Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo-common
Architecture: all
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Peter Wienemann
Description:
 sogo-common - Scalable groupware server - common files
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary data
     from the database by injecting SQL subqueries through the uid parameter
     of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 9a9a09e3795c0a850cdd8d64a8d59638dfb59c15 17724988 sogo-common_5.8.0-2+deb12u3_all.deb
 78f921c79b0dd8e54bb45c0d54df4d573bd79343 10323 sogo_5.8.0-2+deb12u3_all-buildd.buildinfo
Checksums-Sha256:
 a9acc6e3a38eb69adbf80c9644b3391fd322a5ce65ecbd74b649913c35adf13e 17724988 sogo-common_5.8.0-2+deb12u3_all.deb
 446e5af52604991352019bceb224fd9592d66a68ed49af7b6971f46d06a7f98f 10323 sogo_5.8.0-2+deb12u3_all-buildd.buildinfo
Files:
 c18613b3343f4e3a628f8e3dbd14d8d5 17724988 mail optional sogo-common_5.8.0-2+deb12u3_all.deb
 614a52ab75a6ff77970c58c1e69ffd31 10323 mail optional sogo_5.8.0-2+deb12u3_all-buildd.buildinfo