-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Architecture: source
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian SOGo Maintainers
Changed-By: Peter Wienemann
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary data
     from the database by injecting SQL subqueries through the uid parameter
     of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 03c7f04c5292af91d32259f5e2c94ea7803ec2d9 2296 sogo_5.8.0-2+deb12u3.dsc
 53cf3471d97d0ea029b07b9f31d1a42afb6a3bd8 34926380 sogo_5.8.0.orig.tar.gz
 e623dda80b1ffd7a584b972bd886fd2cfb893607 29356 sogo_5.8.0-2+deb12u3.debian.tar.xz
 e4d39814af09c6f7b888b5202098001433a75062 5923 sogo_5.8.0-2+deb12u3_source.buildinfo
Checksums-Sha256:
 7bba4329203b4ca90843633f2a9dfe180363a96ca7333c8e5c226671411103b5 2296 sogo_5.8.0-2+deb12u3.dsc
 0031e30f48b523ec5c015f5f3fe90184e8a9abdfa3efe3ab08fd980ab7173380 34926380 sogo_5.8.0.orig.tar.gz
 c98bd09daa542ff0630c2338f7b70dda8bf0054c9573fe07f6ed474791d2a711 29356 sogo_5.8.0-2+deb12u3.debian.tar.xz
 9e0d87fe70ddb66ddc29a626adec806a15d2478b300b90849350562525915163 5923 sogo_5.8.0-2+deb12u3_source.buildinfo
Files:
 994a81de1a645341c84e9bde70ff8086 2296 mail optional sogo_5.8.0-2+deb12u3.dsc
 07da886b2b4faa942d68af8a3d6a38a6 34926380 mail optional sogo_5.8.0.orig.tar.gz
 aabd6d2e1027f57630b56ce12587e907 29356 mail optional sogo_5.8.0-2+deb12u3.debian.tar.xz
 4658f6c24920e60303e46f652b83743d 5923 mail optional sogo_5.8.0-2+deb12u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmpCsuQACgkQHpU+J9Qx
HlhNrg/9G8oosRxVwON0PsjiaT/QWF54xoatJ+A7fYinn5Iv3JdqzKq8abSMfCoq
y4HwEyCzPuWmDZ97Ylw+g12ps42BCJ03/6A9P4DIRztmWugNm3yOsS82Zdx+Fhl8
QSpW6mHHhuteyDaKMPJAfblFKJl5YBs8NLFdgAYNqcuNSEri2StUropBx/4Sv6d8
PnORHN49P0qw6rAVgpiWQQX7q0RsyyImqgffy3D9DKvL273b7wQimmYjsM/y+T8J
hzUKC6iC3Ut/VqRm0tn+6ddJ3+xdKazKkqi+jifd3vrn6U/huSBkf/egRELNP7gh
T5obbOAm0iMeYUOBZG5h0RWHApDLkymFIZzPQSkWTOkH1UXJZK7pBeenfVRzN+Fe
PXrWrhyiJOGfmyl+nyFoNYKFNtlnpccuHrtqrT0Z2oSzAKFGuG1KWZJ8Z102SzgZ
OWkLuWPSopxQ7SJ3BUFnlTUm1JTctjxw378XaDt02tSrIP5Sp7lBvKApmkeBtbUm
Mnncqp/v1gBzB9vXASpvpn+c3X/QLkk73rqN6EoLXoCUxDSrwBog/sgr3Mef3Is3
Ox9ci6uSRcodbAwTDxTLn/exjjAIOxVorAXa/i2qX092mc9qnvQKG/0BOymyj/Qs
NUEehWrY4FRhHA99VpsuDfAzFvFLpf0zhzCjVRaVCKNQlG/8NyY=
=GJRn
-----END PGP SIGNATURE-----