-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: armel
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: armel Build Daemon (arm-conova-02)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.