Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: mipsel
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-04)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.