Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: s390x
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: s390x Build Daemon (ziehrer)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.