Date: Fri, 4 Jun 2021 10:01:22 GMT From: Thomas Zander <riggs@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 44ca7573855d - main - security/vuxml: Document CVE-2021-33054 for www/sogo*. Message-ID: <202106041001.154A1M0D064877@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by riggs: URL: https://cgit.FreeBSD.org/ports/commit/?id=44ca7573855d48957714ccbe1e0849617ac18915 commit 44ca7573855d48957714ccbe1e0849617ac18915 Author: Thomas Zander <riggs@FreeBSD.org> AuthorDate: 2021-06-04 09:59:47 +0000 Commit: Thomas Zander <riggs@FreeBSD.org> CommitDate: 2021-06-04 09:59:47 +0000 security/vuxml: Document CVE-2021-33054 for www/sogo*. PR: 256374 Reported by: rob2g2 <spam123@bitbert.com> --- security/vuxml/vuln.xml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index d4dc3cc5b5c8..38e8f777ddf3 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,47 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="69815a1d-c31d-11eb-9633-b42e99a1b9c3"> + <topic>SOGo -- SAML user authentication impersonation</topic> + <affects> + <package> + <name>sogo</name> + <range><lt>5.1.1</lt></range> + </package> + <package> + <name>sogo-activesync</name> + <range><lt>5.1.1</lt></range> + </package> + <package> + <name>sogo2</name> + <range><lt>2.4.1</lt></range> + </package> + <package> + <name>sogo2-activesync</name> + <range><lt>2.4.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>sogo.nu reports:</p> + <blockquote cite="https://www.sogo.nu/news/2021/saml-vulnerability.html"> + <p>SOGo was not validating the signatures of any SAML assertions it received.</p> + <p>This means any actor with network access to the deployment could impersonate</p> + <p>users when SAML was the authentication method.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-33054</cvename> + <url>https://www.sogo.nu/news/2021/saml-vulnerability.html</url> + <url>https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html</url> + </references> + <dates> + <discovery>2021-06-01</discovery> + <entry>2021-06-02</entry> + </dates> + </vuln> + <vuln vid="c7855866-c511-11eb-ae1d-b42e991fc52e"> <topic>tauthon -- Regular Expression Denial of Service</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106041001.154A1M0D064877>