• Bug#1109735: unblock: sope/5.12.1-2

    From Jordi Mallach@21:1/5 to All on Tue Jul 22 23:10:01 2025
    XPost: linux.debian.devel.release

    This is a multi-part MIME message sent by reportbug.


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:sope
    User: [email protected]
    Usertags: unblock

    Please unblock package sope

    [ Reason ]

    This upload includes the proposed patch for CVE-2025-53603,
    plus cherry-picks two of the three commits that were included
    in the upstream 5.12.2 release, and that fix issues reported
    by 5.12.x users.

    [ Impact ]

    An easy-to-trigger DoS condition won't be patched, and
    some non-compliant SMTP implementations won't be able to
    speak to SOGo. Additionally, a one-liner auth optimization
    for OpenID users won't be present.

    [ Tests ]
    None, just manual testing.

    [ Risks ]

    The CVE fix has not been accepted by upstream yet, so I don't
    know whether they will accept it as is or pick another
    solution.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    unblock sope/5.12.1-2

    diff -Nru sope-5.12.1/debian/changelog sope-5.12.1/debian/changelog
    --- sope-5.12.1/debian/changelog 2025-05-04 23:13:11.000000000 +0200
    +++ sope-5.12.1/debian/changelog 2025-07-22 22:34:25.000000000 +0200
    @@ -1,3 +1,13 @@
    +sope (5.12.1-2) unstable; urgency=medium
    +
    + * [CVE-2025-53603] Add proposed patch to fix DoS-enabling segfault
    + (closes: #1108798).
    + * Cherry-pick two additional fixes from the 5.12.2 release.
    + - allow SMTP replies that don't adhere to the SMTP spec
    + - don't check for the auth bearer token
    +
    + -- Jordi Mallach <[email protected]> Tue, 22 Jul 2025 22:34:25 +0200
    +
    sope (5.12.1-1) unstable; urgency=medium

    * New upstream release.
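    Review bot: the two sub-items under "Cherry-pick two additional fixes from the 5.12.2 release" do not say which upstream commits they correspond to, and the second one, "don't check for the auth bearer token", reads as the removal of an authentication check rather than the one-line OpenID auth optimization that the [Impact] section describes. Consider naming the upstream commit ids (or the debian/patches file names) next to each item and rewording the second so it says what is no longer checked and why, so the entry is traceable and does not look like a security regression; for the first item it would also help to record that the CVE-2025-53603 patch is a proposed fix not yet accepted upstream, as the [Risks] section already states.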
    diff -Nru sope-5.12.1/debian/patches/git_CVE-2025-53603.patch sope-5.12.1/debian/patches/git_CVE-2025-53603.patch
    --- sope-5.12.1/debian/patches/git_CVE-2025-53603.patch 1970-01-01 01:00:00.000000000 +0100
    +++ sope-5.12.1/debian/patches/git_CVE-2025-53603.patch 2025-07-07 15:31:00.000000000 +0200
    @@ -0,0 +1,143 @@
    +From 280104e45c20519ac4849ebf8bca114d91383543 Mon Sep 17 00:00:00 2001
    +From: