Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: arm64
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: arm64 Build Daemon (arm-ubc-02)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one
       user source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one
       user source is an SQL database (MariaDB or PostgreSQL) and
       passwords are stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows
     arbitrary JavaScript execution within the authenticated SOGo
     webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.