sogo - Debian Package Tracker

general

source: sogo (main)
version: 5.12.7-1
maintainer: Debian SOGo Maintainers (archive) (DMD)
uploaders: Jordi Mallach [DMD] – Jeroen Dekkers [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.0.1-4+deb11u1
o-o-sec: 5.0.1-4+deb11u3
oldstable: 5.8.0-2+deb12u2
stable: 5.12.1-3+deb13u1
testing: 5.12.7-1
unstable: 5.12.7-1

versioned links

5.0.1-4+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.0.1-4+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.8.0-2+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.12.1-3+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.12.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

sogo (9 bugs: 0, 7, 2, 0)
sogo-activesync
sogo-common

action needed

3 security issues in trixie high

There are 3 open security issues in trixie.

3 important issues:

CVE-2026-3054: A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-71276: SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.
CVE-2026-33550: SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

Created: 2026-02-24 Last update: 2026-04-06 04:31

7 security issues in bullseye high

There are 7 open security issues in bullseye.

3 important issues:

CVE-2026-3054: A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-71276: SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.
CVE-2026-33550: SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

4 ignored issues:

CVE-2022-4556: A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960.
CVE-2022-4558: A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is 1e0f5f00890f751e84d67be4f139dd7f00faa5f3. It is recommended to upgrade the affected component. The identifier VDB-215961 was assigned to this vulnerability.
CVE-2023-48104: Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.
CVE-2024-24510: Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component.

Created: 2026-02-24 Last update: 2026-04-06 04:31

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2026-3054: A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-71276: SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.
CVE-2026-33550: SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

Created: 2026-02-24 Last update: 2026-04-06 04:31

lintian reports 1 error and 199 warnings high

Lintian reports 1 error and 199 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-25 Last update: 2026-04-02 00:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-04-07 22:00

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-07-28 Last update: 2026-04-07 21:01

54 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 21ceb3ae3effd8c59b47348a2f33aeffe24f56d3
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Apr 1 14:26:25 2026 +0200

    Update changelog and release to unstable.

commit 2dd7d7183a84c08e0bb1f60952fb3653da8c5053
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Apr 1 14:25:20 2026 +0200

    Update Standards-Version to 4.7.4, with no changes.

commit bb698248899563d34dcb09db679bad45fef93288
Merge: e3d539fe c76899e7
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Apr 1 14:24:40 2026 +0200

    Update upstream source from tag 'upstream/5.12.7'
    
    Update to upstream version '5.12.7'
    with Debian dir c9c7cfda651bf2dc2e452c93d02e63563729f5fc

commit c76899e7af6a539c849ad05ac063a657899c70c3
Merge: 1569a4f6 6f0b4f9d
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Apr 1 14:23:49 2026 +0200

    New upstream version 5.12.7

commit e3d539fecab0203dd191273135205758cd0580c1
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Apr 1 14:22:05 2026 +0200

    Remove Pgp-Sig-Url-Mangle from watch file; there are no sig files.

commit 6f0b4f9d05b5c0fa1ee455e96546c069290d77e4
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 30 10:19:00 2026 +0200

    chore(release): 5.12.7

commit 40228c619b6df02be4ed5e3f2e0b8d78d8cf15b2
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 30 10:06:08 2026 +0200

    i18n(all): update several translations

commit 6afad54832aca6a663039f467fd5e4588636fc8c
Author: Jordi Mallach <jordi@mallach.net>
Date:   Thu Mar 26 16:10:26 2026 +0100

    Fix typo in CVE number.

commit d7f02b6083197ecabc57c6e3c6f16a3bc23c68d0
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Mar 26 09:07:05 2026 +0100

    fix(typo): pass the correct arg to checkLogin

commit 453ddceae993a04a7d6e90b10140853ee02e1609
Merge: 55d615e4 1f7e5d2b
Author: tkeriven <38073966+tkeriven@users.noreply.github.com>
Date:   Wed Mar 25 17:20:52 2026 +0100

    Merge pull request #379 from Alinto/fix_6065
    
    fix(sql): use proper sql adaptor for usr source

commit 89acfc07fbdbe6f056d79ada48a57e3e14eea893
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Mar 25 12:47:26 2026 +0100

    Update changelog and release to unstable.

commit 080b99312b5a6faee3a24b1b4a81c10daa09bc25
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Mar 25 12:45:25 2026 +0100

    Drop CVE-2025-63499.patch, included in release.

commit 592f5df70de4d04853f84366e9d07f871adda59d
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Mar 25 12:02:21 2026 +0100

    Update Standards-Version to 4.7.3, with no changes needed.

commit e59535b96be1393b71a1f4c26b6424b181afe495
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Mar 25 12:01:58 2026 +0100

    Update copyright years.

commit d63f3eb72fb31a2504a0328befa9fe1bc4a74b9f
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Mar 25 12:01:19 2026 +0100

    Update watch file to version 5.

commit 55d615e4dd563bc31d82400b1bf110eed61248f6
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Wed Mar 25 09:21:42 2026 +0100

    i18n(fr): Typo in French

commit ae66f16c26f6fd8b821735f29ebb1851647905c3
Merge: 1b0d61a8 1569a4f6
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Mar 25 09:16:14 2026 +0100

    Update upstream source from tag 'upstream/5.12.6'
    
    Update to upstream version '5.12.6'
    with Debian dir 2afb50528944b7ec62350fe209f10127a4942a16

commit 1569a4f694a4bfb3853e9fafa2f2a35322342b6f
Merge: a9808918 f322fa27
Author: Jordi Mallach <jordi@mallach.net>
Date:   Wed Mar 25 09:15:19 2026 +0100

    New upstream version 5.12.6

commit 1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Mar 24 15:26:37 2026 +0100

    fix(sql): use proper sql adaptor for usr source

commit f322fa27214c2e987c904908deb39e5497509451
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Mar 19 13:49:13 2026 +0100

    chore(release): 5.12.6

commit 623f083cd94842766c6d9430cf3bdad8fc4d5dbc
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Mar 19 13:30:28 2026 +0100

    fix(totp): new user can properly use totp

commit 7f7e1ad496c626ac1fbb1020f20f08f9efccc06b
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Mar 3 12:49:33 2026 +0100

    chore(release): 5.12.5

commit 4f92da49716b93a5be8a0cd180a7d053f163cc13
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Mar 3 01:01:16 2026 -0500

    chore(js/css): update generated files

commit 1fdb4d30261f5d69d83eef7d8615ef62ddd94a7e
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 15:01:52 2026 +0100

    i18n(pt): Add Greek (partial)

commit fbd056cc293a7c53f0ff0de4dd8a50a0d998291f
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 11:49:55 2026 +0100

    i18n(pt): Update Portuguese translations

commit 39b820a5490eadbbadc6872f0814c23b7a6d4a13
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 11:49:55 2026 +0100

    i18n(pt_BR): Update BrazilianPortuguese translations

commit 1be58da745b875aeb12096ac8fb8c51c6df99068
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 11:49:55 2026 +0100

    i18n(ru): Update Russian translations

commit 6ce884b3e71cc08c1e3eedb722be00ade6d1263f
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 11:49:55 2026 +0100

    i18n(es_ES): Update SpanishSpain translations

commit 4a587fe00044bfce55186a7f75af64b5256399d7
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 11:49:54 2026 +0100

    i18n(ca): Update Catalan translations

commit d993227b36b6fbddebf113a5b544aa3bebf01bcc
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 11:49:54 2026 +0100

    i18n(th): Update Thai translations

commit 54e65233d9b28138c97bdf097a7a675f9fda34be
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Mar 2 09:15:14 2026 +0000

    chore(js/css): update generated files

commit 2c2dbe4c61d40ad87517db2a21bc0743922d8d20
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Feb 26 01:00:41 2026 -0500

    chore(js/css): update generated files

commit d7e51655fb0a543cff68a9fbc10ceb67540e4bec
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Wed Feb 25 17:33:05 2026 +0100

    fix(minsearch): fix instance of minsearch

commit 83d4c522f87cfde0ba543837d9b24c3479083ec2
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Wed Feb 25 15:23:57 2026 +0100

    fix(vulnerability): properly change the totp code after disabling it

commit e821b20f87d1a9757f1d0aff7d1e31703f97054b
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Feb 24 17:06:04 2026 +0100

    fix(vulnerability): prevent javascript njection with hint query

commit dba92852f1c7eec2bedfbdb245b9e3624061309f
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Fri Feb 6 01:00:40 2026 -0500

    chore(js/css): update generated files

commit af984f58c043cb7ddc8597f119c8a5b9737612b2
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Feb 5 10:51:41 2026 +0100

    fix(Mail): correctly update quota when refreshing

commit 71d865b86a7c11dc6aa8612999ae515f14a3bdf2
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Feb 5 08:47:52 2026 +0100

    fix(identity): fix signatrue when changing identity

commit 3abbc31ed492bb2eb19727d1a2fae1f659cc46cc
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Fri Jan 30 01:00:38 2026 -0500

    chore(js/css): update generated files

commit 389e8e64c4933edbcc1f756f422594e70d70c903
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Jan 29 15:58:00 2026 +0100

    fix(ui): prevent UI to search for users with empty string

commit b46bf8b8ddab4a4e2a4fb1b3cb1ec7c351dc4332
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Jan 22 01:00:37 2026 -0500

    chore(js/css): update generated files

commit 7a09408ef80aaa28fb8b9a1cb2f2e2a61d809051
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Wed Dec 31 01:00:38 2025 -0500

    chore(js/css): update generated files

commit 95efe73e69abaae7fb8c1bdd0fe7ac660d59d7a4
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Dec 22 17:28:49 2025 +0100

    fix(encryptedUrl): fix cache key data and expect uncrypted name for freebusy

commit eb77a8e048ec93b2515a49d98d9a25c38a2f920f
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Wed Dec 17 01:00:34 2025 -0500

    chore(js/css): update generated files

commit 7876013a4c1b0c7a1ac7153f2c61ff5f3de39632
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Dec 16 10:50:34 2025 +0100

    fix(event): also add jitsi url in the location as outlook doesn't support attach url

commit e9b3f2a43d7557e8416f6749df4ab4f9128af2d1
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Dec 16 10:25:49 2025 +0100

    fix(vulnerability): prevent xss with events, tasks and contacts categories

commit 47239ba0fdaf71d1e4c2929c68a18c1b48181a7d
Author: vrubim <vrubiella@cdmon.com>
Date:   Fri Nov 7 10:48:53 2025 +0100

    add remaining traslations for catalan and spanish

commit 6f916008e9e30bceaf5942e0c8645006d07d3aec
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Dec 9 11:05:52 2025 +0100

    fix(login): prevent user search for login keyword

commit 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Wed Nov 26 13:22:38 2025 +0100

    fix(vulnerability): prevent sogo to execute scripts pass in theme query

commit bd0547fb7308fec5b60a2b94b399a0bf0ce84d94
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Tue Nov 25 01:00:34 2025 -0500

    chore(js/css): update generated files

commit 03fa91dc22b268ce230f78e7386234ca84814f27
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Mon Nov 24 15:44:21 2025 +0100

    fix(mail): use the correct replyTo when set to a non*default identity

commit e2b8494a9cde046a8aad71808353366c328e0230
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Oct 16 17:03:30 2025 +0200

    fix(trad): typo in a transation key

commit d69f55c265e0e5873032d5e14e49636ed6c36631
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Thu Oct 16 11:32:39 2025 +0200

    fix(tool): ranem-user properly change data in c_defaults and c_settings

commit f8638a3f4edd3487901c119b079dea2a3746cd7c
Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
Date:   Wed Oct 15 17:07:37 2025 +0200

    fix(db): increase some column size

Created: 2026-03-25 Last update: 2026-04-01 15:02

debian/patches: 11 patches to forward upstream low

Among the 13 debian patches available in version 5.12.7-1 of the package, we noticed the following issues:

11 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-01 20:32

testing migrations

This package will soon be part of the auto-libsodium transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-04-06] sogo 5.12.7-1 MIGRATED to testing (Debian testing watch)
[2026-04-01] Accepted sogo 5.12.7-1 (source) into unstable (Jordi Mallach)
[2026-03-31] sogo 5.12.6-1 MIGRATED to testing (Debian testing watch)
[2026-03-25] Accepted sogo 5.12.6-1 (source) into unstable (Jordi Mallach)
[2026-01-06] Accepted sogo 5.0.1-4+deb11u3 (source) into oldoldstable-security (Tobias Frost)
[2026-01-04] Accepted sogo 5.8.0-2+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2026-01-04] Accepted sogo 5.8.0-2+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2026-01-01] Accepted sogo 5.12.1-3+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Tobias Frost)
[2025-12-28] sogo 5.12.4-1.2 MIGRATED to testing (Debian testing watch)
[2025-12-26] Accepted sogo 5.12.4-1.2 (source) into unstable (Tobias Frost)
[2025-12-23] sogo 5.12.4-1.1 MIGRATED to testing (Debian testing watch)
[2025-12-17] Accepted sogo 5.12.4-1.1 (source) into unstable (Adrian Bunk)
[2025-11-28] Accepted sogo 5.0.1-4+deb11u2 (source) into oldoldstable-security (Paride Legovini)
[2025-10-25] sogo 5.12.4-1 MIGRATED to testing (Debian testing watch)
[2025-10-19] Accepted sogo 5.12.4-1 (source) into unstable (Jordi Mallach)
[2025-09-29] sogo 5.12.3-2 MIGRATED to testing (Debian testing watch)
[2025-09-23] Accepted sogo 5.12.3-2 (source) into unstable (Jordi Mallach)
[2025-08-18] Accepted sogo 5.12.3-1 (source) into experimental (Jordi Mallach)
[2025-07-27] sogo 5.12.1-3 MIGRATED to testing (Debian testing watch)
[2025-07-25] Accepted sogo 5.12.1-3 (source) into unstable (Jordi Mallach)
[2025-06-14] sogo 5.12.1-2 MIGRATED to testing (Debian testing watch)
[2025-06-09] Accepted sogo 5.12.1-2 (source) into unstable (Jordi Mallach)
[2025-05-15] sogo 5.12.1-1 MIGRATED to testing (Debian testing watch)
[2025-05-04] Accepted sogo 5.12.1-1 (source) into unstable (Jordi Mallach)
[2025-03-30] sogo 5.12.0-1 MIGRATED to testing (Debian testing watch)
[2025-03-24] Accepted sogo 5.12.0-1 (source) into unstable (Jordi Mallach)
[2025-02-22] sogo 5.11.2-4 MIGRATED to testing (Debian testing watch)
[2025-02-19] Accepted sogo 5.11.2-4 (source) into unstable (Jordi Mallach)
[2025-02-18] sogo 5.11.2-3 MIGRATED to testing (Debian testing watch)
[2025-02-11] Accepted sogo 5.11.2-3 (source) into unstable (Jordi Mallach)

bugs [bug history graph]

all: 11
RC: 0
I&N: 8
M&W: 2
F&P: 1
patch: 1

links

homepage
lintian (1, 199)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.12.4-1.2