-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo-common
Architecture: all
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02) <buildd_all-x86-grnet-02@buildd.debian.org>
Changed-By: Peter Wienemann <wiene@debian.org>
Description:
 sogo-common - Scalable groupware server - common files
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list
     management functionality that allows authenticated users to extract
     arbitrary data from the database by injecting SQL subqueries through
     the uid parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix OpenID validation:
     Verify that the returned email domain is authorized and that the
     user exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 9ef00f938e7712fc740eec5a3a3206d00b448818 18606844 sogo-common_5.12.1-3+deb13u2_all.deb
 00365e0cd1d23b014864e1d76e40d83da1f891b7 12923 sogo_5.12.1-3+deb13u2_all-buildd.buildinfo
Checksums-Sha256:
 b9c09253b842d68c2b715e8ad1d673d8a98fc1d2af3d640ed5315cc6592062a1 18606844 sogo-common_5.12.1-3+deb13u2_all.deb
 9623fd1851351386318cb9148ac8cb7d508d71b1e7b8f5e58a4860b682a71c33 12923 sogo_5.12.1-3+deb13u2_all-buildd.buildinfo
Files:
 b50c976ce156a35a813cdcd215b3c208 18606844 mail optional sogo-common_5.12.1-3+deb13u2_all.deb
 39d8d4ebe189b6141c433e3025898486 12923 mail optional sogo_5.12.1-3+deb13u2_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
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=HPNr
-----END PGP SIGNATURE-----
