[Git][security-tracker-team/security-tracker][master] Triage CVE-2026-46445, CVE-2026-46446, CVE-2025-71276, CVE-2026-33550,...
Chris Lamb (@lamby)
lamby at debian.org
Mon Jun 29 18:42:55 BST 2026
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3cea4c6d by Chris Lamb at 2026-06-29T10:42:49-07:00
Triage CVE-2026-46445, CVE-2026-46446, CVE-2025-71276, CVE-2026-33550, CVE-2026-8496 & CVE-2026-8851 in sogo for bullseye LTS.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -28570,6 +28570,7 @@ CVE-2026-43491 (In the Linux kernel, the following vulnerability has been resolv
CVE-2026-8851 (SOGo versions 5.12.7 and prior contains a SQL injection vulnerability ...)
{DSA-6366-1}
- sogo 5.12.8-1
+ [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
NOTE: https://github.com/Alinto/sogo/commit/f9b71059f4f382d7b337d16ce1257443ade43d02 (SOGo-5.12.8)
TODO: check correctness
CVE-2026-8838 (Unsafe use of Python's eval() on server-received data in the vector_in ...)
@@ -30547,6 +30548,7 @@ CVE-2026-45793 [Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions
CVE-2026-8496 (A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, vers ...)
{DSA-6366-1}
- sogo 5.12.8-1
+ [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
NOTE: https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e8 (SOGo-5.12.8)
CVE-2026-8466 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- erlang-cowboy 2.16.1+dfsg-1 (bug #1137525)
@@ -30656,10 +30658,12 @@ CVE-2026-4524 (GitLab has remediated an issue in GitLab CE/EE affecting all vers
CVE-2026-46446 (SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext ...)
{DSA-6366-1}
- sogo 5.12.7-1
+ [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
NOTE: https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 (SOGo-5.12.7)
CVE-2026-46445 (SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.)
{DSA-6366-1}
- sogo 5.12.7-1
+ [bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
NOTE: https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 (SOGo-5.12.7)
CVE-2026-46419 (Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2. ...)
NOT-FOR-US: Yubico webauthn-server-core
@@ -66320,12 +66324,12 @@ CVE-2026-3312
CVE-2025-71276 (SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, ...)
{DSA-6366-1}
- sogo 5.12.6-1 (bug #1131605)
- [bullseye] - sogo <postponed> (minor issue; XSS)
+ [bullseye] - sogo <ignored> (minor issue; XSS; Debian maintainer recommends against backport)
NOTE: Fixed by: https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1 (SOGo-5.12.5)
CVE-2026-33550 (SOGo before 5.12.5 does not renew the OTP if a user disables/enables i ...)
{DSA-6366-1}
- sogo 5.12.6-1 (bug #1131606)
- [bullseye] - sogo <postponed> (minor issue)
+ [bullseye] - sogo <ignored> (minor issue; invasive to patch; Debian maintainer recommends against backport)
NOTE: Fixed by: https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2 (SOGo-5.12.5)
CVE-2026-4359 (A compromised third party cloud server or man-in-the-middle attacker c ...)
- mongo-c-driver 2.2.3-1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cea4c6d284b5e1a0782516a47dff73b51881a99
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cea4c6d284b5e1a0782516a47dff73b51881a99
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260629/76fd5e7d/attachment.htm>
More information about the debian-security-tracker-commits
mailing list