-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: i386
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Files:
 94152 debug optional sogo-activesync-dbgsym_5.8.0-2+deb12u3_i386.deb
 184408 mail optional sogo-activesync_5.8.0-2+deb12u3_i386.deb
 1090044 debug optional sogo-dbgsym_5.8.0-2+deb12u3_i386.deb
 11129 mail optional sogo_5.8.0-2+deb12u3_i386-buildd.buildinfo
 1060864 mail optional sogo_5.8.0-2+deb12u3_i386.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----