Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: ppc64el
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-02)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.