply. This bug also isn't fixed in jessie, the
> reason for this is that upstream isn't going to fix this for SOGo 2
> and earlier. The security bug is about the complete lack of CSRF
> protection and implementing that is going to be a lot of work. SOGo 3
> has a complete new frontend and that has CSRF protection now, so I
> think it is best to just mark SOGo as unsupported in wheezy-lts. I
> haven't had the time yet to finish packaging SOGo 3, but I'll be at
> debcamp next month and should have enough time then to do that and
> create a backport for jessie.
>

Hi Jeroen,

thank you for your reply. I see. We only ship the 1.x series in Wheezy, so this would require even more backporting work and I don't think this is justified in sogo's case. I believe we should mark sogo as unsupported in Wheezy but I will wait for further feedback from the team until I am going to do that.

Cheers,

Markus