From: Marcus MERIGHI Subject: www/sogo 5.12.8 update attempt To: ports@openbsd.org Date: Wed, 13 May 2026 18:06:12 +0200 Hello, our SOGo is at 5.12.7. 5.12.8: Four major vulnerabilities have been reported and fixed (You can find the entire release e-mail below.) I've had a go on SOPE-5.12.8.tar.gz, a prerequisite. It failed with: +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ if [ -r "STXSaxDriver-Info.plist" ]; then \ plmerge STXSaxDriver.sax/Resources/Info-gnustep.plist STXSaxDriver-Info.plist; \ fi Segmentation fault (core dumped) gmake[4]: *** [/usr/local/share/GNUstep/Makefiles/Instance/bundle.make:301: STXSaxDriver.sax/Resources/Info-gnustep.plist] Error 139 [...] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ egdb(1) tells me: +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Reading symbols from /usr/local/bin/plmerge... (No debugging symbols found in /usr/local/bin/plmerge) [New process 488098] Core was generated by `plmerge'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00000b20741b3297 in tsl::detail_robin_hash::bucket_entry, false>::dist_from_ideal_bucket() \ const () from /usr/local/lib/libobjc2.so.4.0 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ I'm at my wits end. My diffs to the Makefiles and the distfiles below and attached. Followed by the release e-mail. Marcus +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Index: Makefile =================================================================== RCS file: /cvs/ports/www/sope/Makefile,v retrieving revision 1.106 diff -u -p -r1.106 Makefile --- Makefile 6 May 2026 13:26:09 -0000 1.106 +++ Makefile 13 May 2026 15:59:12 -0000 @@ -2,7 +2,7 @@ COMMENT-main= Skyrix Object Publishing COMMENT-mysql= SOPE MySQL adaptor COMMENT-postgres= SOPE PostgreSQL adaptor -VERSION = 5.12.7 +VERSION = 5.12.8 DISTNAME = SOPE-${VERSION} PKGNAME-main = sope-${VERSION} PKGNAME-mysql = sope-mysql-${VERSION} Index: distinfo =================================================================== RCS file: /cvs/ports/www/sope/distinfo,v retrieving revision 1.65 diff -u -p -r1.65 distinfo --- distinfo 6 May 2026 13:26:09 -0000 1.65 +++ distinfo 13 May 2026 15:59:12 -0000 @@ -1,2 +1,2 @@ -SHA256 (SOPE-5.12.7.tar.gz) = CyfQ15P7yEQmDwqwcCVejdBf5aRdLfFBx6CIgh+Pg/M= -SIZE (SOPE-5.12.7.tar.gz) = 2307155 +SHA256 (SOPE-5.12.8.tar.gz) = 0b27d0d793fbc844260f0ab070255e8dd05fe5a45d2df141c7a088821f8f83f3 +SIZE (SOPE-5.12.8.tar.gz) = 2307155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Index: Makefile =================================================================== RCS file: /cvs/ports/www/sogo/Makefile,v retrieving revision 1.118 diff -u -p -u -r1.118 Makefile --- Makefile 6 May 2026 13:26:09 -0000 1.118 +++ Makefile 13 May 2026 16:01:16 -0000 @@ -1,6 +1,6 @@ COMMENT = web based groupware server -VERSION = 5.12.7 +VERSION = 5.12.8 DISTNAME = SOGo-${VERSION} PKGNAME = sogo-${VERSION} Index: distinfo =================================================================== RCS file: /cvs/ports/www/sogo/distinfo,v retrieving revision 1.63 diff -u -p -u -r1.63 distinfo --- distinfo 6 May 2026 13:26:09 -0000 1.63 +++ distinfo 13 May 2026 16:01:16 -0000 @@ -1,2 +1,2 @@ -SHA256 (SOGo-5.12.7.tar.gz) = xcHvqOE7Ugkc9SfiptoUr/tT7EmgdxjUN7Xg1bxP2ws= -SIZE (SOGo-5.12.7.tar.gz) = 37847103 +SHA256 (SOGo-5.12.8.tar.gz) = 05f81b604651f72de94c8bb012cc5e6aea17f8d3281161423fee6f091dd2a0e9 +SIZE (SOGo-5.12.8.tar.gz) = 37848204 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ----- Weitergeleitete Nachricht von "\"SOGo Reporter\"" ----- Date: Tue, 12 May 2026 15:51:28 +0200 From: SOGo Reporter To: announce@sogo.nu Subject: [SOGo] [announce] Latest updates on SOGo SOGo 5.12.8 Release ANNOUNCEMENT SOGo 5.12.8 Release Dear SOGo community, The Alinto team is pleased to announce the immediate availability of SOGo v5.12.8. This is a major release as it fixes security vulnerabilities. IMPORTANT Four major vulnerabilities have been reported and fixed in this version 5.12.8 or since the nightly of the 8th of May 2026: `sogo_5.12.7.20260508`. Those vulnerabilities affect any previous SOGO version. Please update as soon as possible [1]CVE ID will be on our website once they're created. Affect anyone * 2 possible XSS injections with malicious mail: fixed * 1 possible SQL injection with specific request: fixed Affect SOGo when using OpenID with a non-matching usersource * Impersonification with untrusted user source: fixed Regression Some regression, mainly on the mail view, can happen. If you find any, please report them [2]bugs.sogo.nu Thanks * [3]dninh of SACOMBANK for the SQL injection. * [4]Luke H for one XSS injection. * [5]Greg Lesnewich from [6]Proofpoint Threat Research for one XSS injection. * Last one was found by us, Alinto [7]Find the full post on our website SOGo Team What is SOGo SOGo is a free and modern scalable groupware server. It offers shared calendars, address books and emails through your favorite Web browser or by using a native client such as Mozilla Thunderbird and Lightning, Apple Calendar and Address Book (Mac OS X and iOS) and Microsoft Outlook. SOGo is standard-compliant and supports CalDAV, CardDAV and reuses existing IMAP, SMTP and database servers - making the solution easy to deploy and interoperable with many applications. SOGo features: * Scalable architecture suitable for deployments from dozen to many thousand users * Rich, responsible Web-based interface aligned with Google Material Design guidelines * Improved integration with Mozilla Thunderbird and Lightning by using the SOGo Connector and the SOGo Integrator * Two-way synchronization support with any Microsoft ActiveSync-capable device (Apple iOS, Android, Windows Phone, BlackBerry 10) or Outlook 2013/2016/365 * Excellent native integration with Apple software (OS X and iOS) and Android-based devices and many more! SOGo and our connectors are completely free. [8]Try Online Available accounts: sogo1, sogo2 and sogo3. Their password is sogo. Helping SOGo is a collaborative effort in order to create the best Free and Open Source groupware solution. There are multiple ways you can contribute to the project: * Documentation reviews, enhancements and translations * Write test cases - if you know Python, join in! * Feature requests or by sharing your ideas * Participate to the discussion in mailing lists * Patches for [9]bugs or enhancements * Provide new [10]translations Feel free to send us your questions. You can also post them to the SOGo [11]mailing list. Getting Support For any questions, do not hesitate to contact us by writing to [12]support@sogo.nu Customer support packages for SOGo are also [13]available. [14][?size=100&id=JP7JIPAexYpx&format=png&color=000000] [15][linkedin.png] [16][github.png] References 1. https://www.sogo.nu/news/2026/sogo-v5128-released.html 2. https://bugs.sogo.nu/ 3. https://vn.linkedin.com/in/ninhld 4. https://github.com/lukehebe 5. https://www.linkedin.com/in/greglesnewich 6. https://www.proofpoint.com/us/blog/threat-insight 7. https://www.sogo.nu/news/2026/sogo-v5128-released.html 8. https://demo.sogo.nu/SOGo 9. https://bugs.sogo.nu/ 10. https://github.com/Alinto/sogo#translations 11. https://mailing.sogo.nu/sympa/info/users 12. mailto:support@sogo.nu 13. https://www.sogo.nu/support.html#/commercial 14. https://floss.social/@SOGo 15. https://www.linkedin.com/shareArticle?mini=true&url=https://www.linkedin.com/groups/4164805/&title=&summary=&source= 16. https://github.com/Alinto/sogo/ ----- Ende weitergeleitete Nachricht ----- Index: Makefile =================================================================== RCS file: /cvs/ports/www/sope/Makefile,v retrieving revision 1.106 diff -u -p -u -r1.106 Makefile --- Makefile 6 May 2026 13:26:09 -0000 1.106 +++ Makefile 13 May 2026 16:02:48 -0000 @@ -2,7 +2,7 @@ COMMENT-main= Skyrix Object Publishing COMMENT-mysql= SOPE MySQL adaptor COMMENT-postgres= SOPE PostgreSQL adaptor -VERSION = 5.12.7 +VERSION = 5.12.8 DISTNAME = SOPE-${VERSION} PKGNAME-main = sope-${VERSION} PKGNAME-mysql = sope-mysql-${VERSION} Index: distinfo =================================================================== RCS file: /cvs/ports/www/sope/distinfo,v retrieving revision 1.65 diff -u -p -u -r1.65 distinfo --- distinfo 6 May 2026 13:26:09 -0000 1.65 +++ distinfo 13 May 2026 16:02:48 -0000 @@ -1,2 +1,2 @@ -SHA256 (SOPE-5.12.7.tar.gz) = CyfQ15P7yEQmDwqwcCVejdBf5aRdLfFBx6CIgh+Pg/M= -SIZE (SOPE-5.12.7.tar.gz) = 2307155 +SHA256 (SOPE-5.12.8.tar.gz) = 0b27d0d793fbc844260f0ab070255e8dd05fe5a45d2df141c7a088821f8f83f3 +SIZE (SOPE-5.12.8.tar.gz) = 2307155 Index: Makefile =================================================================== RCS file: /cvs/ports/www/sogo/Makefile,v retrieving revision 1.118 diff -u -p -u -r1.118 Makefile --- Makefile 6 May 2026 13:26:09 -0000 1.118 +++ Makefile 13 May 2026 16:02:22 -0000 @@ -1,6 +1,6 @@ COMMENT = web based groupware server -VERSION = 5.12.7 +VERSION = 5.12.8 DISTNAME = SOGo-${VERSION} PKGNAME = sogo-${VERSION} Index: distinfo =================================================================== RCS file: /cvs/ports/www/sogo/distinfo,v retrieving revision 1.63 diff -u -p -u -r1.63 distinfo --- distinfo 6 May 2026 13:26:09 -0000 1.63 +++ distinfo 13 May 2026 16:02:22 -0000 @@ -1,2 +1,2 @@ -SHA256 (SOGo-5.12.7.tar.gz) = xcHvqOE7Ugkc9SfiptoUr/tT7EmgdxjUN7Xg1bxP2ws= -SIZE (SOGo-5.12.7.tar.gz) = 37847103 +SHA256 (SOGo-5.12.8.tar.gz) = 05f81b604651f72de94c8bb012cc5e6aea17f8d3281161423fee6f091dd2a0e9 +SIZE (SOGo-5.12.8.tar.gz) = 37848204