-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: amd64
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-01) <buildd_amd64-x86-conova-01@buildd.debian.org>
Changed-By: Peter Wienemann <wiene@debian.org>
Description:
 sogo       - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list
     management functionality that allows authenticated users to extract
     arbitrary data from the database by injecting SQL subqueries through
     the uid parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the
     user exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
