Bug#1124633: bookworm-pu: package sogo/5.8.0-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sogo@packages.debian.org, sogo@packages.debian.org, team@security.debian.org
Control: affects -1 + src:sogo
User: release.debian.org@packages.debian.org
Usertags: pu
This o-s-p-u fixes the following CVES:
* CVE-2024-48104 - HTML Injection (Closes: #1060925)
* CVE-2024-24510 - CSS Injection
* CVE-2024-34462 - Cross Site Scripting (XSS) (Closes: #1071163)
* CVE-2025-63498 - Cross Site Scripting (XSS)
* CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)
It additinonally fixes a crash (NSException) that could be triggered
when mailIdentities was invalid
[ Tests ]
I've verified that the POCs the tracker mentions stops working (they did
trigger before) in a Bookworm VM and additionally manually tested
sogo.
[ Risks ]
The Patches are cherry-picked from upstream are small and quite straight
forward. See the dep3 headers for pointers to the upstream changes.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
see above
I'll upload the changes after this mail has been sent.
--
tobi
diff -Nru sogo-5.8.0/debian/changelog sogo-5.8.0/debian/changelog
--- sogo-5.8.0/debian/changelog 2022-12-01 12:47:54.000000000 +0100
+++ sogo-5.8.0/debian/changelog 2026-01-04 17:27:30.000000000 +0100
@@ -1,3 +1,22 @@
+sogo (5.8.0-2+deb12u1) bookworm; urgency=high
+
+ [ Tobias Frost ]
+ * Non-maintainer upload.
+ * Cherry-pick patch from salsa repo to fix below mentioned
+ WSTG-INPV-02 issue. (The patch was present in the git repo,
+ but the never released as part of a package)
+ * CVE-2024-48104 - HTML Injection (Closes: #1060925)
+ * CVE-2024-24510 - CSS Injection
+ * CVE-2024-34462 - Cross Site Scripting (XSS) (Closes: #1071163)
+ * CVE-2025-63498 - Cross Site Scripting (XSS)
+ * CVE-2025-63499 - Cross Site Scripting (XSS) (Closes: #1121952)
+
+ [ Jordi Mallach ]
+ * Add upstream fix for a WSTG-INPV-02 security issue, crash on
+ invalid mailIdentities.
+
+ -- Tobias Frost <tobi@debian.org> Sun, 04 Jan 2026 17:27:30 +0100
+
sogo (5.8.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru sogo-5.8.0/debian/patches/CVE-2024-24510.patch sogo-5.8.0/debian/patches/CVE-2024-24510.patch
--- sogo-5.8.0/debian/patches/CVE-2024-24510.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.8.0/debian/patches/CVE-2024-24510.patch 2026-01-04 17:27:30.000000000 +0100
@@ -0,0 +1,45 @@
+Description: CVE-2024-24510 - XSS via mail import component
+ Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote
+ attacker to execute arbitrary code via the import function to the mail
+ component.
+Origin: https://github.com/Alinto/sogo/commit/21468700718ed71774eaf2979ee59330fc569424
+
+ From 21468700718ed71774eaf2979ee59330fc569424 Mon Sep 17 00:00:00
+2001
+From: smizrahi <seb.mizrahi@gmail.com>
+Date: Tue, 23 Jan 2024 15:01:47 +0000
+Subject: [PATCH] fix(mail): Fix security @import css injection
+
+---
+ SoObjects/SOGo/NSString+Utilities.m | 9 +++++++++
+ Tests/Unit/TestNSString+Utilities.m | 1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/SoObjects/SOGo/NSString+Utilities.m
++++ b/SoObjects/SOGo/NSString+Utilities.m
+@@ -990,6 +990,15 @@
+ options: NSRegularExpressionCaseInsensitive error:&error];
+ newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"onmouseo***="];
+ result = [NSString stringWithString: newResult];
++
++ // Remove @import css (in style tags)
++ regex = [NSRegularExpression regularExpressionWithPattern:@"(<[\\s\\u200B	

\\\\0]*s[\\s\\u200B	

\\\\0]*t[\\s\\u200B	

\\\\0]*y[\\s\\u200B	

\\\\0]*l[\\s\\u200B	

\\\\0]*e.*)([\\s\\u200B	

\\\\0]*@[\\s\\u200B	

\\\\0]*i[\\s\\u200B	

\\\\0]*m[\\s\\u200B	

\\\\0]*p[\\s\\u200B	

\\\\0]*o[\\s\\u200B	

\\\\0]*r[\\s\\u200B	

\\\\0]*t)(.*<[\\s\\u200B	

\\\\0]*\\/[\\s\\u200B	

\\\\0]*s[\\s\\u200B	

\\\\0]*t[\\s\\u200B	

\\\\0]*y[\\s\\u200B	

\\\\0]*l[\\s\\u200B	

\\\\0]*e[\\s\\u200B	

\\\\0]*>)"
++ options: NSRegularExpressionCaseInsensitive error:&error];
++ newResult = result;
++ while([regex numberOfMatchesInString:newResult options:0 range:NSMakeRange(0, [newResult length])] > 0) {
++ newResult = [regex stringByReplacingMatchesInString:newResult options:0 range:NSMakeRange(0, [newResult length]) withTemplate:@"$1@im****$3"];
++ }
++ result = [NSString stringWithString: newResult];
+ }
+ }
+ NS_HANDLER
+--- a/Tests/Unit/TestNSString+Utilities.m
++++ b/Tests/Unit/TestNSString+Utilities.m
+@@ -108,6 +108,7 @@
+ testEquals([[NSString stringWithString:@"foobar <iframe src=\"\">bar</iframe>"] stringWithoutHTMLInjection: NO], @"foobar <ifr*** src=\"\">bar</iframe>");
+ testEquals([[NSString stringWithString:@"foobar <img onload=foo bar"] stringWithoutHTMLInjection: NO], @"foobar <img onl***=foo bar");
+ testEquals([[NSString stringWithString:@"foobar <img onmouseover=foo bar"] stringWithoutHTMLInjection: NO], @"foobar <img onmouseo***=foo bar");
++ testEquals([[NSString stringWithString:@"<!DOCTYPE html><html><head><style>@import url(https://foo.bar/malicious.css);.foo{background-color: red; @import url(https://bar.foo/malicious2.css);</style></head><body><table><tr><td>A</td><td>B</td><td>C</td></tr></table></body></html>"] stringWithoutHTMLInjection: NO], @"<!DOCTYPE html><html><head><style>@im**** url(https://foo.bar/malicious.css);.foo{background-color: red; @im**** url(https://bar.foo/malicious2.css);</style></head><body><table><tr><td>A</td><td>B</td><td>C</td></tr></table></body></html>");
+ }
+
+
diff -Nru sogo-5.8.0/debian/patches/CVE-2024-34462.patch sogo-5.8.0/debian/patches/CVE-2024-34462.patch
--- sogo-5.8.0/debian/patches/CVE-2024-34462.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.8.0/debian/patches/CVE-2024-34462.patch 2026-01-04 17:27:30.000000000 +0100
@@ -0,0 +1,113 @@
+Description: CVE-2024-34462 - XSS during attachment preview
+Origin: https://github.com/Alinto/sogo/commit/2e37e59ed140d4aee0ff2fba579ca5f83f2c5920
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071163
+
+From 2e37e59ed140d4aee0ff2fba579ca5f83f2c5920 Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Wed, 3 Apr 2024 17:34:16 +0200
+Subject: [PATCH] fix(vulnerability): prevent cross-site scripting when
+ previewing attachments
+
+---
+ SoObjects/Mailer/SOGoMailBodyPart.m | 85 +++++++++++++++--------------
+ 1 file changed, 45 insertions(+), 40 deletions(-)
+
+diff --git a/SoObjects/Mailer/SOGoMailBodyPart.m b/SoObjects/Mailer/SOGoMailBodyPart.m
+index 7317869232..1f043d335c 100644
+--- a/SoObjects/Mailer/SOGoMailBodyPart.m
++++ b/SoObjects/Mailer/SOGoMailBodyPart.m
+@@ -500,49 +500,54 @@ - (id) GETAction: (WOContext *) localContext
+
+ error = [self matchesRequestConditionInContext: localContext];
+ if (error)
+- {
+- response = error; /* return 304 or 416 */
+- }
++ {
++ response = error; /* return 304 or 416 */
++ }
+ else
+- {
+-// [self debugWithFormat: @"should fetch body part: %@",
++ {
++// [self debugWithFormat: @"should fetch body part: %@",
+ // [self bodyPartIdentifier]];
+- data = [self fetchBLOB];
+- if (data)
+- {
+-// [self debugWithFormat:@" fetched %d bytes: %@", [data length],
+-// [self partInfo]];
+-
+- response = [localContext response];
+- mimeType = [self davContentType];
+- if ([mimeType isEqualToString: @"application/x-xpinstall"])
+- mimeType = @"application/octet-stream";
+- else if (!asAttachment)
+- mimeType = [self contentTypeForBodyPartInfo: [self partInfo]];
+-
+- [response setHeader: mimeType forKey: @"content-type"];
+- [response setHeader: [NSString stringWithFormat:@"%d", (int)[data length]]
+- forKey: @"content-length"];
+-
+- if (asAttachment)
+- {
+- fileName = [self filename];
+- if ([fileName length])
+- [response setHeader: [NSString stringWithFormat: @"attachment; filename*=\"utf-8''%@\"",
+- [fileName stringByEscapingURL]]
+- forKey: @"content-disposition"];
+- }
+-
+- etag = [self davEntityTag];
+- if (etag)
+- [response setHeader: etag forKey: @"etag"];
+-
+- [response setContent: data];
+- }
++ data = [self fetchBLOB];
++ if (data)
++ {
++// [self debugWithFormat:@" fetched %d bytes: %@", [data length],
++// [self partInfo]];
++
++ response = [localContext response];
++ mimeType = [self davContentType];
++
++ if ([mimeType isEqualToString: @"application/x-xpinstall"])
++ mimeType = @"application/octet-stream";
++ else if (!asAttachment)
++ mimeType = [self contentTypeForBodyPartInfo: [self partInfo]];
++
++ if([mimeType rangeOfString:@"xml"].location != NSNotFound || [mimeType rangeOfString:@"html"].location != NSNotFound
++ || [mimeType rangeOfString:@"css"].location != NSNotFound || [mimeType rangeOfString:@"javascript"].location != NSNotFound)
++ [response setHeader: @"text/plain" forKey: @"content-type"];
+ else
+- response = [NSException exceptionWithHTTPStatus: 404 /* not found */
+- reason: @"did not find body part"];
+- }
++ [response setHeader: mimeType forKey: @"content-type"];
++
++ [response setHeader: [NSString stringWithFormat:@"%d", (int)[data length]] forKey: @"content-length"];
++
++ if (asAttachment)
++ {
++ fileName = [self filename];
++ if ([fileName length])
++ [response setHeader: [NSString stringWithFormat: @"attachment; filename*=\"utf-8''%@\"",
++ [fileName stringByEscapingURL]]
++ forKey: @"content-disposition"];
++ }
++
++ etag = [self davEntityTag];
++ if (etag)
++ [response setHeader: etag forKey: @"etag"];
++
++ [response setContent: data];
++ }
++ else
++ response = [NSException exceptionWithHTTPStatus: 404 /* not found */
++ reason: @"did not find body part"];
++ }
+
+ return response;
+ }
diff -Nru sogo-5.8.0/debian/patches/CVE-2024-48104.patch sogo-5.8.0/debian/patches/CVE-2024-48104.patch
--- sogo-5.8.0/debian/patches/CVE-2024-48104.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.8.0/debian/patches/CVE-2024-48104.patch 2026-01-04 17:27:30.000000000 +0100
@@ -0,0 +1,50 @@
+Description: CVE-2023-48104 - HTML Injection
+Origin: https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060925
+
+
+From 7481ccf37087c3f456d7e5a844da01d0f8883098 Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Mon, 6 Nov 2023 14:04:53 +0100
+Subject: [PATCH] fix(hmtl): prevent html injection of tag form
+
+---
+ SoObjects/SOGo/NSString+Utilities.m | 12 ++++++++++++
+ Tests/Unit/TestNSString+Utilities.m | 1 +
+ 2 files changed, 13 insertions(+)
+
+diff --git a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m
+index 682be7e718..cf722d9238 100644
+--- a/SoObjects/SOGo/NSString+Utilities.m
++++ b/SoObjects/SOGo/NSString+Utilities.m
+@@ -979,6 +979,18 @@ - (NSString *) stringWithoutHTMLInjection: (BOOL)stripHTMLCode
+ newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"<ifr***"];
+ result = [NSString stringWithString: newResult];
+
++ // Remove <form
++ regex = [NSRegularExpression regularExpressionWithPattern:@"<[\\s\\u200B	

\\\\0]*f[\\s\\u200B	

\\\\0]*o[\\s\\u200B	

\\\\0]*r[\\s\\u200B	

\\\\0]*m"
++ options: NSRegularExpressionCaseInsensitive error:&error];
++ newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"<for*"];
++ result = [NSString stringWithString: newResult];
++
++ // Remove </form
++ regex = [NSRegularExpression regularExpressionWithPattern:@"<[\\s\\u200B	

\\\\0]*/[\\s\\u200B	

\\\\0]*f[\\s\\u200B	

\\\\0]*o[\\s\\u200B	

\\\\0]*r[\\s\\u200B	

\\\\0]*m"
++ options: NSRegularExpressionCaseInsensitive error:&error];
++ newResult = [regex stringByReplacingMatchesInString:result options:0 range:NSMakeRange(0, [result length]) withTemplate:@"</for*"];
++ result = [NSString stringWithString: newResult];
++
+ // Remove onload
+ regex = [NSRegularExpression regularExpressionWithPattern:@"onload="
+ options: NSRegularExpressionCaseInsensitive error:&error];
+diff --git a/Tests/Unit/TestNSString+Utilities.m b/Tests/Unit/TestNSString+Utilities.m
+index caf244c673..e0698caaf6 100644
+--- a/Tests/Unit/TestNSString+Utilities.m
++++ b/Tests/Unit/TestNSString+Utilities.m
+@@ -105,6 +105,7 @@ - (void) test_stringWithoutHTMLInjection
+ testEquals([[NSString stringWithString:@"<img vbscript:test"] stringWithoutHTMLInjection: NO], @"<img test");
+ testEquals([[NSString stringWithString:@"<img javascript:test"] stringWithoutHTMLInjection: NO], @"<img test");
+ testEquals([[NSString stringWithString:@"<img livescript:test"] stringWithoutHTMLInjection: NO], @"<img test");
++ testEquals([[NSString stringWithString:@"foobar <form action=\"\">bar</form>"] stringWithoutHTMLInjection: NO], @"foobar <for* action=\"\">bar</for*>");
+ testEquals([[NSString stringWithString:@"foobar <iframe src=\"\">bar</iframe>"] stringWithoutHTMLInjection: NO], @"foobar <ifr*** src=\"\">bar</iframe>");
+ testEquals([[NSString stringWithString:@"foobar <img onload=foo bar"] stringWithoutHTMLInjection: NO], @"foobar <img onl***=foo bar");
+ testEquals([[NSString stringWithString:@"foobar <img onmouseover=foo bar"] stringWithoutHTMLInjection: NO], @"foobar <img onmouseo***=foo bar");
diff -Nru sogo-5.8.0/debian/patches/CVE-2025-63498.patch sogo-5.8.0/debian/patches/CVE-2025-63498.patch
--- sogo-5.8.0/debian/patches/CVE-2025-63498.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.8.0/debian/patches/CVE-2025-63498.patch 2026-01-04 17:27:30.000000000 +0100
@@ -0,0 +1,54 @@
+Description: CVE-2025-63498 - Cross Site Scripting (XSS) via the "userName" parameter
+Origin: https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c
+Bug: https://github.com/xryptoh/CVE-2025-63498
+
+From 9e20190fad1a437f7e1307f0adcfe19a8d45184c Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Thu, 2 Oct 2025 13:37:56 +0200
+Subject: [PATCH] fix(login): Only remember the login if the auth was
+ successful
+
+---
+ UI/MainUI/SOGoRootPage.m | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/UI/MainUI/SOGoRootPage.m
++++ b/UI/MainUI/SOGoRootPage.m
+@@ -214,7 +214,7 @@
+
+ SOGoPasswordPolicyError err;
+ int expire, grace;
+- BOOL rememberLogin, b;
++ BOOL rememberLogin, b, loginSuccess;
+
+ err = PolicyNoError;
+ expire = grace = -1;
+@@ -232,13 +232,15 @@
+ * [WOHttpTransaction applyAdaptorHeadersWithHttpRequest] */
+ remoteHost = [request headerForKey:@"x-webobjects-remote-host"];
+
+- if ((b = [auth checkLogin: username password: password domain: &domain
+- perr: &err expire: &expire grace: &grace useCache: NO])
++ loginSuccess = [auth checkLogin: username password: password domain: &domain
++ perr: &err expire: &expire grace: &grace useCache: NO]
+ && (err == PolicyNoError)
+ // no password policy
+ && ((expire < 0 && grace < 0) // no password policy or everything is alright
+ || (expire < 0 && grace > 0) // password expired, grace still permits login
+- || (expire >= 0 && grace == -1))) // password about to expire OR ppolicy activated and passwd never changed
++ || (expire >= 0 && grace == -1)); // password about to expire OR ppolicy activated and passwd never changed
++
++ if (loginSuccess)
+ {
+ NSMutableDictionary *json = [NSMutableDictionary dictionary];
+
+@@ -373,7 +375,8 @@
+ response = [self _responseWithLDAPPolicyError: err];
+ }
+
+- if (rememberLogin)
++ //Only remember login If the auth was succesful...
++ if (rememberLogin && loginSuccess)
+ [response addCookie: [self _cookieWithUsername: [params objectForKey: @"userName"]]];
+ else
+ [response addCookie: [self _cookieWithUsername: nil]];
diff -Nru sogo-5.8.0/debian/patches/CVE-2025-63499.patch sogo-5.8.0/debian/patches/CVE-2025-63499.patch
--- sogo-5.8.0/debian/patches/CVE-2025-63499.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.8.0/debian/patches/CVE-2025-63499.patch 2026-01-04 17:27:30.000000000 +0100
@@ -0,0 +1,40 @@
+Description: CVE-2025-63499 - Reflected XSS Vulnerability
+Origin: https://github.com/Alinto/sogo/commit/16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb
+Bug: https://github.com/poblaguev-tot/CVE-2025-63499
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952
+
+From 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb Mon Sep 17 00:00:00 2001
+From: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date: Wed, 26 Nov 2025 13:22:38 +0100
+Subject: [PATCH] fix(vulnerability): prevent sogo to execute scripts pass in
+ theme query
+
+---
+ UI/SOGoUI/UIxComponent.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m
+index a8658e772b..012d6edea7 100644
+--- a/UI/SOGoUI/UIxComponent.m
++++ b/UI/SOGoUI/UIxComponent.m
+@@ -395,14 +395,18 @@ - (NSString *) ownPath
+
+ - (NSString *) relativePathToUserFolderSubPath: (NSString *) _sub
+ {
+- NSString *dst, *rel, *theme;
++ NSString *dst, *rel, *theme, *safeTheme;
+
+ dst = [[self userFolderPath] stringByAppendingPathComponent: _sub];
+ rel = [dst urlPathRelativeToPath:[self ownPath]];
+
+ theme = [[context request] formValueForKey: @"theme"];
+ if ([theme length])
+- rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++ {
++ safeTheme = [theme stringWithoutHTMLInjection: YES];
++ if([safeTheme isEqualToString: theme])
++ rel = [NSString stringWithFormat: @"%@?theme=%@", rel, theme];
++ }
+
+ return rel;
+ }
diff -Nru sogo-5.8.0/debian/patches/security_wstg-inpv-02_nsexception_fix.patch sogo-5.8.0/debian/patches/security_wstg-inpv-02_nsexception_fix.patch
--- sogo-5.8.0/debian/patches/security_wstg-inpv-02_nsexception_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.8.0/debian/patches/security_wstg-inpv-02_nsexception_fix.patch 2026-01-04 17:24:57.000000000 +0100
@@ -0,0 +1,27 @@
+Description: fix(security): Security fix for WSTG-INPV-02.
+ Fix Crash / NSException where mailIdentities is invalid on init.
+Bug: https://bugs.sogo.nu/view.php?id=5651
+
+commit fe9ae12e46a151ee5989ed1f0009bb81611a46bd
+Author: smizrahi <seb.mizrahi@gmail.com>
+Date: Mon Dec 5 11:45:45 2022 +0100
+
+ fix(security): Security fix for WSTG-INPV-02. Fix NSException where tried to modify NSDictionary. Closes #5651.
+
+diff --git a/SoObjects/SOGo/SOGoUserDefaults.m b/SoObjects/SOGo/SOGoUserDefaults.m
+index 357f8ebe6..5073e29b2 100644
+--- a/SoObjects/SOGo/SOGoUserDefaults.m
++++ b/SoObjects/SOGo/SOGoUserDefaults.m
+@@ -805,9 +805,9 @@ NSString *SOGoPasswordRecoverySecondaryEmail = @"SecondaryEmail";
+ // Remove possible XSS injection
+ mailIdentities = [NSMutableArray arrayWithArray: [self arrayForKey: @"SOGoMailIdentities"]];
+ for (i = 0 ; i < [mailIdentities length] ; i++) {
+- mailIdentity = [mailIdentities objectAtIndex: i];
+- if (mailIdentity && [mailIdentity objectForKey: @"fullName"] && [[self arrayForKey: @"SOGoMailIdentities"] isKindOfClass: [NSString class]]) {
+- fullName = [NSString stringWithString: [self arrayForKey: @"SOGoMailIdentities"]];
++ mailIdentity = [NSMutableDictionary dictionaryWithDictionary: [mailIdentities objectAtIndex: i]];
++ if (mailIdentity && [mailIdentity objectForKey: @"fullName"]) {
++ fullName = [NSString stringWithString: [mailIdentity objectForKey: @"fullName"]];
+ if (fullName) {
+ [mailIdentity setObject: [fullName stringWithoutHTMLInjection: YES] forKey: @"fullName"];
+ [mailIdentities setObject: mailIdentity atIndexedSubscript: i];
diff -Nru sogo-5.8.0/debian/patches/series sogo-5.8.0/debian/patches/series
--- sogo-5.8.0/debian/patches/series 2022-12-01 11:42:05.000000000 +0100
+++ sogo-5.8.0/debian/patches/series 2025-12-25 17:50:20.000000000 +0100
@@ -9,3 +9,9 @@
0008-Unset-MAKEFLAGS-and-MFLAGS-in-configure.patch
0009-Omit-signedViewer-altogether-when-not-using-openssl.patch
python3.patch
+security_wstg-inpv-02_nsexception_fix.patch
+CVE-2025-63499.patch
+CVE-2025-63498.patch
+CVE-2024-34462.patch
+CVE-2024-24510.patch
+CVE-2024-48104.patch
Reply to: