CVE-2021-33054 (https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md): SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

Maintainers, I guess we just need to clean up 4.x?
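The affected ranges quoted above are the only technical content a reader can act on from this ticket, so here is a small check that turns them into code. This is an added example, not SOGo's or Gentoo's own tooling; it assumes version strings of the shape used in the CVE text ("2.0.5a", "5.1.1") or a Gentoo package name such as "sogo-4.3.2", and it knows nothing about Gentoo revision suffixes (-r1).

```python
"""Version-range check for CVE-2021-33054 (added example, not project code).

Encodes the ranges stated in the CVE text:
  * 2.x   : affected if  2.0.5a < version < 2.4.1
  * 3.x-5.x: affected if  version < 5.1.1
Anything else (1.x, >= 5.1.1) is treated as not affected.
"""
import re
from typing import Tuple

# Assumed input format: dotted numeric version with an optional single
# trailing letter, optionally prefixed by a package name ("sogo-4.3.2").
_VERSION_RE = re.compile(r'(\d+(?:\.\d+)*)([a-z]?)$')


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Return (numeric components, letter suffix) for a version string."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split('.'))
    return nums, m.group(2)


def _key(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Comparable key: first three numeric components padded with zeros,
    then the letter suffix. A suffix sorts after the bare number, so
    2.0.5 < 2.0.5a < 2.0.6, matching how the CVE text uses "2.0.5a"."""
    nums, suffix = parse_version(text)
    padded = (nums + (0, 0, 0))[:3]
    return padded, suffix


def sogo_affected(version: str) -> bool:
    """True if the given SOGo version falls inside the CVE-2021-33054 ranges."""
    key = _key(version)
    major = key[0][0]
    if major == 2:
        return _key("2.0.5a") < key < _key("2.4.1")
    if major in (3, 4, 5):
        return key < _key("5.1.1")
    return False


if __name__ == "__main__":
    # Constructed sample inputs, including the version dropped in this bug.
    for v in ("sogo-4.3.2", "2.0.5a", "2.0.6", "2.4.1", "5.1.0", "5.1.1"):
        print(f"{v:>12}: {'AFFECTED' if sogo_affected(v) else 'not affected'}")
```

The comparison key deliberately truncates to three numeric components and pads short versions ("2.4" becomes 2.4.0), which is enough for the ranges in the advisory; a real package audit on Gentoo should query Portage (equery, or the GLSA tooling) rather than string-matching, since that also sees slots and revisions.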
Looks so, let me remove sope/sogo 4.3.2 and we will be good there
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15c1feabb78a45a595b94bda58555d5c63ceb39a

commit 15c1feabb78a45a595b94bda58555d5c63ceb39a
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-21 22:15:34 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-21 22:15:46 +0000

    gnustep-libs/sope: drop version for removed sogo 4.x

    Bug: https://bugs.gentoo.org/797223
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 gnustep-libs/sope/Manifest          |  1 -
 gnustep-libs/sope/sope-4.3.2.ebuild | 54 -------------------------------------
 2 files changed, 55 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e56b89a609e0343c716986912b5f8508ed8ece0

commit 1e56b89a609e0343c716986912b5f8508ed8ece0
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-21 22:14:47 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-21 22:15:46 +0000

    gnustep-apps/sogo: drop security vulnerable version

    Bug: https://bugs.gentoo.org/797223
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 gnustep-apps/sogo/Manifest          |   1 -
 gnustep-apps/sogo/sogo-4.3.2.ebuild | 102 ------------------------------------
 2 files changed, 103 deletions(-)
Thanks! noglsa, all done