Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: amd64
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary data
     from the database by injecting SQL subqueries through the uid parameter
     of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.