New Hotfix Appliance Release 15.0.4.2

A new SEPPmail Appliance hotfix release has been published.

The primary fix in this release prevents system freezes. In addition, we added static subject settings for the SCEP MPKI connector and fixed a bug in the interim certificate generation logic.

Security

The following CVEs cover the Infoguard findings resolved in version 15.0.4:

• Exposure of Sensitive Information to an Unauthorized Actor (CVE-2026-7864)
• Local File Inclusion (LFI) and Arbitrary File Deletion (CVE-2026-44127)
• Unauthenticated Remote Code Execution (CVE-2026-44128)
• Server-Side Template Injection (CVE-2026-44129)
• Missing Authorization in GINAv2 (CVE-2026-44125)
• Insecure Deserialization (CVE-2026-44126)

We also removed the login redirect in the GINA GUI to prevent disclosure of session token information. A CVE for this issue is still pending.

Updates

OpenBSD 7.7 has been updated to errata 42, and OpenLDAP has been updated to version 2.6.13.

The updates to OpenSSL 3.0.20 and Apache 2.4.67 also resolve several security findings:

• OpenSSL 3.0.20
  • CVE-2026-31790
  • CVE-2026-28387
  • CVE-2026-28388
  • CVE-2026-28389
  • CVE-2026-28390
  • CVE-2026-31789
• Apache 2.4.67
  • CVE-2026-23918
  • CVE-2026-24072
  • CVE-2026-28780
  • CVE-2026-29168
  • CVE-2026-29169
  • CVE-2026-33006
  • CVE-2026-33007
  • CVE-2026-33523
  • CVE-2026-33857
  • CVE-2026-34032
  • CVE-2026-34059

Please see the revision history and the extended release notes for further details.