Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: mips64el
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-03)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.