[Git][security-tracker-team/security-tracker][master] Triage CVE-2026-46445, CVE-2026-46446, CVE-2025-71276, CVE-2026-33550,...

Chris Lamb (@lamby) lamby at debian.org
Mon Jun 29 18:42:55 BST 2026



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3cea4c6d by Chris Lamb at 2026-06-29T10:42:49-07:00
Triage CVE-2026-46445, CVE-2026-46446, CVE-2025-71276, CVE-2026-33550, CVE-2026-8496 & CVE-2026-8851 in sogo for bullseye LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -28570,6 +28570,7 @@ CVE-2026-43491 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2026-8851 (SOGo versions 5.12.7 and prior contains a SQL injection vulnerability  ...)
 	{DSA-6366-1}
 	- sogo 5.12.8-1
+	[bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
 	NOTE: https://github.com/Alinto/sogo/commit/f9b71059f4f382d7b337d16ce1257443ade43d02 (SOGo-5.12.8)
 	TODO: check correctness
 CVE-2026-8838 (Unsafe use of Python's eval() on server-received data in the vector_in ...)
@@ -30547,6 +30548,7 @@ CVE-2026-45793 [Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions
 CVE-2026-8496 (A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, vers ...)
 	{DSA-6366-1}
 	- sogo 5.12.8-1
+	[bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
 	NOTE: https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e8 (SOGo-5.12.8)
 CVE-2026-8466 (Allocation of Resources Without Limits or Throttling vulnerability in  ...)
 	- erlang-cowboy 2.16.1+dfsg-1 (bug #1137525)
@@ -30656,10 +30658,12 @@ CVE-2026-4524 (GitLab has remediated an issue in GitLab CE/EE affecting all vers
 CVE-2026-46446 (SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext  ...)
 	{DSA-6366-1}
 	- sogo 5.12.7-1
+	[bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
 	NOTE: https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 (SOGo-5.12.7)
 CVE-2026-46445 (SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.)
 	{DSA-6366-1}
 	- sogo 5.12.7-1
+	[bullseye] - sogo <ignored> (Invasive to patch; Debian maintainer recommends against backport)
 	NOTE: https://github.com/Alinto/sogo/commit/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 (SOGo-5.12.7)
 CVE-2026-46419 (Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2. ...)
 	NOT-FOR-US: Yubico webauthn-server-core
@@ -66320,12 +66324,12 @@ CVE-2026-3312
 CVE-2025-71276 (SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, ...)
 	{DSA-6366-1}
 	- sogo 5.12.6-1 (bug #1131605)
-	[bullseye] - sogo <postponed> (minor issue; XSS)
+	[bullseye] - sogo <ignored> (minor issue; XSS; Debian maintainer recommends against backport)
 	NOTE: Fixed by: https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1 (SOGo-5.12.5)
 CVE-2026-33550 (SOGo before 5.12.5 does not renew the OTP if a user disables/enables i ...)
 	{DSA-6366-1}
 	- sogo 5.12.6-1 (bug #1131606)
-	[bullseye] - sogo <postponed> (minor issue)
+	[bullseye] - sogo <ignored> (minor issue; invasive to patch; Debian maintainer recommends against backport)
 	NOTE: Fixed by: https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2 (SOGo-5.12.5)
 CVE-2026-4359 (A compromised third party cloud server or man-in-the-middle attacker c ...)
 	- mongo-c-driver 2.2.3-1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cea4c6d284b5e1a0782516a47dff73b51881a99

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cea4c6d284b5e1a0782516a47dff73b51881a99
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260629/76fd5e7d/attachment.htm>


More information about the debian-security-tracker-commits mailing list