-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: armhf
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: armhf Build Daemon (arm-ubc-06)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.