[SECURITY] [DLA 2707-1] sogo security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 2707-1] sogo security update
From: Anton Gladky <gladk@debian.org>
Date: Mon, 12 Jul 2021 22:00:13 +0200 (CEST)
Message-id: <[🔎] 20210712200013.A4C634A0313@thinkpad.localdomain>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2707-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
July 12, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sogo
Version        : 3.2.6-2+deb9u1
CVE ID         : CVE-2021-33054

One security issue has been discovered in sogo.

SOGo does not validate the signatures of any SAML assertions it receives.
Any actor with network access to the deployment could impersonate users when
SAML is the authentication method.

For Debian 9 stretch, this problem has been fixed in version
3.2.6-2+deb9u1.

We recommend that you upgrade your sogo packages.

ATTENTION! If you are using SAML authentication, use sogo-tool to immediately
delete users sessions and force all users to visit the login page:

    sogo-tool -v expire-sessions 1
    systemctl restart memcached

For the detailed security status of sogo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sogo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmDsn0sACgkQ0+Fzg8+n
/wYXghAAiA3Qz87G28FyoGMfusI4DD/jNGLzOLnK9o5MFctgD4Lx3mZaphrCM6Za
SDAfUaFbM/DQjdDUzEbLTMDt9M3yicplx0xPw57yHBnNJ2VWiLC287KonnaKVgNK
Uyw3ZGLS1Ak2nx67z/8o9VZzb9vhBVF1pKFWF3KvbjMMRnUT+sKw4honcjIWz0Rm
/Om71twYXjbbx/aHMZjnJlrLiR2dTwbviohYTNAjDMDPbsaiB6JIWCqo0rZOz5A0
4u/ZeZKJzVJ8WU0K1ekCqI0wSFTP4bnpAVyd/vrdapbf6s+BktbqAJ5+BGTFK17+
14tP36EzAk14/82Wzs6TgalsIsfoEuANfOss/Eqsa1o4G5HhyDGx8f1iQSUL07rg
N/AmPzxJRNdjsOAHiztCZAY+99lhgOab7ckEnEaqKgc5fkiU5USAaN1/VBdtiiBX
Ssu7+scWApPo7UFays+MO8eNW3y90hwoQLcOZLQwIiIH0cWl4P3wod0Lzu7wJKj5
GhSP7HSqyI+ZrmKGGyfWH38GjhPfMWRUNDTo3CbkIjU1aEjP0vqSQv5CZsqxf0Y7
QTxq3PVxNvzVF112rMalG1MjQACcFFiZ0id8t5LmhYzTrbNmWHCOXq3Bsr0Du1s4
rUIQPZ2m/JePCAWFFJaT56ewStSU5BEO2buNPVcR3wLT3BrKnL8=
=QZ0z
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2706-1] apache2 security update
Next by Date: [SECURITY] [DLA 2708-1] php7.0 security update
Previous by thread: [SECURITY] [DLA 2706-1] apache2 security update
Next by thread: [SECURITY] [DLA 2708-1] php7.0 security update
Index(es):
- Date
- Thread