CVE-2021-33054: SOGo does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method.
Other LTS-related work
Many hours were spent working on ffmpeg, where currently 18 CVEs are open. Some of them are fixed in git. The work is ongoing.
I attended the Debian LTS team IRC-meeting this month.
Other FLOSS activities
One week before the full freeze of Debian Bullseye the release-critical bug #990895 against the package httraqt was filed. Thanks to the reporter I could fix it within the hour after the ticket was created, uploaded as the version httraqt_1.4.9-5, filed an unblock-request, which was